locked credit card

Image source: Kingwealth Planning

Clients are required to comply with PCI (Payment Card Industry) Security Standards to ensure a secure payment card environment.

By default, Microsoft Dynamics CRM Online does not support the processing, transmitting, or storing of PCI-governed data such as credit card numbers.

Refer to this article for more info.

However, for this project, we had a requirement by the client to have this done within Dynamics CRM Online.

To do this in Dynamics CRM Online we had to:

  • Generate an X509 certificate in order to encrypt credit card details
  • Create a webresource to store this certificate within Dynamics CRM
  • Create a plugin that retrieves the webresource certificate, gets the customer’s credit card details when it is saved on a form and encrypts it using the certificate, then finally, saves the encrypted information in Dynamics CRM Online.

This method is based on Jamie Miley’s blog post a while ago (RESPECT!).

I figure, I’d like to update and expand on this, as well as provide an example of this use for credit card encryption.

Part 1: We will have a look at creating a certificate in Dynamics CRM and retrieving it in a plugin.

A bit about public key encryption and certificates

Obviously for security reasons, credit card details cannot be stored as they are in the database. So we need to encrypt that info (make it in unreadable form) first and then store it in the CRM.

The method to do this is to use public key encryption where a X509 certificate needs to be generated.

With public key encryption, two keys are created, one public, one private. Anything encrypted with either key can only be decrypted with its corresponding key. Therefore, if credit card details were encrypted with the server’s private key, it can be decrypted only by using its corresponding public key, ensuring that the data only could have come from the server.

A certificate includes information about the key and is usually signed by a trusted Certificate Authority (CA) which ensures that the certificate holder is really who he claims to be. Without a trusted signed certificate, the data may be encrypted. However, the party you are communicating with may not be whom you think.

Steps for Storing Credit Card Details

Obtain a X509 certificate and store in Dynamics CRM

As mentioned before, we need to generate a certificate. Doing this is beyond the scope of this blog post. You can have a look at this article to generate one for testing purposes: How to create X509 certificates for testing.

Once you have your certificate, you will need to store it in CRM.

DO NOT INSTALL IT. Instead, right click on it and Edit it in Notepad to get the text of the certificate.

certificate - storing credit card details

Copy the block of text starting from —BEGIN CERTIFICATE— to —END CERTIFICATE

certificate 2

Navigate to your webresources section in CRM and create a New webresource.

Paste the text of the certificate in the Text Editor and save is as type Data (XML)

It should look like this:

edit web resources content

edit web resources content 2

Create the Plugin

We intend to encrypt the data BEFORE we save to the database so this needs to be a PRE operation plugin.

This is very important to ensure that no real customer credit card data is stored in the CRM db at any time.

Assuming that you are familiar with creating a plugin, this is how it should look like:

  1. Get the credit card values from the form after the Save operation

  1. Create a function to retrieve the certificate webresource from CRM to encrypt data by getting the values of the ‘content’ field.

This is where the contents of the certificate is stored. It is actually stored in Base64 string format and you will need to convert this later on (Part 2).

 

Part 2: Will focus on encrypting the credit card details and masking the data in CRM

To be continued…