Both Storefront 2.0.500 and CenPOS are addressing security concerns over cross-scripting in certain fields. The solution involves those applications disallowing certain characters which can be used for this kind of attack in specific vulnerable fields. Those applications will either entirely reject any transaction that includes the disallowed characters, or they will strip the characters, possibly resulting in discrepancies between FACTS and the application.
To properly handle these changes, FACTS customers need to identify the offending data in the effected fields and change the data to an acceptable value.
FACTS 9.1.1 will include the tools to do this. When we do rollout training, we will show them in detail, but here is an overview:
Data Class Control Setup (SME640) will now include the ability to specify whether the customer wants to limit what characters are allowed for each data class. When establishing the allowed characters, the program will search all existing data for values that violate the allowed characters and will show the user the offending values. The user can then use that list and the Generic Data Changer to fix those offending values.
Once all offending values have been fixed, the user can finish updating the data class to implement the limitations. Thereafter, users will only be allowed to enter characters on the allowed list for the data class.
This new feature can be used for other purposes as well. For example, if you wanted to only allow numeric values for a customer number, you could set the allowed characters for the customer number data class to the 10 digits.
Again, more details will be provided when the release is ready, but I wanted you all to be aware of the coming change and the requirements for anyone implementing Storefront 2.0.500 or CenPOS.
Tim
