storing credit card information

Discussion in 'Computer Security' started by yawnmoth, Jul 2, 2008.

  1. yawnmoth

    yawnmoth Guest

    My first question is... does the PCI require retail stores store
    credit card numbers? <http://www.darkreading.com/document.asp?
    doc_id=135602> suggests that they are. If so, what does the PCI say
    about storing them encrypted vs. storing them unencrypted?

    I can see virtue to both, actually.

    If you store credit card numbers encrypted or hashed, it's a lot
    harder for the database administrator to get ahold of every customers
    credit card.

    The problem with with encryption / hashing is that... say a customer
    wanted to search for invoices by their credit card number. If the
    credit cards were stored unencrypted, a customer could give just the
    last four digits of the credit card number out and with them, a search
    could be made. Just do something like...

    SELECT * FROM invoices WHERE credit_card_num LIKE '%xxxx';

    The point-of-sale system could do that, via SSL/TLS, and get the
    invoices without ever disclosing the full credit card number to the
    phone receptionist or cashier or whomever (although I imagine a
    cashier would probably be swiping the physical card in some sort of
    magnetic strip reader).

    If credit card numbers, in contrast, were stored encrypted or hashed,
    that probably wouldn't work. If you were using a block cipher with a
    block size of 4 and were in ECB mode, you could do the search (just
    encrypt the last four digits with the key and plug the result into the
    LIKE query), but if the block size wasn't 4 or if you were in CBC
    mode... at that point, you'd be out-of-luck.

    So it does seem that both techniques have their virtues.

    Of course, it seems to me that the virtue of encrypting far outweighs
    the virtue of not encrypting. A single database administrator having
    access to everything can do a ton more damage than a phone
    receptionist who's just been given a single credit card number
    (assuming you even have phone receptions).
     
    yawnmoth, Jul 2, 2008
    #1
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Douglas Bailey
    Replies:
    1
    Views:
    718
    robert gray
    Aug 18, 2004
  2. author&producer@prevent_identy_theft.com

    I collect credit card information

    author&producer@prevent_identy_theft.com, Aug 9, 2005, in forum: DVD Video
    Replies:
    3
    Views:
    920
    Dick Sidbury
    Aug 9, 2005
  3. R Green - WoWsat.com

    Re: Credit Card Information

    R Green - WoWsat.com, Aug 30, 2003, in forum: Computer Security
    Replies:
    0
    Views:
    709
    R Green - WoWsat.com
    Aug 30, 2003
  4. Mimic

    Re: Credit Card Information

    Mimic, Aug 30, 2003, in forum: Computer Security
    Replies:
    0
    Views:
    491
    Mimic
    Aug 30, 2003
  5. twfsa

    Deleteing credit card information

    twfsa, Feb 16, 2005, in forum: Computer Information
    Replies:
    1
    Views:
    367
    Apollo
    Feb 16, 2005
Loading...

Share This Page