[thelist] PCI DSS and encryption
Bill Moseley
moseley at hank.org
Wed Sep 12 16:25:04 CDT 2007
Meeting on this tomorrow, so trying to get a little feedback.
Anyone storing credit card numbers? Comments about encryption
implementations?
Thanks,
On Tue, Sep 11, 2007 at 10:49:39AM -0700, Bill Moseley wrote:
> Just at the kicking-around-ideas stage....
>
> We have a number of applications where we would like to process credit
> card payments but also retain enough data to charge the card again
> without the user having to re-enter their card and billing data.
>
> So, the plan is to support this in just one or two locked-down
> machines -- separate from the application servers. The app servers
> would submit the billing and CC info and receive back a unique id.
> Then that unique id could be used for charging (and for subsequent
> charges). Don't want to store any CC info in the applications, of
> course.
>
> Now, the CC processing servers must protect (encrypt) the PAN and other
> associated data as required by the PCI DSS[1].
>
> I'm wondering how to best manage the key for encrypting (and
> decrypting) the credit card data.
>
> Now, every application we run requires a user to log in. Passwords
> are not stored anywhere (passwords are one-way hashed). So, one idea
> was to save the un-encrypted password in the users session when they
> log in and pass that to the credit card processing system as the key
> to encrypt or decrypt their data for charging their card.
>
> This means if a user ever changes their password the system would need
> to tell the credit card processing machine to re-encrypt with the new
> key.
>
> Anyone have comments about this, or suggestions how best to
> manage the encryption keys?
>
> Thanks,
>
>
> [1] https://www.pcisecuritystandards.org/tech/index.htm
>
> --
> Bill Moseley
> moseley at hank.org
>
--
Bill Moseley
moseley at hank.org
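An added example, not code from Bill's post or from his systems, sketching the two pieces of the design above in Python: the locked-down card host hands the application servers an opaque token plus the last four digits, keeps the PAN encrypted, and uses a key hierarchy so that a key change (the password change mentioned above, or a scheduled rotation of a vault-held master key) only re-wraps a small per-record data-encryption key and never re-encrypts the PANs. The key-encryption key is derived from the user's password with PBKDF2 over a per-user salt, as in the proposal. The names (CardVault, derive_kek, seal, unseal), the sample card number (a well-known test PAN) and the per-user salt are all constructed for the example. The seal/unseal pair is an HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag, chosen only so the example runs on the standard library; a real vault would use AES-GCM or another vetted AEAD from a crypto library.

```python
"""Toy card vault: tokenization plus envelope (wrapped-DEK) encryption.

Constructed example. Standard library only; the seal/unseal cipher is a
stand-in for a real AEAD such as AES-GCM and exists so the key hierarchy
can be shown end to end.
"""
import hashlib
import hmac
import secrets


def derive_kek(password: str, salt: bytes) -> bytes:
    """Key-encryption key from a user password and a per-user salt (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000, dklen=32)


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: PRF(nonce || counter) blocks, truncated to length.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; wrong key -> ValueError."""
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed (wrong key or tampered record)")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, the usual sanity check before a PAN is accepted into the vault."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class CardVault:
    """The locked-down card host. Application servers only ever hold the token."""

    def __init__(self) -> None:
        self._records: dict[str, dict] = {}

    def store(self, kek: bytes, pan: str, expiry: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("invalid PAN")
        dek = secrets.token_bytes(32)          # fresh per-record data-encryption key
        token = secrets.token_urlsafe(24)      # opaque id returned to the app servers
        self._records[token] = {
            "wrapped_dek": seal(kek, dek),     # DEK protected by the user's KEK
            "pan_ct": seal(dek, pan.encode()), # PAN protected by the DEK
            "last4": pan[-4:],
            "expiry": expiry,
        }
        return token

    def app_view(self, token: str) -> dict:
        """What an application server is allowed to see: no PAN."""
        rec = self._records[token]
        return {"token": token, "last4": rec["last4"], "expiry": rec["expiry"]}

    def reveal_pan(self, kek: bytes, token: str) -> str:
        """Unwrap the DEK, then the PAN, e.g. right before sending a charge to the processor."""
        rec = self._records[token]
        dek = unseal(kek, rec["wrapped_dek"])
        return unseal(dek, rec["pan_ct"]).decode()

    def rewrap(self, old_kek: bytes, new_kek: bytes, token: str) -> None:
        """Key change (password change or rotation): only the 80-byte wrapped DEK is rewritten."""
        rec = self._records[token]
        dek = unseal(old_kek, rec["wrapped_dek"])
        rec["wrapped_dek"] = seal(new_kek, dek)

    def pan_ciphertext(self, token: str) -> bytes:
        return self._records[token]["pan_ct"]


if __name__ == "__main__":
    vault = CardVault()
    salt = secrets.token_bytes(16)                     # stored per user in the vault
    kek = derive_kek("correct horse battery staple", salt)
    tok = vault.store(kek, "4111111111111111", "12/09")  # constructed test PAN
    print(vault.app_view(tok))
    vault.rewrap(kek, derive_kek("new password", salt), tok)
    print(vault.reveal_pan(derive_kek("new password", salt), tok))
```

Two properties of this layout are worth noticing. Because the PAN is sealed under a DEK and only the DEK is sealed under the user's key, rewrap() runs in constant work per record regardless of how many charges or how large the record is, which keeps the password-change notification from the application cheap. And because the KEK is derived from the password, the vault can open a record only while it holds the password from the current login session; a vault-held master KEK rotated on a schedule goes through exactly the same rewrap() path and does not have that dependency.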