storing credit card information



My first question is... does the PCI require retail stores store
credit card numbers? <http://www.darkreading.com/document.asp?
doc_id=135602> suggests that they are. If so, what does the PCI say
about storing them encrypted vs. storing them unencrypted?

I can see virtue to both, actually.

If you store credit card numbers encrypted or hashed, it's a lot
harder for the database administrator to get ahold of every customers
credit card.

The problem with with encryption / hashing is that... say a customer
wanted to search for invoices by their credit card number. If the
credit cards were stored unencrypted, a customer could give just the
last four digits of the credit card number out and with them, a search
could be made. Just do something like...

SELECT * FROM invoices WHERE credit_card_num LIKE '%xxxx';

The point-of-sale system could do that, via SSL/TLS, and get the
invoices without ever disclosing the full credit card number to the
phone receptionist or cashier or whomever (although I imagine a
cashier would probably be swiping the physical card in some sort of
magnetic strip reader).

If credit card numbers, in contrast, were stored encrypted or hashed,
that probably wouldn't work. If you were using a block cipher with a
block size of 4 and were in ECB mode, you could do the search (just
encrypt the last four digits with the key and plug the result into the
LIKE query), but if the block size wasn't 4 or if you were in CBC
mode... at that point, you'd be out-of-luck.

So it does seem that both techniques have their virtues.

Of course, it seems to me that the virtue of encrypting far outweighs
the virtue of not encrypting. A single database administrator having
access to everything can do a ton more damage than a phone
receptionist who's just been given a single credit card number
(assuming you even have phone receptions).
.



Relevant Pages

  • Re: Hash of item as IV for CBC mode?
    ... Why are you encrypting a serial number that increments? ... purchases and manual purchases without having to re-enter a credit card. ... When a card is first used, it would be encrypted, and the ciphertext ... A hash of the credit card number, ...
    (sci.crypt)
  • Re: New law in Massachusetts require encryption of data
    ... implications of this law. ... already be encrypting that data. ... If you store SSN, credit card, or bank account ...
    (comp.databases.pick)
  • Re: tender number search
    ... We are in the process of encrypting one field within our ... a payment by credit card number. ... is your database on a public server? ... Have you considered using column level security available with SQL? ...
    (comp.sys.ibm.as400.misc)
  • Re: getting private key from client certificate?
    ... You are thinking of encrypting the customer's credit card using elements of ... the customer's client certificate such that only the customer (who has the ... private key) can decrypt their credit card number. ...
    (microsoft.public.inetserver.iis.security)
  • Encryption Scheme Question
    ... I'm working on an e-commerce web site and need to securely store ... credit card numbers in a database. ... I will use a public/private key pair with RSA encryption, ... The public key file will be stored ...
    (microsoft.public.dotnet.framework.aspnet.security)