Encryption of Credit Card files

Discussion in 'Security Software' started by The Poster, Jan 16, 2006.

  1. The Poster

    The Poster Guest

    G'Day Forum,

    We are working on complying with the Visa/MasterCard Payment Card Industry
    Data Security Standard (PCI DSS). As part of this we need to apply the
    following controls on the storage of credit card data:

    to encrypt data at a folder level - that is all of the containing folders
    and files
    to allow for split knowledge of encryption keys and management thereof
    to allow for strong encryption support (algorithms like 3DES, AES, etc)
    a mechanism for automating the encryption process on a daily basis - this is
    to coincide with a backup cycle (no clear text credit card files get backed
    up onto tape)

    We are looking for a File/Folder encryption solution for a Windows 2000
    based file server (member of a Windows 2000 Domain) and a Windows 2003 based
    FTP Server (Standalone system), that will be used for storing Credit Card
    information.

    Your thoughts on any products that suit my requirements?

    Regards,

    Steve.
     
    The Poster, Jan 16, 2006
    #1

  2. I don't follow. Do you mean so that no single person can decrypt the credit
    card information alone? Is that part of the PCI DSS requirements?
    Why would you not always encrypt the credit card numbers immediately instead
    of on a schedule? I would think this would be highly preferable.
    Windows EFS will do this. Make sure however that you 1) configure EFS
    securely according to best practices and 2) you MUST back up your encryption
    keys. You can meet the requirement if necessary of no single person being
    able to decrypt by encrypting using an account where two people each know
    half of the password. If you want other combinations of people to be able
    to decrypt the data, you could encrypt the data in different ways using
    different accounts where different people share the password. PGP, GPG and
    www.jetico.com are some other popular low-cost encryption programs that work
    similarly and may or may not meet your needs.

    Or you could have a developer program a custom solution that handles the
    data encryption / decryption and has a front-end that manages user
    authentication to see the decrypted data.
     
    Karl Levinson, mvp, Jan 16, 2006
    #2
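The split-knowledge idea Karl describes (two people, neither able to decrypt alone) is easiest to see in code. The following is an added example, not code from this thread or from any product mentioned in it: each custodian holds a random 32-byte component, the data-encryption key is the XOR of the two (so either component alone reveals nothing about the key), and files are sealed with AES-256-GCM, whose tag check makes a wrong key or a tampered file fail loudly instead of yielding garbage. Function names are my own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// CombineComponents XORs two custodians' 32-byte components into the AES-256 key;
// with full-length random components, either one alone reveals nothing about it.
func CombineComponents(a, b []byte) ([]byte, error) {
	if len(a) != 32 || len(b) != 32 {
		return nil, errors.New("each component must be exactly 32 bytes")
	}
	key := make([]byte, 32)
	for i := range key {
		key[i] = a[i] ^ b[i]
	}
	return key, nil
}

// NewFileCipher wraps the combined key in AES-256-GCM.
func NewFileCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals one file's bytes and prepends the random nonce.
func Encrypt(gcm cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt; a wrong key fails the GCM tag check, not silently.
func Decrypt(gcm cipher.AEAD, blob []byte) ([]byte, error) {
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
```

Each component should be generated with crypto/rand and kept by a different custodian; the combined key only ever exists in memory on the machine doing the daily encryption run.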

  3. You plan on storing this in files? As opposed to in a database? And,
    more surprising to me, on a machine that has FTP active?!

    Your interpretation of the guidance does not sound right when you say
    I thought it says never stored (anywhere) in the clear
     
    Roger Abell [MVP], Jan 16, 2006
    #3
  4. Ed

    Ed Guest

    I'll echo Roger's comments. Aside from asking for product advice, it may be
    worthwhile to review your architecture/goals.

    Storing credit card information implies that it will be retrieved for future
    use. Aside from normal retail operations like allowing customers to "save"
    payment information for a quicker checkout process on a subsequent sale,
    either by themselves online, or via telephone with a rep, the only other
    probable use is for some data mining - but I don't think you need the entire
    number to run reports based on credit cards.

    On a large scale, say you have multiple "local" locations that run their own
    localized sales/ops and then "batch" data into a central location (my guess
    for your FTP need), the question still remains, what is the purpose for
    including credit card information in such a batching process? I'll assume
    this is just to allow the scenario I mentioned - allowing customers an
    easier/faster experience on a subsequent sale: they may have bought an item
    from Store A in CA, but can still have the same ease if they ordered through
    your web site or call center in NY or anywhere. In this case, the question
    which Roger already asked is, why FTP instead of a synchronized database? If
    you are at this scale of operations, then it would only be fitting to have
    the proper architecture for it.
     
    Ed, Jan 16, 2006
    #4