PCI Compliance and TN database

Hi All,

We are assessing our PCI compliance, and one of our non-compliant statuses is that we receive orders that go directly into the TN database in non-encrypted format (the BLOB can easily be converted to clear XML text), and those files may contain credit card numbers.

Our first approach was to take the original content and replace the credit card information with either an encrypted value or even an internal ID that would be generated by a Web Service that would have registered the credit card number in a secure environment.

I thought that we could change the original content in the TN database, but many posts in this forum tell me that I don’t want to do that.

So what would be a good approach to get rid of the credit card information while keeping the rest of the information? Note that we have a business need to keep those files for verifications, so we need to be able to open (and sometimes reprocess) a file received from a partner.

Would it be best to archive in a different database and just delete the content from trading network?


Yes, I don’t think existing content in the TN database is meant to be modified. However, you can modify your TN receive services (e.g. wm.tn:receive) to replace credit card numbers in new documents with a GUID by querying/manipulating the input ‘node’ before the call to ‘wm.tn.doc:recognize’. The GUID <–> credit card mapping would be stored in a different, more secure, database. When the TN document is to be sent onward, a service is called to do the reverse mapping that replaces the GUID with the real CC number.

This would enable document reprocessing to work but would suppress the card being displayed through TN Console or WmTNWeb.
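The GUID replacement and reverse mapping described in the answer above, as an added Python sketch (not part of the thread and not webMethods code). The function names, the `tok-` prefix and the sample order are assumptions, and the `vault` dict stands in for the separate, more secure database.

```python
import re
import uuid
import xml.etree.ElementTree as ET

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
TOKEN_RE = re.compile(r"tok-[0-9a-f]{32}")

SAMPLE = (  # constructed order; 4111... is a widely used test card number
    '<Order id="1234567890123456">'
    "<Payment><CardNumber>4111 1111 1111 1111</CardNumber></Payment>"
    "<Note>call 555-0100</Note></Order>"
)


def luhn_ok(digits):
    """Luhn checksum, so order ids and similar digit runs are left alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def _scrub_text(text, vault):
    def repl(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)
        token = "tok-" + uuid.uuid4().hex  # GUID that replaces the PAN
        vault[token] = digits              # mapping lives outside TN
        return token
    return PAN_RE.sub(repl, text) if text else text


def scrub(xml_text, vault):
    """Tokenize every Luhn-valid PAN in element text, tails and attributes."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.text, el.tail = _scrub_text(el.text, vault), _scrub_text(el.tail, vault)
        for key, value in list(el.attrib.items()):
            el.set(key, _scrub_text(value, vault))
    return ET.tostring(root, encoding="unicode")


def restore(xml_text, vault):
    """Reverse mapping, applied just before the document is sent onward."""
    return TOKEN_RE.sub(lambda m: vault[m.group(0)], xml_text)
```

`restore` returns the card number as bare digits, so separators from the original document are not preserved. The pattern is greedy: a PAN immediately followed by another digit group can be read as one longer run, fail the Luhn check and be left in place.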

Picusson -

We’ve done a similar mechanism to what Sonam suggested as well. We have a wrapper to the wm.tn:receive service and that wrapper does some CC Num scrubbing beforehand in the cases we need to encrypt that data. The main difference is we don’t use an external storage for the CC num, rather we replace the contents in the XML with an encrypted value.

And you are right - you can’t modify the TN Bizdoc Content. We opened up tickets with wM to get a straight answer to this and finally got the “No, you can’t.”