storing credit card information
Posted by: yawnmoth
Date: July 02, 2008 04:39PM

My first question is... does the PCI require retail stores store credit card numbers? http://www.darkreading.com/document.asp?doc_id=135602 suggests that they are. If so, what does the PCI say about storing them encrypted vs. storing them unencrypted?

I can see virtue to both, actually.

If you store credit card numbers encrypted or hashed, it's a lot harder for the database administrator to get ahold of every customer's credit card.

The problem with encryption / hashing is that... say a customer wanted to search for invoices by their credit card number. If the credit cards were stored unencrypted, a customer could give just the last four digits of the credit card number out and with them, a search could be made. Just do something like...

SELECT * FROM invoices WHERE credit_card_num LIKE '%xxxx';

The point-of-sale system could do that, via SSL/TLS, and get the invoices without ever disclosing the full credit card number to the phone receptionist or cashier or whomever (although I imagine a cashier would probably be swiping the physical card in some sort of magnetic strip reader).

If credit card numbers, in contrast, were stored encrypted or hashed, that probably wouldn't work. If you were using a block cipher with a block size of 4 and were in ECB mode, you could do the search (just encrypt the last four digits with the key and plug the result into the LIKE query), but if the block size wasn't 4 or if you were in CBC mode... at that point, you'd be out of luck.

So it does seem that both techniques have their virtues.

Of course, it seems to me that the virtue of encrypting far outweighs the virtue of not encrypting. A single database administrator having access to everything can do a ton more damage than a phone receptionist who's just been given a single credit card number (assuming you even have phone receptionists).

Re: storing credit card information
Posted by: id
Date: July 02, 2008 05:12PM

break the CC number into two parts, hash them both, tada.

-id

Re: storing credit card information
Posted by: id
Date: July 02, 2008 05:14PM

oh, and PCI doesn't force the retailer to store the card data, but most will want to for customer satisfaction, etc. But they DO have to encrypt it.

-id

Re: storing credit card information
Posted by: yawnmoth
Date: July 02, 2008 05:51PM

id Wrote:
-------------------------------------------------------
> break the CC number into two parts, hash them
> both, tada.

i.e. substring($credit_card_num, 0, -4) for the first part, and substring($credit_card_num, -4) for the last part?

That does seem like a good approach :)

Re: storing credit card information
Posted by: Matt Presson
Date: July 02, 2008 08:04PM

If you do not want to store the number I would store the type, last four digits, and the merchant id returned from the completed transaction as that is really all you need to recreate any transaction. In that case, you do not have to worry about storing/encrypting the full credit card number and all the key management nightmare that comes along with that.

Matt


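As an added example (not code posted in this thread), here is one way to combine id's "split the number, hash the parts" idea with Matt's "store the type and last four" advice in Python: only the card type and the last four digits are kept in the clear, and the full PAN is replaced by a keyed HMAC token so an exact-PAN lookup still works without the database ever holding the number. The in-memory `db` list, the test PANs and the key handling are assumptions for the sake of a runnable example.

```python
import hashlib
import hmac
import secrets

# Assumed per-deployment secret; in production it would come from a KMS/HSM,
# never from source code. Generated here so the example runs stand-alone.
TOKEN_KEY = secrets.token_bytes(32)


def luhn_ok(pan: str) -> bool:
    """Reject malformed input before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def pan_token(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed hash of the full PAN. A plain hash would be weak here: the PAN
    space is small and structured, so the secrecy has to live in the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def store_invoice(db: list, invoice_id: str, pan: str, card_type: str, amount: float) -> None:
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("malformed PAN")
    # Last four digits stay in the clear (hashing 10,000 possible values hides
    # nothing); the full PAN is never written, only its keyed token.
    db.append({"invoice_id": invoice_id, "card_type": card_type,
               "last4": pan[-4:], "pan_token": pan_token(pan), "amount": amount})


def search_by_last4(db: list, last4: str) -> list:
    """The cashier/receptionist lookup from the first post, no full PAN needed."""
    return [r["invoice_id"] for r in db if r["last4"] == last4]


def search_by_full_pan(db: list, pan: str) -> list:
    """Exact lookup when the card itself is presented, via the keyed token."""
    tok = pan_token(pan)
    return [r["invoice_id"] for r in db if hmac.compare_digest(r["pan_token"], tok)]
```

A database administrator reading `db` sees only card types, last-four digits and opaque tokens, which is the situation the first post argues for.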
Re: storing credit card information
Date: June 18, 2009 10:16AM

Does PCI currently or in the future require that the encryption use a strong cipher? Using say RC4 40-bit as opposed to using AES 256-bit can mean the difference of stolen info being secured or not. I do love the hash method though, makes it so the company can't even figure out your card number, but nothing beats not storing anything at all.

Re: storing credit card information
Posted by: id
Date: June 18, 2009 07:20PM

Sort of... it's defined in the glossary:

Quote

Cryptography based on industry-tested and accepted algorithms, along with strong key lengths and proper key-management practices. Cryptography is a method to protect data and includes both encryption (which is reversible) and hashing (which is not reversible, or “one way”). SHA-1 is an example of an industry-tested and accepted hashing algorithm. Examples of industry-tested and accepted standards and algorithms for encryption include AES (128 bits and higher), TDES (minimum double-length keys), RSA (1024 bits and higher), ECC (160 bits and higher), and ElGamal (1024 bits and higher).

-id

Re: storing credit card information
Posted by: manola
Date: July 01, 2009 10:50PM

I do love the hash method though, makes it so the company can't even figure out your card number, but nothing beats not storing anything at all.