search

mollie / magento2

Mollie Payments for Magento 2
https://www.mollie.com
Other
98 stars 50 forks source link

Mollie stores not encrypted user bank account data within Magento #623

Closed HenKun closed 1 year ago

HenKun commented 1 year ago

Describe the bug Insales_order_payment table in additional_information column, customer's bank account data is stored for SOFORT payments (and maybe others?) in an unencrypted way.

e.g.

"details":"{"consumerName":"XXX","consumerAccount":"DE52XXX","consumerBic":"SOLXXX"}"

I am not sure this is legal in all countries due to PSD2 things and privacy regulations. Since it is not visible in frontend, module users might not be aware of this. Even if it IS legal, if these information is not used anywhere in the system, it need not be stored imho.

Used versions

To Reproduce Steps to reproduce the behavior:

  1. Create order
  2. Pay by "Sofort"
  3. Go to database into sales_order_payment
  4. See column additional_information

Expected behavior Only private data is stored that is actually used or has a usecase. If possible that required data should be encrypted.

Actual behavior Bank account data is store in clear text.

Frank-Magmodules commented 1 year ago

Thank you for bringing up this matter. Although the module code itself may not require the storage of this information, it could potentially be utilized in downstream systems, such as direct refunds, that do not involve Mollie. 

While I acknowledge that this occurrence may not be ideal without the merchant's awareness, we plan to enhance the situation by implementing encryption by default. 

Additionally, we may provide an option for the merchant to restore the current behavior if they depend on it.

Frank-Magmodules commented 1 year ago

Hello @HenKun,

We're pleased to inform you that the latest version of the Mollie plugin now includes the feature you requested. In the advanced section of the plugin, you will find an option to "Encrypt payment details" which you can enable to secure these details.

We hope this solution meets your requirements. For now, we will mark this issue as resolved. However, if you require further assistance, please feel free to reopen the issue.