  1. #1

    Exporting Customer Accounts with Passwords

    We are probably going to be moving to a fully hosted ecommerce system. (Volusion) Nothing to do with Zen Cart. In fact we are very happy with Zen Cart overall and would prefer not to change, but it is getting harder and harder to keep everything PCI compliant. We would much rather focus on our business, rather than constantly deal with security patches, broken code caused by security patches and other bizarreness caused by security patches.

    In any case, our database contains about 5,000 customer records that we need to move to the new service. From our tests so far, this does not appear to be a problem, except for the customers' passwords. I can see no way of moving these out of Zen Cart and into Volusion as they are encrypted.

    Telling 5,000+ customers that their passwords no longer work is not really a pleasant nor practical option, so how does one go about migrating passwords from one system to another?

    Ron

  2. #2

    Re: Exporting Customer Accounts with Passwords

    Zen Cart's passwords cannot be unencrypted. They are encrypted using a one-way encryption method. This provides maximum security to the customer's private personal data.
    If you must retain those passwords, you'll have to alter the password-encryption code in your other system if you want it to be able to authenticate using the passwords currently in your database.

    If your issue is with PCI compliance, then perhaps you're hosted in the wrong place. There are several hosting companies out there maintaining solid PCI compliance while still offering shared hosting services to their clients operating busy Zen Cart stores.
    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
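
Added example, not part of the original thread and not Zen Cart or Volusion code: one way a receiving system that you control can authenticate against imported one-way hashes and upgrade each record at the customer's first successful login. The legacy layout (hex MD5 of salt plus password, a colon, then the salt), the PBKDF2 record format and all function names are assumptions for illustration; check the hashing code in your own store before relying on the layout.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor for upgraded records

def legacy_hash(password, salt):
    # ASSUMED legacy layout: hex md5(salt + password), ":", salt
    return hashlib.md5((salt + password).encode()).hexdigest() + ":" + salt

def verify_legacy(password, stored):
    digest, sep, salt = stored.partition(":")
    if not sep or len(digest) != 32:
        return False  # not in the assumed legacy layout
    expected = hashlib.md5((salt + password).encode()).hexdigest()
    # Constant-time comparison of the recomputed and stored digests.
    return hmac.compare_digest(expected.encode(), digest.lower().encode())

def modern_hash(password):
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_modern(password, stored):
    try:
        _, iters, salt_hex, dk_hex = stored.split("$")
        want = bytes.fromhex(dk_hex)
        got = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                  bytes.fromhex(salt_hex), int(iters))
    except (ValueError, OverflowError):
        return False  # malformed record
    return hmac.compare_digest(got, want)

def login(store, email, password):
    """Authenticate; upgrade a legacy record only after it verifies."""
    stored = store.get(email)
    if stored is None:
        return False
    if stored.startswith("pbkdf2_sha256$"):
        return verify_modern(password, stored)
    if verify_legacy(password, stored):
        store[email] = modern_hash(password)  # plaintext is available only now
        return True
    return False

# Constructed sample record, not real customer data.
accounts = {"customer@example.test": legacy_hash("correct horse", "a7")}
```

Records for customers who never log in again stay in the legacy format, so the legacy branch has to remain until those accounts are reset or retired.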

  3. #3

    Re: Exporting Customer Accounts with Passwords

    Thank you for the prompt reply.

    We are hosted with Peer1, a fairly well established hosting service. The problem is not them being able to keep the system patched and up to date. The problem is more about the side effects that the patches cause and the constant struggle to satisfy our PCI compliance provider.

    Even though Peer1 is very diligent in being sure the system is fully patched and PCI compliant, there is a very serious breakdown in communications between the patched system and the PCI compliance provider's scanner. Security updates are not necessarily reported during system scans, and as a result we fail the compliancy scan every quarter. This triggers days and weeks of back and forth emails between me, Peer1 and the PCI compliance provider trying to prove to the compliancy provider that we are fully secured.

    This past quarter's scan was the last straw, as our PCI compliancy provider is now insisting that we actually install a patch that will break the automatic updating process provided by Red Hat. They tell us that we will just have to be sure that all released patches are manually installed instead.

    Bottom line is, I have had enough of it. We are going to move to a fully hosted service and they can take care of all the PCI compliancy and constant software upgrade/patch/fix headaches. I just want to sell my products.

    Sorry for sounding off on this, but it has been a rough summer.

    I guess we will have to let 5,000 customers know that their old password will no longer work. No wonder people get so frustrated sometimes with online companies. Best practices for password migration should have been worked out by the industry as a whole years ago.

    Ron
