[thelist] PCI DSS and encryption

Bill Moseley moseley at hank.org
Tue Sep 11 12:49:39 CDT 2007


Just at the kicking-around-ideas stage....

We have a number of applications where we would like to process credit
card payments but also retain enough data to charge the card again
without the user having to re-enter their card and billing data.

So, the plan is to support this in just one or two locked-down
machines -- separate from the application servers.  The app servers
would submit the billing and CC info and receive back a unique id.
Then that unique id could be used for charging (and for subsequent
charges).  Don't want to store any CC info in the applications, of
course.

Now, the CC processing servers must protect (encrypt) PAN and other
associated data as required by the PCI DSS[1].

I'm wondering how to best manage the key for encrypting (and
decrypting) the credit card data.

Now, every application we run requires a user to log in.  Passwords
are not stored anywhere (passwords are one-way hashed).  So, one idea
was to save the un-encrypted password in the users session when they
log in and pass that to the credit card processing system as the key
to encrypt or decrypt their data for charging their card.

This means if a user ever changes their password the system would need
to tell the credit card processing machine to re-encrypt with the new
key.

Anyone have comments about this, or suggestions how best to
manage the encryption keys?

Thanks,


[1] https://www.pcisecuritystandards.org/tech/index.htm

-- 
Bill Moseley
moseley at hank.org
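An added worked example (not code from the post or from any project it mentions) of the key-management scheme sketched above, in Go using only the standard library. Instead of using the password itself as the key, it derives a per-user key-encryption key (KEK) from the password with PBKDF2 and a random salt, seals the PAN under a random per-record data key (DEK) with AES-GCM, and seals that DEK under the KEK. The password-change case the post raises then only re-wraps the DEK; the sealed PAN is left alone. The type and function names (CardRecord, StoreCard, RecoverPAN, Rekey), the iteration count and the test card number are all constructed for the example; the PBKDF2 routine is written out by hand so nothing outside the standard library is needed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const kdfIterations = 100_000 // constructed for the example; tune for the hardware in use

// pbkdf2Key derives one 32-byte block with PBKDF2-HMAC-SHA256 (RFC 8018); hand-written so the example needs only the standard library.
func pbkdf2Key(password, salt []byte) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian index of the single block
	u := mac.Sum(nil)             // U_1
	t := append([]byte(nil), u...) // T_1 = U_1 xor U_2 xor ... xor U_c
	for i := 1; i < kdfIterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// must panics on errors that can only mean a programming fault (bad key length, broken CSPRNG).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// seal encrypts with AES-256-GCM as nonce || ciphertext || tag; aad binds the blob to the record id so it cannot be swapped into another record. unseal reverses it; a wrong key or a tampered blob fails the tag check.
func seal(key, plaintext, aad []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if ns := gcm.NonceSize(); len(sealed) >= ns {
		return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
	}
	return nil, fmt.Errorf("sealed blob too short")
}

// CardRecord is what the locked-down processing host keeps per card: the PAN sealed under a random data key (DEK), and the DEK sealed under the password-derived key (KEK).
type CardRecord struct {
	ID         string // opaque id handed back to the application servers
	Salt       []byte // per-user salt for the password KDF
	WrappedDEK []byte // DEK sealed under the KEK; the only thing a password change rewrites
	SealedPAN  []byte // PAN sealed under the DEK
}

// StoreCard is the "submit billing and CC info, receive back a unique id" step.
func StoreCard(id, password, pan string) *CardRecord {
	salt, dek := randomBytes(16), randomBytes(32)
	return &CardRecord{
		ID:         id,
		Salt:       salt,
		WrappedDEK: seal(pbkdf2Key([]byte(password), salt), dek, []byte(id)),
		SealedPAN:  seal(dek, []byte(pan), []byte(id)),
	}
}

// RecoverPAN is the charge-time step: password -> KEK -> DEK -> PAN.
func RecoverPAN(rec *CardRecord, password string) (string, error) {
	dek, err := unseal(pbkdf2Key([]byte(password), rec.Salt), rec.WrappedDEK, []byte(rec.ID))
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	pan, err := unseal(dek, rec.SealedPAN, []byte(rec.ID))
	return string(pan), err
}

// Rekey is the password-change step from the post: unwrap the DEK with the old password and wrap it again under the new one. SealedPAN is left untouched.
func Rekey(rec *CardRecord, oldPassword, newPassword string) error {
	dek, err := unseal(pbkdf2Key([]byte(oldPassword), rec.Salt), rec.WrappedDEK, []byte(rec.ID))
	if err != nil {
		return fmt.Errorf("old password does not unwrap DEK: %w", err)
	}
	rec.Salt = randomBytes(16)
	rec.WrappedDEK = seal(pbkdf2Key([]byte(newPassword), rec.Salt), dek, []byte(rec.ID))
	return nil
}
```

Two things this layout buys over using the raw password as the key: the salted KDF means the stored blobs do not hand an attacker a direct test against a weak password, and the random DEK means a password change rewrites only WrappedDEK instead of decrypting and re-encrypting every PAN. The flip side of any password-derived key is that the processing host can only open a record while the user's password is in hand, i.e. during that user's session; a charge with no user logged in would need a key managed some other way, and with the DEK in place that would change only the wrapping layer.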
