Weekly Security Checkup Issues with Miva 10 and How To Fix Them

If you’re a Miva store owner/operator, by this point you’ve likely updated your site to the new Miva 10, or one of its later version updates (now up to Miva 10.00.06!). If you’re not a Miva store owner/operator, you aren’t going to have much use for this article…but you’re welcome to stick around! If you have updated your site, you’ve probably received an email from Miva with the subject line Weekly Security Checkup. The list of passes and fails in that email probably looks intimidating, but this article will cover how to fix them.

Weekly Security Checkup Email

The list of security passes and fails in the email you receive from Miva may look something like this:


PA-DSS Checklist Review

The following PA-DSS tests passed:

  1. Miva Empresa Version v5.34 or Newer
  2. Miva Empresa Debug Logging Disabled
  3. Primary Database Using MySQL or PostgreSQL
  4. Primary Database Activity Logging Disabled
  5. Private Keys Stored in Secondary Database
  6. Private Key Database Password Encrypted
  7. Private Key Database Activity Logging Disabled
  8. All User Passwords Strongly Encrypted
  9. Force Password Change After 90 Days or Less
  10. Password Minimum Length 7 Characters or Greater
  11. Passwords Require at Least one Letter and one Number or Punctuation Character
  12. Users May Not Reuse Their Last 4 or More Passwords
  13. Administrative Users Locked out After 6 or Fewer Invalid Login Attempts
  14. Administrative Users Invalid Login Lockout Interval 30 Minutes or Greater
  15. All Administrative Users / Store Managers have Two-Factor Authentication Enabled
  16. Production Upgrade Stream
  17. Order Encryption Enabled For all Stores
  18. Current Order Encryption Key uses Latest Encryption Method

The following PA-DSS tests failed:

  1. Primary Database not Located on Web Server
  2. Primary Database Password Encrypted
  3. Private Key Database on Different Server Than Primary Database
  4. Administrative Sessions Expire After 15 Minutes or Less of Inactivity
  5. Current Order Encryption Key Less Than 1 Year Old For all Stores

Depending on how your site is set up, you may have different items on your pass/fail lists. Regardless, you probably have some questions.

What is PA-DSS?

You’re likely wondering what PA-DSS is. It’s an acronym for Payment Application Data Security Standard. Adhering to this security standard is part of PCI compliance – making sure your site is as secure as possible to protect your business and your users’ data.

Why Am I Getting This Email?

If you’re concerned over the sudden arrival of these emails, don’t be. They are new with the release of Miva 10 and are made to help ensure your store is locked down properly. Your site isn’t necessarily suddenly failing all sorts of security protocols that it once passed. Very likely, nothing has changed.

In fact, this security checkup isn’t all that new. While the emails may be a recent addition to your Miva experience, the platform has always used some form of this list. It’s been tucked away in your Miva admin, and still is. If you accidentally delete the email, or just want to view your list of passes and fails, you can find it in your Domain Settings section under the PA-DSS tab.

What Happens If I Fail Tests?

Immediately? Nothing. You likely won’t experience any instant repercussions for failing PA-DSS tests. However, non-compliance can cause serious issues and fines for you, especially if you end up with a data breach. This list of tests will not only protect Miva from liability, but will also help you to remain secure at a time when cyber security is more important than ever.

How To Fix Weekly Security Checkup Issues

Many of the issues that arise with this Weekly Security Checkup email will likely be beyond your familiarity with Miva – they aren’t things you have to deal with often, or maybe ever! It’s not expected that you would recognize many of the issues that might come up with this security check.

Miva does provide a document explaining what each of the tests address and you can find that information here, if you really want to know.

We won’t go into exhaustive detail about what the tests are for; we’d rather just provide you some easy steps to pass them. Further to that point, we’re only going to go over the tests that you can resolve yourself.

If you fail a test that isn’t mentioned below, you are likely going to need to reach out to Miva for instruction or a resolution; there are items on this list that only they can fix.

Primary Database Password Encrypted

Failing this test means your database isn’t properly password protected. In order to resolve this, follow these steps:

  1. Log into your Miva admin.
  2. In the search bar at the top of the page, search for Encrypt.
  3. Select the Wizard: Encryption Key Migration option.
Encryption Migration Wizard
  4. The Wizard will open in a new window. When you reach the second step of the Wizard, you’ll be asked what type of migration you’d like to perform. Select the first option: Leave Private Keys in their Current Location.
Encryption Migration Wizard
  5. Proceed with the rest of the Wizard. Your next Weekly Security Checkup should show that the test passes.

All User Passwords Strongly Encrypted

If your Miva admin user passwords haven’t been updated in a while, you may fail this test. To correct it, you’ll have to reset the passwords for all your users.

  1. Log into your Miva admin.
  2. Open the Settings menu in the bottom left corner.
  3. Select User Management.
Weekly Security Checkup Settings
  4. Use the checkbox to select the first user.
  5. Click the “ ” menu and select the Change Password option. Each user will have to be done one at a time.
Weekly Security Checkup Change password
  6. Enter a new password and turn on the Force Password Change at Next Login toggle.
Weekly Security Checkup Change password

Password Setting Tests

  • Force Password Change After 90 Days or Less
  • Password Minimum Length 7 Characters or Greater
  • Passwords Require at Least one Letter and one Number or Punctuation Character
  • Users May Not Reuse Their Last 4 or More Passwords

Miva, in accordance with the Payment Card Industry Security Standards Council, now requires more complex passwords for security. Older user accounts may not have passwords that meet this requirement. Passwords need to be 7 characters or longer and include at least one letter and at least one number or punctuation character in order to meet PCI security standards.

To ensure security, your user passwords should be reset every 90 days or less, and each new password should be unique and complex.

  1. Log into your Miva admin.
  2. Open the Settings menu in the bottom left corner.
  3. Select Domain Settings.
  4. Scroll down to the Password Settings section.
  5. Make any necessary changes to correct the failed tests.
  6. Click the Update button in the top right corner to save your changes.
Password Settings
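As an added illustration (not Miva’s code; the Miva admin enforces these settings for you), the checks below implement the four password tests above with the same thresholds: minimum length of 7, at least one letter plus a number or punctuation character, no reuse of the last 4 passwords (compared against stored salted hashes only, never old plaintexts), and the 90-day rotation limit. The PBKDF2 hashing and the function names are this example’s own assumptions.

```python
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

# Thresholds taken from the Password Setting tests in the checkup email.
MIN_LENGTH = 7
MAX_AGE_DAYS = 90
HISTORY_DEPTH = 4
PUNCTUATION = set(string.punctuation)


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256; a fresh salt is drawn when none is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def complexity_problems(password):
    """List each way the candidate misses the length and character-mix tests (empty = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c.isdigit() or c in PUNCTUATION for c in password):
        problems.append("no number or punctuation character")
    return problems


def reused_recently(password, history):
    """True if the candidate equals any of the last HISTORY_DEPTH (salt, digest) pairs.

    history is ordered oldest first and holds only hashes; the old plaintexts are never kept.
    """
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            return True
    return False


def change_overdue(last_changed_iso, now_iso):
    """True once the current password is older than MAX_AGE_DAYS (dates as ISO 8601 strings)."""
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(last_changed_iso)
    return age > timedelta(days=MAX_AGE_DAYS)
```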

Administrative User Tests

  • Administrative Sessions Expire After 15 Minutes or Less of Inactivity
  • Administrative Users Locked out After 6 or Fewer Invalid Login Attempts
  • Administrative Users Invalid Login Lockout Interval 30 Minutes or Greater

It may be a little annoying that Miva kicks you out of the admin after 15 minutes of inactivity, but that time limit is important for PA-DSS security. The same applies to users who enter the wrong password and get locked out. In order to pass these tests on your Weekly Security Checkup, adjust your timeout settings.

  1. Log into your Miva admin.
  2. Open the Settings menu in the bottom left corner.
  3. Select Domain Settings.
  4. Scroll down to the Timeouts section.
  5. Adjust the values as needed.
  6. Click the Update button in the top right corner to save your changes.
Timeout Settings
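Added example, not Miva’s code: a small guard that applies the three thresholds above (lock after 6 failed attempts, 30-minute lockout, 15-minute idle expiry) to a stream of login attempts and session requests, with the clock injected as epoch seconds so the rules can be exercised without waiting. The class and method names are assumptions of this example.

```python
# Thresholds from the Administrative User Tests in the checkup email.
MAX_FAILED_ATTEMPTS = 6
LOCKOUT_SECONDS = 30 * 60
IDLE_TIMEOUT_SECONDS = 15 * 60


class AdminLoginGuard:
    """Enforces the lockout and idle-session rules; `now` is passed in as epoch
    seconds so the behaviour can be tested without a real clock."""

    def __init__(self):
        self.failures = {}      # user -> consecutive failed attempts
        self.locked_until = {}  # user -> epoch second when the lockout ends
        self.last_seen = {}     # session id -> epoch second of the last request

    def is_locked(self, user, now):
        return now < self.locked_until.get(user, 0)

    def record_attempt(self, user, password_ok, now):
        """Return 'locked', 'ok' or 'failed'. While locked, even a correct password
        is refused, so the lockout window cannot be used to confirm a guess."""
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = 0
            return "locked"
        return "failed"

    def touch(self, session, now):
        """Record activity on a session. Returns False and drops the session if it
        sat idle longer than IDLE_TIMEOUT_SECONDS, so the caller must force a re-login."""
        last = self.last_seen.get(session)
        if last is not None and now - last > IDLE_TIMEOUT_SECONDS:
            del self.last_seen[session]
            return False
        self.last_seen[session] = now
        return True
```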

Order Encryption

  • Order Encryption Enabled For all Stores
  • Current Order Encryption Key Less Than 1 Year Old For all Stores
  • Current Order Encryption Key Created Post-Upgrade For all Stores

Encrypting your orders helps to ensure that if there is a data breach, the order data in your system will still be safe. Encryption needs to be enabled and the current key needs to be less than a year old. When you create your encryption key, the key (or password) will need to be complex.

Any order that was placed under the old encryption key will require that key to be accessed. This means that in the future, if you need to access the payment data for an old order, you will have to enter the old key.

When you create your new key, you will be given the chance to enter a hint. This hint will help you to know which key to use in the event you do have to access old order information.

  1. Log into your Miva admin.
  2. In the search bar at the top of the page, search for Encrypt.
  3. Select the Wizard: Create Encryption Key option.
  4. Follow along with the steps to create your new key.
Encryption Key Wizard

Did You Fail a Weekly Security Checkup Test That Isn’t Listed Above?

First of all, don’t panic! There are several items on this checkup that you can’t resolve yourself. If you run into a failed test that you can’t resolve, let us know. We should either be able to address it for you, or point you in the right direction.
