SSL support

MiniVend has several features that enable secure ordering via SSL (Secure Sockets Layer). Despite their mystique, SSL servers are not hard to operate. From the user's standpoint, the only differences between a standard HTTP server and an SSL (HTTPS) server are that the traffic is encrypted and that the URL uses the https: protocol specification instead of the usual http: designation.

IMPORTANT NOTE: MiniVend attempts to perform operations securely, but no guarantees or warranties of any kind are made! Since MiniVend comes with Perl source, it is possible to modify the program to create serious security problems. One way to minimize this possibility is to record MD5 checksums or, better, PGP signatures of minivend, minivend.cfg, and all modules included by minivend. Keep the recorded checksums or signatures where the web server account cannot rewrite them (another host or read-only media), and check the files against them on a regular basis to ensure they have not been changed.
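The check described above, written out as an added example (this is not MiniVend code, and the manifest file name MANIFEST.md5 and the sample file contents are constructed for the demo): build a manifest of per-file digests for the MiniVend tree, then verify the tree against it and report modified, missing and unexpected files. MD5 is the default because that is what the note mentions; any hashlib algorithm name (sha256 is the better choice today) works the same way. The verify step takes the manifest path separately so the manifest can live off the server.

```python
import hashlib
import os
import tempfile

MANIFEST_NAME = "MANIFEST.md5"  # file name is an assumption for this example


def digest_file(path, algo="md5"):
    """Hex digest of one file, read in chunks so large modules are fine."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, algo="md5"):
    """Map of path-relative-to-root -> digest for every file under root."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if rel == MANIFEST_NAME:  # never hash the manifest itself
                continue
            entries[rel] = digest_file(full, algo)
    return entries


def write_manifest(path, entries, algo="md5"):
    """Write 'digest  relpath' lines (md5sum -c style) plus an algo header."""
    with open(path, "w") as f:
        f.write("# algo=%s\n" % algo)
        for rel in sorted(entries):
            f.write("%s  %s\n" % (entries[rel], rel))
    return path


def read_manifest(path):
    """Parse a manifest written by write_manifest; returns (algo, entries)."""
    algo, entries = "md5", {}
    with open(path) as f:
        for line in f:
            line = line.rstrip("\n")
            if line.startswith("# algo="):
                algo = line[len("# algo="):]
            elif line:
                digest, rel = line.split("  ", 1)
                entries[rel] = digest
    return algo, entries


def verify_manifest(root, manifest_path):
    """Compare the tree under root with a manifest; ok only if nothing differs.

    The manifest should live somewhere the web server account cannot write
    (another host, read-only media); otherwise an intruder who edits
    minivend can also edit the manifest to match.
    """
    algo, expected = read_manifest(manifest_path)
    actual = build_manifest(root, algo)
    modified = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    missing = sorted(p for p in expected if p not in actual)
    unexpected = sorted(p for p in actual if p not in expected)
    return {"ok": not (modified or missing or unexpected),
            "modified": modified, "missing": missing, "unexpected": unexpected}


def demo():
    """Build a constructed stand-in for a MiniVend tree, then tamper with it."""
    root = tempfile.mkdtemp()
    files = {  # constructed sample contents, not real MiniVend code
        "minivend": b"#!/usr/bin/perl\n# MiniVend main program\n",
        "minivend.cfg": b"VendURL  http://www.example.com/cgi-bin/mv\n",
        os.path.join("lib", "Vend", "Order.pm"): b"package Vend::Order;\n1;\n",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    # For the demo the manifest sits in the tree; in production keep it elsewhere.
    manifest = write_manifest(os.path.join(root, MANIFEST_NAME), build_manifest(root))
    clean = verify_manifest(root, manifest)
    # Simulate an unauthorised edit to one module.
    with open(os.path.join(root, "lib", "Vend", "Order.pm"), "ab") as f:
        f.write(b"# unexpected change\n")
    tampered = verify_manifest(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean tree ok:", before["ok"])
    print("after edit   :", after)
```

Run it from cron against the real MiniVend directory with a manifest copied from a trusted host, and treat any non-empty modified, missing or unexpected list as an incident to investigate, not just a warning.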

MiniVend uses the SecureURL directive to set the base URL for secure transactions, and the VendURL directive for normal non-secure transactions. Secure URLs can be enabled for forms through a form action of [process-target secure=1]; any form that collects a credit card number should use a secure action, otherwise the number crosses the network in the clear. An individual page can be displayed via SSL with [page href=mvstyle_pagename secure=1]. A particular page can be set to be always secure with the AlwaysSecure catalog.cfg directive.

MiniVend incorporates additional protection for credit card numbers. The field mv_credit_card_number is never written to disk; only the encrypted form produced by the mechanism below is stored.

To enable automated encryption of the credit card information, set the directive CreditCardAuto to yes. EncryptProgram must also be set to the command that encrypts the number; MiniVend passes the number to that command's standard input and stores what it writes to standard output. PGP is now recommended over all other encryption programs. In the example below, -f puts pgpe in filter mode (stdin to stdout), -a produces ASCII-armored output, -t treats the input as text, and -r names the recipient key. Only the recipient's public key needs to be on the web server; keep the matching private key on a separate machine, so that a compromise of the server does not also expose the stored card numbers. The entries should look something like:

  CreditCardAuto   Yes
  EncryptProgram   /usr/bin/pgpe -fat -r sales@company.com

See CreditCardAuto for more information on how to set the form variables.
