Please note: CEM is an optional extra available for $210
Cactusoft Encrypted Mail (CEM) uses the Data Encryption Standard in either single or triple mode (56 or 168 bit strength respectively) to encrypt orders sent from your CactuShop installation. The mails are decrypted using a private key and application that runs on the receiving computer. This process ensures that emails that include credit card details cannot be read en route as they pass through numerous computers on their way to the store owner.
The CEM system consists of two parts. The first is script-based encryption that can run on standard ASP-enabled web space. It can encrypt an order in a matter of a few seconds, depending on the web server's processor and system resources. CEM uses an established and proven algorithm rather than a weak, untested proprietary encryption.
CEM secures the order emails sent from CactuShop. The form where credit card details are entered must still be secured using SSL (Secure Sockets Layer) in order for the site as a whole to be secure. CEM comes with two sets of scripts, one for use if you have your own secure certificate on your CactuShop web site, and the other to use if you have a secure area on another domain or web server (often called a 'shared' secure server).
A small application (.exe) is installed on the computer that receives the orders from the site. Incoming orders appear as email attachments which, when opened, are displayed in the CEM decryption program. From here they can be saved or printed. The decryption software runs on Windows only (95/98/ME/NT/2000/XP/2003).
The encryption module can encrypt using either 168 bit Triple DES or 56 bit DES (both in Cipher-Block-Chaining mode with an initialization vector). The module is implemented as an ASP (VB) Script and therefore can be used on shared ASP webspace; no DLLs or ActiveX components are required to be installed. The main disadvantage of implementing the code as a script is speed - 56 bit DES takes a couple of seconds to encrypt a typical order from our demo store. Triple DES takes about 3 times as long. We would suggest that standard 56 bit DES is still strong enough to make attacks impossible in practice (some UK banks accept 40 bits). The addition of order encryption to a site will certainly make a drastic improvement to its security. Because of the speed issue, we would not advise that our encryption system be used for very busy high volume sites or large emails.
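The scheme described above (DES or Triple DES in Cipher-Block-Chaining mode with an initialization vector), sketched in Go as an added example that is not Cactusoft's code. The function names, the IV-prefixed message layout, the PKCS#7 padding and the sample key and order are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"fmt"
)

func newBlock(key []byte) (cipher.Block, error) {
	if len(key) == 8 { // 8-byte key: single DES (56-bit)
		return des.NewCipher(key)
	}
	return des.NewTripleDESCipher(key) // 24-byte key: Triple DES (168-bit); other lengths error
}

// EncryptOrder returns IV || ciphertext: CBC mode, fresh random IV, PKCS#7 padding (assumed).
func EncryptOrder(key, order []byte) ([]byte, error) {
	block, err := newBlock(key)
	if err != nil {
		return nil, err
	}
	pad := des.BlockSize - len(order)%des.BlockSize
	padded := append(append([]byte{}, order...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, des.BlockSize+len(padded))
	if _, err := rand.Read(out[:des.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:des.BlockSize]).CryptBlocks(out[des.BlockSize:], padded)
	return out, nil
}

func DecryptOrder(key, msg []byte) ([]byte, error) {
	block, err := newBlock(key)
	if err != nil || len(msg) < 2*des.BlockSize || len(msg)%des.BlockSize != 0 {
		return nil, fmt.Errorf("bad key or malformed message")
	}
	pt := make([]byte, len(msg)-des.BlockSize) // msg is IV || ciphertext
	cipher.NewCBCDecrypter(block, msg[:des.BlockSize]).CryptBlocks(pt, msg[des.BlockSize:])
	if pad := int(pt[len(pt)-1]); pad >= 1 && pad <= des.BlockSize {
		return pt[:len(pt)-pad], nil // strip the padding bytes
	}
	return nil, fmt.Errorf("bad padding")
}

func main() {
	msg, _ := EncryptOrder([]byte("constructed-24-byte-key!"), []byte("constructed sample order"))
	fmt.Printf("IV || ciphertext: %x\n", msg)
}
```

Because the IV is random per message, encrypting the same order twice gives different ciphertexts. CBC on its own provides confidentiality only and does not detect modification of the ciphertext.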
Customers intending to use CEM should check with their bank to ensure that their credit card merchant agreement permits use of such a system. The security of a web site that implements CEM depends heavily on the physical and electronic security of the secure web server and the store owner's computer and network, as well as the configuration of Cactusoft software. We would always recommend a remote payment gateway as the most secure option since the credit card details are confined to the payment gateway.