7.6 Security Improvements Testing
Salesforce is making a number of security updates for online forms. These have been optionally available since Winter '20 release and will be enforce in early March of 2020.
These updates require a number of minor setup changes and should take an Admin about 30 minutes to apply. Without these configuration changes, the following publicly accessible forms will be impacted:
- Peer-to-Peer fundraising registration
Before applying the updates to production, we recommend testing in a sandbox. This procedure takes you through setting up your Sandbox for a valid test.
Please note, you should also test any other application installed that you might have that has publicly accessible forms.
For more information on the Salesforce security improvements, see:
These updates are ONLY available with our Modern form. We will not be supporting our Classic checkout form from 1st of March 2020. To enable Modern form select "Modern" from the picklist field "Default Payment Form" that is on the Merchant Facility.
If you have the ability to create a Full or Partial Sandbox, then that would be ideal, but not fully necessary.
If creating a partial sandbox, then it would pay to include sample data from Accounts, Contacts, Merchant Facility, Payment Form, Payment Options and if using memberships then Account Subscriptions, and Subscriptions.
If creating a full or partial sandbox, please review FAQ - Sandbox - in particular bullet point 3 regarding the Salesforce Org Id.
For more information on creating Sandboxes, please consult Salesforce online help, or contact Salesforce Support.
In setup, perform a quick find for "Critical Updates" and click on the "Critical Updates" result.
Review and Activate all Critical Updates. This includes any that may not be shown in the screenshot below.
After reviewing, we suggest enabling all Critical Updates if you do not see any particular issue (advise on which ones to install is not covered by our support - contact Salesforce support for more information if needed).
Our reason for applying these now is if there is an impact, then you can disable, correct and then at a later date re-apply. If you wait for the auto activation date, there might not be a chance to undo and retry later. As always, testing in a Sandbox is recommended.
In setup, perform a quick find for "Security Updates" and click on the "Security Updates" result. NOTE: Some instances might show this as "Security Alerts" instead of "Security Updates"
For all sections, click on the "Get Started" button and work your way though the checklists. Make sure you complete the final checklist.
In setup, perform a quick find for "Sharing Settings" and click on the "Sharing Settings" result.
Then click the Edit Button.
Scroll down the page to "Other Settings" section and select "Secure guest user record access".
The other checkboxes have no impact on this particular update and do not matter from this updates perspective if they are ticked or not ticked. Please work with Salesforce or your Salesforce consultant should you require further info on those details.
Install the latest version of Payments2Us from the AppExchange.
Please ensure you follow the Post Install Steps for the 7.6 release.
Payments2Us regularly brings out the latest release, therefore updating to the latest release available is recommended. For the Salesforce security update, you will need to have version 7.6 or later. If you are unsure which release you are currently on, then go to setup - Search "Installed Packages" and click into "Installed Package" search results. You can see the version number there for your install of Payments2Us.
On ALL Merchant Facilities, ensure the "Payment Gateway Options" has "Enforce New Public Sites Security" option selected.
See procedure: How to setup Sites Sharing Settings
See procedure: How to authorise Payments2Us for public websites
The upgraded security enhancements ONLY work with the modern form.
Set the Default Payment Form on the Merchant Facility to "Modern".
If this field does not exist on the page, then edit the page layout and add the field to the page.
If this field does not have any values in it, the go to setup > Objects and fields > Merchant Facility. Click on Record Types, click into the Payment one. Click edit next to "Default Payment Form" and add all picklist values.
You may need to update the URLs used on your website or wherever else you have Payments2Us forms.
You need to ensure these are using the modern version. I.e. if the URL contains ....secure.force.com/aakpay__checkout?.... Then make sure the word checkout has "M" at the end of the word checkout, e.g. ...secure.force.com/aakpay__checkoutM?...
We would recommend that you test all your normal business processes.
As a minimum, perform an online test of your checkout form. If you are using any of the following modules then we recommend testing those online forms too:
- Checkout Form
- Peer-to-Peer Registration
- PayPal or PayPal Recurring
If you are using other Apps from Salesforce that have external forms, then we recommend also testing these. For example the NFP Volunteers for Salesforce Apps. Should you have any issues with those Apps, please contact them for assistance.
Repeat all of the steps above that were performed in Sandbox in your production instance.
- On the Merchant Facility (Primary / Active one). Stop/Start the Batch Processor
- Make sure the 7.6 Release upgrade post install steps were completed.
- Review Checkout Form FAQ
- The "Secure guest user record access" checkbox is not visible on the "Sharing Settings" screen. If you have applied all of the Security Alerts/Updates and this still does not appear, then log a case with Salesforce Support. They can enable a permission from the backend "Grant read-only access to guest users, using sharing rules". Apparently, it can only be done from the backend and by their higher support.
- When I go to authenticate the App, it is showing the domain from a different Salesforce instance.
If you are a consultant and logging in/out of multiple Salesforce instances, then this may occur. The session has been cached from a prior login. First, try closing down your browser, or using a different browser. Should that not work, then drag the field "Instance URL" onto the Merchant Facility Page Layout. Then edit/remove any values in here and try again.
If the above does not work, or if this is causing issues with other packages installed, then please see the procedure: How do I remove the March 2020 security updates procedure as an interim solution until you are able to resolve the issues.