18 January 2022

Data security in the Tinx E-commerce Connector

There are many parties with an incentive to view, control, or even take your data hostage. It is no surprise, therefore, that data security is a hot topic. Just recently someone hacked the University of Applied Sciences in Arnhem and Nijmegen, whilst retail company Media Markt also fell victim to ransomware. With regard to its E-commerce Connector, how does Tinx-IT deal with data security? Our colleague René Donkers explains how this is done.

Before we start, could you briefly explain what the Tinx E-Commerce Connector does?

“We have developed standard integration software that works within the Microsoft Dynamics 365 Business Central ecosystem to link systems together, mainly E-commerce web stores. Using the connector, companies can easily exchange data between Business Central (BC) and their e-commerce platform. We currently service Magento, Shopify, WooCommerce, and CloudSuite webshops. Using Application Programming Interface (API) calls, BC mapping, and data transformation, we can link two different software systems together.”

How does this connection between BC and a webshop get established?

“By using API calls, software interfaces that allow two very different applications to communicate with each other. Virtually all modern e-commerce platforms offer API support, and our software uses this interface to send information back and forth. To access the API, we use tokens, created on the webshop side, that authorize the BC instance to exchange data.”

What data do you send through these e-commerce connectors?

“To the webshop, BC sends all kinds of data: customer, order, and product data such as basic information, extensive stock information, and prices. Within BC this information is downloaded and transformed into, for example, new customer registrations or orders. This data is sent or downloaded via messages in XML or JSON format.”

Passwords and credentials are not being sent.

“Company-critical data such as payment information always goes through a payment provider such as Multi Safe Pay, Adyen, Mollie, etc. As such, the payment itself is handled on the webshop side. BC only receives data about the payment, the amount, and what payment type was used.”

Are there differences between on-premise and cloud databases in terms of security?

“In terms of data security, not really. Ultimately, data security in Business Central itself is organized by Microsoft. On the functional side, there are various ways to use and increase security. Users can be allowed or disallowed to access (parts of) the system, permission sets can be used (i.e., what rights does a user have in BC), as well as user role centers (i.e., what are users allowed to see). Technically, the main difference is how the installation of the Tinx software is done. With on-premises versions, a runtime app is installed, whereas, for cloud versions, the Tinx apps are installed via Microsoft AppSource. Besides that, however, it is similar. All data is sent via web APIs such as Simple Object Access Protocol (SOAP) or Representational State Transfer (REST). These APIs are secured via HTTPS and an SSL layer, which ensure data being sent is always encrypted.”

Could you explain in broad terms how data transfer between a webshop and Business Central works?

“In the cases of Magento, Shopify, and WooCommerce, an SSL certificate is used for the webshop. After the Tinx connector is installed, we send a request to the webshop, to check whether the SSL certificate is valid, and BC understands the communication. With a valid certificate, the webshop returns a key to BC, with which we encrypt the data being sent.”

So what if the webshop is hacked? Is my data still safe?

“The secure connection is always initiated by BC towards the webshop. Periodic communication takes place via the standard Job Queue functionality in BC. With the Job Queue, BC checks whether information needs to be updated and sent (i.e., a push request) or downloaded in BC (i.e., a pull request). Both systems always function separately from each other; the Tinx connector just ensures that this bilateral communication is possible. A data connection is never established with BC from the webshop side. So, if the webshop is hacked, hackers cannot access important data within BC. Of course, securing the webshop itself is just as important. Suggestions to do this could range from strong passwords and HTTPS encryption to regular backups and installing a firewall.”

And how would backups be organized on the webshop side?

“The Shopify SaaS version does its own backups. With Magento, the company that has built the webshop can create a backup. Companies can also choose for their hosting party to run regular backups. Even though this is standard practice these days for webshop builders, it’s always good to check this. At Tinx we often work with the various Magento hosting parties, such as Hypernode, Byte, Hipex, and Digital Ocean. SAVII, for example, is a reliable supplier for WooCommerce hosting.”

How would you describe data safety & security within Tinx?

“We attach great importance to data safety and security. We do our utmost to develop software that is as safe and secure as possible. This means using standard web protocols when connecting with 3rd party systems and adhering to Microsoft’s guidelines when writing software.”