[thelist] PCI DSS and encryption

Ken Snyder kendsnyder at gmail.com
Thu Sep 13 10:06:19 CDT 2007


Bill Moseley wrote:
> Meeting on this tomorrow, so trying to get a little feedback.
>
> Anyone storing credit card numbers?  Comments about encryption
> implementations?
>   
Hi Bill, my understanding is that credit card encryption is best 
implemented with simple two-way encryption schemes such as Rijndael 256 
(see http://mcrypt.sourceforge.net/).  With this type of scheme, there 
are three parts:

1. Initialization Vector (IV)--a unique and usually random set of 
characters that can be stored together with or separately from the encrypted 
data.  For example, you can ensure that all your IVs are 20 characters 
and know that the first 20 characters of the encrypted data are the IV.  
Or you can store it in a separate column connected to the encrypted data.

2. Key--can be the same for all entries, or as you mention, different 
for each entry based on some type of user data such as username and 
password.  (Just be sure to re-encrypt if the user data changes.)

3. Salt/Obfuscation--You can also obfuscate the credit card number 
itself before encryption by coming up with some type of scheme.  For 
example, if the credit card number was 12345, maybe you would store 
19239495 where the 2nd, 5th, and 7th characters (here a 9) are a random 
digit.

A hacker would have to get access to items 1, 2, AND 3 in addition to 
any encrypted data before being able to decrypt anything.  #1 would 
typically be stored in a database, #2 would typically be stored in a 
configuration file and/or embedded in the source code, and #3 would be 
embedded in the source code.

Best of luck,

Ken
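Parts 1 and 2 of the scheme described above, as an added example in Go that is not Ken's code and not from the mcrypt library: AES-256 in GCM mode (an authenticated mode, swapped in for an unauthenticated mode such as CBC) with the random IV kept as a fixed-length prefix of the stored value. The 32-byte key, the sample card number and the function names are assumptions; part 3 (digit obfuscation) is not implemented.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newAEAD wraps AES-256 in GCM so that decryption also verifies integrity.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // part 2: the key comes from config or a key store, never the DB row
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns nonce || ciphertext || tag: the random nonce is part 1 (the IV),
// stored as a fixed-length prefix of the value, as the post suggests.
func Encrypt(key []byte, pan string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(pan), nil), nil
}

// Decrypt splits the stored value into IV and ciphertext; it fails instead of
// returning garbage if the value was altered or the key is wrong.
func Decrypt(key, stored []byte) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(stored) < ns+aead.Overhead() {
		return "", errors.New("stored value too short to hold IV and tag")
	}
	pt, err := aead.Open(nil, stored[:ns], stored[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

With random 96-bit GCM nonces, rotate the key well before 2^32 values have been encrypted under it.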
