[thelist] PCI DSS and encryption

Bill Moseley moseley at hank.org
Wed Sep 12 16:25:04 CDT 2007


Meeting on this tomorrow, so trying to get a little feedback.

Anyone storing credit card numbers?  Comments about encryption
implementations?

Thanks,

On Tue, Sep 11, 2007 at 10:49:39AM -0700, Bill Moseley wrote:
> Just at the kicking-around-ideas stage....
> 
> We have a number of applications where we would like to process credit
> card payments but also retain enough data to charge the card again
> without the user having to re-enter their card and billing data.
> 
> So, the plan is to support this in just one or two locked-down
> machines -- separate from the application servers.  The app servers
> would submit the billing and CC info and receive back a unique id.
> Then that unique id could be used for charging (and for subsequent
> charges).  Don't want to store any CC info in the applications, of
> course.
> 
> Now, the CC processing servers must protect (encrypt) the PAN and other
> associated data as required by the PCI DSS[1].
> 
> I'm wondering how to best manage the key for encrypting (and
> decrypting) the credit card data.
> 
> Now, every application we run requires a user to log in.  Passwords
> are not stored anywhere (passwords are one-way hashed).  So, one idea
> was to save the un-encrypted password in the users session when they
> log in and pass that to the credit card processing system as the key
> to encrypt or decrypt their data for charging their card.
> 
> This means if a user ever changes their password the system would need
> to tell the credit card processing machine to re-encrypt with the new
> key.
> 
> Anyone have comments about this, or suggestions how best to
> manage the encryption keys?
> 
> Thanks,
> 
> 
> [1] https://www.pcisecuritystandards.org/tech/index.htm
> 
> -- 
> Bill Moseley
> moseley at hank.org

-- 
Bill Moseley
moseley at hank.org
