Encryption of Credit Card files


The Poster

G/Day Forum,

We are working on complying with the Visa/MasterCard Payment Card Industry
Data Security Standard (PCI DSS). As part of this we need to apply the
following controls on the storage of credit card data:

  • to encrypt data at a folder level - that is all of the containing folders
    and files
  • to allow for split knowledge of encryption keys and management thereof
  • to allow for strong encryption support (algorithms like 3DES, AES, etc)
  • a mechanism for automating the encryption process on a daily basis - this is
    to coincide with a backup cycle (no clear text credit card files get backed up
    onto tape)

We are looking for a File/Folder encryption solution for a Windows 2000
based file server (member of a Windows 2000 Domain) and a Windows 2003 based
FTP Server (Standalone system), that will be used for storing Credit Card
information.

Your thoughts on any products that suit my requirements?

Regards,

Steve.
 
The Poster said:
> G/Day Forum,
>
> We are working on complying with the Visa/MasterCard Payment Card Industry
> Data Security Standard (PCI DSS). As part of this we need to apply the
> following controls on the storage of credit card data:
>
> to encrypt data at a folder level - that is all of the containing folders
> and files
> to allow for split knowledge of encryption keys and management thereof

I don't follow. Do you mean so that no single person can decrypt the credit
card information alone? Is that part of the PCI DSS requirements?

> to allow for strong encryption support (algorithms like 3DES, AES, etc)
> a mechanism for automating the encryption process on a daily basis - this is
> to coincide with a backup cycle (no clear text credit card files get backed up
> onto tape)

Why would you not always encrypt the credit card numbers immediately instead
of on a schedule? I would think this would be highly preferable.

> We are looking for a File/Folder encryption solution for a Windows 2000
> based file server (member of a Windows 2000 Domain) and a Windows 2003 based
> FTP Server (Standalone system), that will be used for storing Credit Card
> information.

Windows EFS will do this. Make sure however that you 1) configure EFS
securely according to best practices and 2) you MUST back up your encryption
keys. You can meet the requirement if necessary of no single person being
able to decrypt by encrypting using an account where two people each know
half of the password. If you want other combinations of people to be able
to decrypt the data, you could encrypt the data in different ways using
different accounts where different people share the password. PGP, GPG and
www.jetico.com are some other popular low-cost encryption programs that work
similarly and may or may not meet your needs.

Or you could have a developer program a custom solution that handles the
data encryption / decryption and has a front-end that manages user
authentication to see the decrypted data.
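
The split-knowledge requirement discussed in the reply above, as an added example that is not part of the original thread or of any product named in it: instead of two people each knowing half of one password, each custodian holds a full-length random component and the key is the XOR of all components, so a single component reveals nothing about the key. The function names and the key check value scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("components must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: int = 2) -> list:
    """Split key into one component per custodian; all are needed to rebuild."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    parts = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for part in parts:
        last = xor_bytes(last, part)
    return parts + [last]


def combine(components: list) -> bytes:
    key = bytes(len(components[0]))  # all-zero start value
    for component in components:
        key = xor_bytes(key, component)
    return key


def key_check_value(key: bytes) -> str:
    """Short fingerprint so custodians can confirm a rebuilt key without
    displaying it (HMAC over a fixed label; a hypothetical scheme)."""
    return hmac.new(key, b"key-check", hashlib.sha256).hexdigest()[:6]


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed 256-bit sample key
    a, b = split_key(key)
    rebuilt = combine([a, b])
    # Component a alone is consistent with every possible key: for any
    # guess there is a partner component that fits, so a reveals nothing.
    guess = secrets.token_bytes(32)
    partner = xor_bytes(guess, a)
    return {
        "rebuilt_ok": key_check_value(rebuilt) == key_check_value(key),
        "guess_fits_a": combine([a, partner]) == guess,
    }
```

The example covers key handling only; the rebuilt key would be passed to whatever tool performs the file encryption.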
 
You plan on storing this in files? as opposed to in a database? and,
more surprising to me, on a machine that has FTP active??!?

Your interpretation of the guidance does not sound right when you say

> a mechanism for automating the encryption process on a daily basis - this
> is to coincide with a backup cycle (no clear text credit card files get
> backed up onto tape)

I thought it says never stored (anywhere) in the clear.
 
I'll echo Roger's comments. Aside from asking for product advice, it may be
worthwhile to review your architecture/goals.

Storing credit card information implies that it will be retrieved for future
use. Aside from normal retail operations like allowing customers to "save"
payment information for a quicker checkout process on a subsequent sale,
either by themselves online, or via telephone with a rep, the only other
probable use is for some data mining - but I don't think you need the entire
number to run reports based on credit cards.

On a large scale, say you have multiple "local" locations that run their own
localized sales/ops and then "batch" data into a central location (my guess
for your FTP need), the question still remains, what is the purpose for
including credit card information in such a batching process? I'll assume
this is just to allow the scenario I mentioned - allowing customers
easier/faster experience on a subsequent sale, they may have bought an item
from Store A in CA, but can still have the same ease if they ordered through
your web site or call center in NY or anywhere. In this case, the question
which Roger already asked is, why FTP instead of a synchronized database? If
you are at this scale of operations, then it would only be fitting to have
the proper architecture for it.
 