sync: auto-sync from GURU-5070 at 2026-06-03 15:55:57

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-03 15:55:57
This commit is contained in:
2026-06-03 15:56:01 -07:00
parent ae1ec4517a
commit a98fed14c9
3 changed files with 36 additions and 5 deletions


@@ -124,8 +124,9 @@ A full read-only security assessment of the Glaztech e-commerce web application
- **`cc_file` (~780 saved cards):** Full PAN stored in plaintext in every per-office database (`glaz_prod`, `glaz_prod_phx`, `glaz_prod_slc`, `glaz_prod_elp`, `glaz_prod_den`, `glaz_prod_alb`, `glaz_prod_boi`, `glaz_prod_brl`, `glaz_prod_shp`, `glaz_prod_corp`). Zero encrypted rows. `cc_file.cc_code` retains CVV/CID (50/54 rows in tuc; mirrors expected in all offices). **CVV retention is a PCI Req 3.2 violation — indefensible; no exception even if encrypted.**
- **`cof_payments_header` (historical payments):** Phoenix alone: 14,496 rows, 11,794 plaintext PANs. Tuc: 2,245 rows, ~367 plaintext + ~597 formatted. Years of transaction history with recoverable card numbers.
- **Why cards are stored:** Card-on-file invoice auto-pay. `i_get_cc_on_file_invoices` joins `invoice` × `cc_file`; `gt_auto_process_2020.dll` reads stored PANs and bills them via CyberSource. Stale copies in `Old_bin`/`Old_code\Bin`. **Feature can be preserved by migrating to CyberSource token vault — store a token reference instead of the raw PAN.**
- **Containment:** Exposure is limited to the 15 custom web-app databases on 192.168.8.62. The Sage 100 ERP DB (`mas_gti`) uses proper tokenization (`CreditCardGUID`, `Last4Unencrypted`, `EncryptedCreditCardNo`) and is materially compliant. **Database backups also contain plaintext PANs — cleanup must address backups, not just live data.**
- **Why cards are stored:** Card-on-file invoice auto-pay. `i_get_cc_on_file_invoices` joins `invoice` × `cc_file`; `gt_auto_process_2020.dll` reads stored PANs and bills them via CyberSource. `get_cc_data` is `SELECT * FROM cc_file` (returns full PAN+CVV; IDOR-shaped on `@acctno`). Stale copies in `Old_bin`/`Old_code\Bin`. **Feature can be preserved by migrating to the chosen processor's token vault — store a token reference instead of the raw PAN.**
- **Containment:** Exposure is limited to the 15 custom web-app databases on 192.168.8.62. The Sage 100 ERP DB (`mas_gti`) stores **no** cardholder data — its native CC module is **disabled** (`SY_Company.CreditCardEnable=N`, `AR_CustomerCreditCard`=0 rows; tokenization columns exist in the schema but are unused). **Database backups also contain plaintext PANs — cleanup must address backups, not just live data.**
- **Processor reality (verified 2026-06-03):** despite a belief that processing moved to "Payrilla/Paya," the website is **still on CyberSource/PNC** (no Payrilla anywhere in site code/config) and **still writing plaintext cards daily** (`cc_file` last write tuc 2026-06-03 14:15, phx 10:19; live `CC-WebPayment-PNC` txns today). Sage's CC module is off. Payrilla, if used, is a **separate channel not visible in either system and not connected to the website** — the website exposure is unchanged. Anomaly: `cc_file` absent in the `corp` DB though present earlier 2026-06-03 — needs a look.
### Authentication — Plaintext Passwords
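Review bot: the added Processor-reality line reports `cc_file` absent from the `corp` DB, but the unchanged `cc_file` line at the top of this hunk still lists `glaz_prod_corp` among the per-office databases holding plaintext PAN and expects CVV mirrors in all offices; state which is current as of 2026-06-03 (and reconcile the "15 custom web-app databases" count with the ten named there) so the two bullets do not contradict each other. The new `get_cc_data` description also needs tightening: `SELECT * FROM cc_file` with no predicate is a full table dump, so if the procedure filters on `@acctno` quote the WHERE clause, and if it does not, drop "IDOR-shaped" and call it an unfiltered read of PAN+CVV. Finally, the rewritten Sage line reverses the earlier "proper tokenization, materially compliant" claim for `mas_gti`; one sentence saying the earlier assessment was based on the schema columns rather than on `CreditCardEnable` and row counts would explain the change to anyone comparing revisions.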
@@ -171,7 +172,7 @@ Obtain a customer login (LOW difficulty — no lockout, guessable username = acc
5. Hash all passwords (PBKDF2/bcrypt/Argon2); replace email-the-password flow with reset-token flow; force global reset
6. Parameterize all concatenated SQL in payment pages; delete `quo()`
7. Add Secure+HttpOnly cookies, session regeneration on login, login throttling/lockout
8. Migrate card-on-file to CyberSource token vault; purge/encrypt historical `cc_number` columns; address backups
8. Migrate card-on-file to the chosen processor's token vault (CyberSource or the new provider — confirm which flows actually route through "Payrilla"); purge/encrypt historical `cc_number` columns; address backups
**Structural:**
9. Separate dev from production; deploy precompiled; remove SDKs/IDE/source from prod host
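Review bot: item 8 now hedges on whether some flows route through "Payrilla", but the finding added in the same commit states the website has no Payrilla in code or config and still bills through CyberSource/PNC, so the website action should be unconditional (migrate card-on-file to the CyberSource token vault, or to whichever processor is chosen going forward) rather than implying a Payrilla web flow might exist. The item also says "purge/encrypt historical `cc_number` columns", which leaves `cc_file.cc_code` untouched; the assessment calls CVV retention indefensible even when encrypted, so list `cc_code` explicitly as purge-only, and extend the purge to the plaintext PANs in `cof_payments_header`, not just `cc_number` columns.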