[thelist] PCI DSS and encryption
Ken Snyder
kendsnyder at gmail.com
Thu Sep 13 10:06:19 CDT 2007
Bill Moseley wrote:
> Meeting on this tomorrow, so trying to get a little feedback.
>
> Anyone storing credit card numbers? Comments about encryption
> implementations?
>
Hi Bill, my understanding is that credit card encryption is best
implemented with simple two-way encryption schemes such as Rijndael 256
(see http://mcrypt.sourceforge.net/). With this type of scheme, there
are three parts:
1. Initialization Vector (IV)--a unique and usually random set of
characters that can be stored together or separately from the encrypted
data. For example, you can ensure that all your IVs are 20 characters
and know that the first 20 characters of the encrypted data is the IV.
Or you can store it in a separate column connected to the encrypted data.
2. Key--can be the same for all entries, or as you mention, different
for each entry based on some type of user data such as username and
password. (Just be sure to re-encrypt if the user data changes)
3. Salt/Obfuscation--You can also obfuscate the credit card number
itself before encryption by coming up with some type of scheme. For
example, if the credit card number was 12345, maybe you would store
19239495 where the 2nd, 5th, and 7th characters (here a 9) are a random
digit.
A hacker would have to get access to items 1, 2, AND 3 in addition to
any encrypted data before being able to decrypt anything. #1 would
typically be stored in a database, #2 would typically be stored in a
configuration file and/or embedded in the source code, and #3 would be
embedded in the source code.
Best of luck,
Ken
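As an added example that is not Ken's code and not part of the mcrypt project, the following Go program shows parts 1 and 2 of the scheme above in practice: a random IV generated per record and stored in front of the ciphertext, with the key held outside the database. It uses AES-256-GCM from Go's standard library in place of mcrypt's Rijndael-256; GCM also authenticates the ciphertext, so a modified or wrong-key blob is rejected instead of decrypting to garbage. The key-loading helper, the constructed key hex, and the test card number are assumptions made for this example; the per-record digit obfuscation in part 3 is not reproduced.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// KeyFromHex loads a 32-byte AES-256 key from its hex form. In a real
// deployment the hex string would come from a configuration file or a
// secrets store, never from the same database as the card data.
func KeyFromHex(s string) ([]byte, error) {
	key, err := hex.DecodeString(s)
	if err != nil {
		return nil, err
	}
	if len(key) != 32 {
		return nil, errors.New("key must be exactly 32 bytes for AES-256")
	}
	return key, nil
}

// EncryptCardNumber returns iv || ciphertext || tag. Storing the IV in
// front of the ciphertext is the "first N bytes are the IV" layout
// described above; a fresh random IV is drawn for every record.
func EncryptCardNumber(key []byte, pan string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and tag to the IV slice.
	return gcm.Seal(iv, iv, []byte(pan), nil), nil
}

// DecryptCardNumber splits the stored blob back into IV and ciphertext.
// Open fails (returns an error) if the blob was altered or the wrong key
// is used, which plain unauthenticated Rijndael/CBC would not detect.
func DecryptCardNumber(key, blob []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() {
		return "", errors.New("stored blob is too short to contain an IV and tag")
	}
	iv, ct := blob[:n], blob[n:]
	pt, err := gcm.Open(nil, iv, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Constructed key for the example only; generate a real one with
	// crypto/rand and keep it in configuration, not in source control.
	key, err := KeyFromHex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
	if err != nil {
		panic(err)
	}
	// 4111111111111111 is a well-known test card number, not a real account.
	blob, err := EncryptCardNumber(key, "4111111111111111")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob (%d bytes, first %d are the IV): %x\n", len(blob), 12, blob)
	pan, err := DecryptCardNumber(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("round trip ok:", pan == "4111111111111111")
}
```

Because the IV is random per record, encrypting the same card number twice yields two different blobs, so an attacker who reads the table cannot tell which customers share a card; and because the blob carries an authentication tag, a bit-flip in storage is reported as an error rather than silently producing a wrong number.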