Re: FN-FORUM: Storing credit cards
date posted 30th May 2006 11:26
On 30 May 2006 08:28:28 -0000, Andy Creed [EMAIL REMOVED] wrote:
>
> I am sure this subject has been covered before but I want to get advice on
> storing credit cards in a site database rather than using a payment
> processor.
>
> I know this should be avoided for obvious reasons. However the client wants to
> pursue this line of thinking. So if we can discount the fact it is a bad
> idea - what is the best way it can be done?
>
> As symmetrical encryption methods will need to be used what is the best one
> to use and what other methods should be employed to ensure (as much as
> possible) that data will be kept secure?
If you have to store card details you should be using AES with a 256-bit
key size and 128-bit block size, preferably in CTR mode, certainly not
ECB mode.
The information you have to keep secure is not confined to the actual
card number - you should also be encrypting expiry dates, issue
numbers and cardholder details.
The encryption keys shouldn't be stored on disk and precautions should
be taken to prevent them being swapped out to disk. They should never,
ever be on an external facing host.
It's a real pain to do properly and unless it *is* done properly then
your client will be violating his merchant agreement. At the moment
the PCI is coming after PSPs for DSS compliance but after this year,
they should be ready to move on enforcing it with the merchants.
-robin
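Below is an added example of the scheme the reply describes (AES-256 in CTR mode, a fresh random nonce per record, and every card field encrypted, not only the number). It is not code from the original post or from any PSP; the language, the record layout, the JSON serialisation and the sample card values are all my choices. One thing goes beyond the reply: CTR mode on its own is malleable, so the stored blob is also authenticated with HMAC-SHA256 under a separate key (encrypt-then-MAC), and decryption refuses anything whose tag does not verify. Key material is held only in memory; how it reaches the process (HSM, key server, operator passphrase) is left out, as is locking it against swap.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// CardRecord holds every field the reply says must be protected, not only
// the PAN. The values used in main() are constructed test data.
type CardRecord struct {
	PAN        string `json:"pan"`
	Expiry     string `json:"expiry"`
	IssueNo    string `json:"issue_no,omitempty"`
	Cardholder string `json:"cardholder"`
}

// Keys is in-memory key material: a 256-bit AES key for CTR mode and a
// separate 256-bit HMAC key. Neither is ever written to the database or disk;
// where they come from at start-up is a deployment decision (assumption).
type Keys struct {
	Enc [32]byte
	Mac [32]byte
}

// NewKeys generates fresh random keys (for a real deployment you would load
// them from a key store instead).
func NewKeys() (*Keys, error) {
	k := &Keys{}
	if _, err := io.ReadFull(rand.Reader, k.Enc[:]); err != nil {
		return nil, err
	}
	if _, err := io.ReadFull(rand.Reader, k.Mac[:]); err != nil {
		return nil, err
	}
	return k, nil
}

// Seal returns nonce(16) || AES-256-CTR ciphertext || HMAC-SHA256(nonce||ct).
// A random nonce per record means two identical cards never share a
// ciphertext, which is exactly what ECB fails to give you. The tag is an
// addition to the reply's advice: without it anyone who can write the DB
// column could flip bits of the stored PAN undetected.
func Seal(k *Keys, rec CardRecord) ([]byte, error) {
	plain, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(k.Enc[:])
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(plain), aes.BlockSize+len(plain)+sha256.Size)
	nonce, ct := out[:aes.BlockSize], out[aes.BlockSize:]
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, nonce).XORKeyStream(ct, plain)
	mac := hmac.New(sha256.New, k.Mac[:])
	mac.Write(out) // authenticates nonce and ciphertext together
	return mac.Sum(out), nil
}

// Open verifies the tag first and only then decrypts, so a truncated,
// altered or wrong-key blob never yields partial plaintext.
func Open(k *Keys, blob []byte) (CardRecord, error) {
	var rec CardRecord
	if len(blob) < aes.BlockSize+sha256.Size {
		return rec, errors.New("stored record too short")
	}
	body, tag := blob[:len(blob)-sha256.Size], blob[len(blob)-sha256.Size:]
	mac := hmac.New(sha256.New, k.Mac[:])
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) { // constant-time compare
		return rec, errors.New("authentication failed: record altered or wrong key")
	}
	block, err := aes.NewCipher(k.Enc[:])
	if err != nil {
		return rec, err
	}
	nonce, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	plain := make([]byte, len(ct))
	cipher.NewCTR(block, nonce).XORKeyStream(plain, ct)
	if err := json.Unmarshal(plain, &rec); err != nil {
		return rec, err
	}
	return rec, nil
}

func main() {
	k, err := NewKeys()
	if err != nil {
		panic(err)
	}
	// Constructed sample card, not real data.
	rec := CardRecord{PAN: "4111111111111111", Expiry: "05/08", IssueNo: "1", Cardholder: "A Creed"}
	blob, _ := Seal(k, rec)
	fmt.Printf("stored blob: %d bytes, starts %x\n", len(blob), blob[:8])
	got, err := Open(k, blob)
	fmt.Printf("recovered: %+v (err=%v)\n", got, err)
	blob[aes.BlockSize] ^= 0x01 // flip one bit inside the PAN ciphertext
	_, err = Open(k, blob)
	fmt.Println("after tampering:", err)
}
```

Each row in the card table would hold the blob from Seal; the keys live only in the process that needs them, on a host that is not the web front end. If you prefer a single primitive that bundles the tag, AES-GCM via cipher.NewGCM does the same job with one key, but the explicit CTR-plus-HMAC layout above matches the mode the reply recommends.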