HELIOS V10 - Encryption Update

[Andy]

Now I am getting this second and third hand, but I understand, based on comments made by Tony to others, that the encryption of the Client Address Line is being removed from V10.

I further understand that the encryption of the EFT Account Number is going to remain. I understand that the reasons relate to enhancing security to protect the confidentially of the Customers EFT Account Number.

This causes me to wonders,

If this is the reason, why was this not a priority during the prior 14 years of Helios existence, or at least the portion of that time that the EFT record existed.

With the ability now in V10 to Mask the EFT account number from view outside of Master Edit, the only issue that remains is inappropriate use of the Database by unauthorized persons. I believe there are alternative approaches besides encryption to ensure the appropriate security of customer information.

There are many applications dealing with Credit Card numbers that do not encrypt the storage of data in a database - mask, in part or in full and/or encrypt the display, YES - but not the database.

The recourse available to a Credit Card holder is nearly absolute and the trackability of such inappropriate use would make this type of fraudulent act subject for the "Dumbest Crimes" TV show.


My concern regarding the encryption of the EFT Account Number within YOUR Helios Database remains.

With this encryption, you will I believe, be forced to use an EFT Process Provider of Helios choosing. You will not, based on my understanding at this time, be able to export the EFT data from YOUR Database and process it as you wish.

[Andy]

Further discussion and exchange on this topic on TanToday

http://64.70.201.68/cgi-bin/ubb/ultimatebb.cgi?ubb=get_topic&f=31&t=0002 36

In the above thread Sparky, provided information from a conversation he had with Tony at Helios, below are my responses to the good information that Sparky gathered.[ This Message was edited by: Andy @ ATSO.ca on 2002-07-10 14:21 ]

[Andy]

The last "4" #'s suggestion you have made is a REALLY good idea, I believe, and a very common approach regarding Credit Card masking.

I wonder which User Defined Field, I am personally aware of Users that have Skin Type in any one of the first 3 User Defined fields. I am also aware of Clients that have other "significant" data that relates to the POS processing. Shared With is an example, One User with a number of locations have one of the fields used for "Membership #" and verify this against a Membership card that is not the Helios Client Number. etc etc.

Again, with respect I offer an alternative design of the POS Screen that allows all 5 User Defined fields to be relocated back onto the Primary POS screen. It also deals with an number of other issues reflected in the HELIOS V10 - POS Screen thread.


Encrypting EFT Account Number from the Licensed User of the Software WITHIN the Database is required by VISA/MC ?? - that sounds like an Oxymoron to me - who has the data for entry. Stranger things have proven to be true (like the DMCA) - I shall investigate.

I know that transmission of the client data over communication lines is recommended to be protected - that is one of the reasons all data (not just the EFT Account Number) is encrypted in the Information Packets transferred by Salon Net between your stores and your central office.


A third alternative for Data Extract is to use a product like Salon Wizard to do custom reporting and data extraction from your Helios Databases. Salon Wizard is a "sister" product to Salon Net. It is intended for a single location salon owners and/or multi location salon owners that do not require the Central consolidated database and/or the replication of data between salons.

Anyone interested in an online demo of Salon Wizard can contact me at the number below or email me contact information, I will get back to you. Do not let cost be an issue or hestitation, very good news for the first 100 Salon Owners that are interested in looking at Salon Wizard.


A new dongle that will work with both V9.4 and V10 - I agree a good idea to ensure that the upgrade when ready and appropriate for use is restricted to Users that have paid for the right to have access to it.

_________________

Andy Thompson
ACT Business Solutions
Toll-Free 877-777-6717
andy@atso.ca
ACT Help Center [ This Message was edited by: Andy @ ATSO.ca on 2002-07-11 06:21 ]

[Andy]

None of the VISA/MC utilities that we have encountered or reviewed allow encryption of account numbers within the database.

This is a total bogus argument, as to the best of my knowledge, no account number only encryption system exists for any CC vendor.

Nearly all vendors require that the transport file be secured in some way (zipped with a password, while very weak is one of the most common methods). Primary storage of the account information is never encrypted, not even on large systems like peoplesoft or sbs.

Protecting the database in case of theft is a good excuse, but falls apart when the user cannot set the encryption key.

For this argument to be valid, the Helios database (not the application) should have a password set by the user on it (just like Salon Net's transport files are encrytped during transfer). With the Helios V10 encryption scheme, once it is broken by someone (be that legal or not), then everyone's system has been compromised! Since Helios do not appear to be allowing changing of keys for the encryption, this is a moot argument.


It would appear that the ONLY reason this is being done in V10, as it adds next to zero value for customers or users, and actually removes a lot of features (you can no longer search or sort by account number ... you can no longer send your data to an independant supplier of your choosing) is to provide Helios/ETS the ability to control who processes EFT transactions stored in the Helios application.

Why is that of concern to them, if they have a preferred or recommended EFT Processor - Fine - if they receive a percentage of your fees paid for providing a convenient and highly automated interface to that vendor - Fine.

BUT, for there to be no alternative but for you to process with their "authorized" processor(s) and if Helios receive what would have to be a considerable "TAX" on that processing, that would certainly put a different perspective on the concept of "Free Software".

_________________

Andy Thompson
ACT Business Solutions
Toll-Free 877-777-6717
andy@atso.ca
ACT Help Center [ This Message was edited by: Andy @ ATSO.ca on 2002-07-10 19:10 ]

[Andy]

The address line encryption may not be out of the woods yet.

At about 5pm ET this afternoon I received a phone call from John Keffner at ETS.

He wanted to know who my source was that told me that Tony said that the Address Line encryption was being removed from V10.

I advised that other than the post made on TanToday in the Helios 10 Coming Soon????????? thread by Rich C - I did not feel comfortable sharing the other Users Names with him without their permission.

Quote:
Rich C posted on 7/10/2002 at 8:04am ET:

Tony told me that the versions being used now with the encrypted address lines are just demo versions and that there was nothing to worry about with the main one that would ship. Crossing fingers.

He seemed to be under the impression that it may have been an ETS/Helios employee. It was not - all three were Helios Users.

John advised me that the decision regarding the Address Line encryption has not been made as yet.

So regarding your ability to process your Mass Mailing as your wish - no solution yet.

	Buy Spray Tan Solution www.spraytan.com - Wholesale spray tan solution for tannings salons and mobile spray tan professionals. Lowest prices on premium Bronzz™ spray tan solution. Booth or airbrush tanning.

[Andy]

Kimmee on STC posted:

Quote:Looks like we may have to start shopping around again???


and I replied:

or communicate to Helios your opinion and concern about these issues.

If I have misstated any fact, I stand to be corrected.

My intent was and is to inform Helios Users that may otherwise not have been aware of the encryption until they exported their EFT data for processing - CAN YOU IMAGINE, the impact on their CASH FLOW.


Now this truly is not an issue until V10 Dongles become available, so NOW is the time to get the word out and have as many Helios Users as possible (including those who may not visit "the boards") take the appropriate actions and BE AWARE.

[Chippp]

Thanks again!

[TANtalize]

Thank you Andy and others.

I cannot understand why Helios/ETS feels the need to be so secretative about their new upgrades.

If they are trying to see the software to salon owners, shouldn't they be open to all questions and concerns.

I have found in life that when someone tries to hide information that there is usually a reason for this action.

[Drew D]

Andy,
I;ve been promised v.10 since I was out at ETS last year.
Anyway, my brother-in-law is a very experiance programer and is developing an add on data base product for Helios so I can get reports out of that will mean something to me and my business. Right now the reporting system is weak at best. I'm going to use it in my salon and was just wondering if you think their might be a market for a shrink wraped version of the product? Any feedback would be appreciated.

[Andy]

DrewD, first sorry for the slow response - I have been on the road this week and just returned to the office last night.

I know what you mean about most Salon Owners needing more and/or improved reporting above that offered within the Helios application.

Salon Net and Salon Wizard offer significant additional reporting and the ability for the Salon Owner to add their own custom reports - all of this Web based.

The Solarsoft Website provides info on the Report Showcase from within the Salon Net and Salon Wizard products.


Make sure your programmer is aware of the new Database structure within V10 (when it is finally OFFICALLY released) and also make sure he is aware that at this time the Address Line and EFT Account Numbers are encrypted in V10 and will not be usable in reports and exports.