Setting Up Encryption

If you process credit card or bank accounts payments directly (through on-site payment gateways or bank transfers), customer credit card and bank account numbers are stored in the Parallels Customer and Business Manager database. To protect billing account data, turn on the encryption in Business Manager on the All Settings > Encryption Settings page.

Important: Due to security considerations, if the encryption is turned off, Business Manager does not save billing account data to the database. This makes automatic charging of customer accounts impossible.

To encrypt the billing accounts data, the system uses an encryption key that consists of two parts:

• Private encryption key. The system generates it automatically when you turn on the encryption.
• Encryption key passphrase. You should choose it and enter it manually.

Configuring the Encryption

Depending on the desired level of security, you can vary certain encryption settings. The stronger encryption security settings are required, for example, for meeting the Payment Card Industry Data Security Standard - an industrial standard that lists requirements for the payment processing systems. To learn more about configuring Business Manager in compliance with PCI DSS, refer to the document Meeting PCI DSS Requirements for Plesk Panel.

Namely, the encryption security settings are the following:

• Private encryption key storage. This parameter defines where Business Manager will store the working copy of the private key on the server. You have two options:
  • File system. This option is selected by default. It minimizes the risk of losing the key though this option is less secure.
  • Memory. This option is a stronger security measure. However, in this case, the key may be lost if the memory is flushed, for example, after the server reboot. If this happens, the system becomes unable to perform automatic payments and asks the private key owner to upload it in order to restore this ability. Thus, if you choose this option, the system obliges you to download the key before it actually turns on the encryption. Be sure to keep your copy of the key in a safe place to be able to upload it when needed.

    While the private key exists on the server, it is available for downloading on the page All Settings > Encryption Settings > Download Key.

• Owner of the encryption key. To improve the system security, you may share the secret key parts between two administrators. This is done in the following way:
  1. Go to All Settings > Encryption Settings > Turn On Encryption and specify the encryption settings, including the Passphrase. You become the owner of the passphrase.
  2. Select another administrator as the Owner of the encryption key and click Turn On.
  3. After the owner logs in to Business Manager, Business Manager notifies them about their role and offers them to download the key.
  4. Once they download the private key, the encryption is turned on.

  The owner of the encryption key is the only person who is able to download the key or upload it if it is lost from the server.

• Encryption key expiration period. Specify the time interval after which Business Manager will prompt you to renew the encryption key as described below. However, if you do not renew the key, the system will continue using the current key.

Renewing Encryption Keys

If the expiration date of your encryption key comes or you suspect that unauthorized persons might have access to your key, you should renew it. The key renewal operation changes the key used for encrypting data and makes the current key useless. The tool for the key renewal is located on the All Settings > Encryption Settings > Renew Key page.