Encrypting customer information in commerce database

Vote:
 

Hi,

I am trying to find the best approach regarding encryption of customer information in the commerce database (name, email, phone number, shipping address, billing address)?

Basically, someone owning a backup of the commerce database should not be allowed to acess any customer information.

  • Is EPiServer offering any support for encrypting sensitive customer information?
  • Would you recommend encrypting the email address, given that it's linked to the username and therefore to the CMS database?

Thank you,

Roxana

#116099
Jan 23, 2015 9:35
Vote:
 

For the first question, Commerce database can use SQL Server encryption to encrypt/decrypt data. One example is the CreditCard information, which is encrypted by default.

Unfortunately, use encryption means your database will not be Azure - compatible (because SQL Azure does not support encryption), and there's no easy way to indicate a specific customer information is encrypted (Which is unlike the encryption option for metafield, you only need to turnon the value when you create it).

I think the simpler way for you is to extend CustomerContact class and use encryption in Application level, instead of use database-level encryption.

Regards.

/Q

#116167
Jan 26, 2015 7:41
Vote:
 

Hello Quan,

Thank you for your response. I was also thinking about using the application level encryption, though I was wondering whether EPiServer offers any support (aside from the metafield encryption).

Thank you,

Roxana

#116172
Jan 26, 2015 9:48
Vote:
 

You could use the MachineKey.Protect() method for this.

Frederik

#116405
Edited, Jan 29, 2015 16:33
This topic was created over six months ago and has been resolved. If you have a similar question, please create a new topic and refer to this one.
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.