[WEB SECURITY] PCI DSS Level 1 - Guidelines for Storing Credit Card Details?

Gautam gautam.edu at gmail.com
Mon Feb 7 12:25:24 EST 2011

In my view you should hash it, unless you want to retrieve the plain text
number hashes would do it for you. if you do want to do
encryption/decryption then you need you need infrastructure to store your
keys securely (something that is dedicated for this task). I have seen some
good implementation using SafeNet products for this, i am not their sales
guys and hence you can do your own research on this for plus and minus.

Changing your keys regularly and securely and still able to encrypt and
decrypt your old data would be a good option. I have also seen and attended
discussion where payment organizations are moving towards using ECC for
encryption/decryption so you can see if it fits your requirement.

Let me know what you get, I would also like to learn from your experience.


On Sun, Feb 6, 2011 at 10:13 PM, Ed Bordin <edbordin at gmail.com> wrote:

> We have a web application running on Amazon AWS, which has recently
> been upgraded to PCI DSS Level 1 compliance. We want to take advantage
> of this and store credit card numbers on our host, but I'm having
> trouble finding any guidelines on best practices. In particular, what
> kind of encryption to use when storing the cards in the db, and what
> measures to take to keep the encryption key safe. Can anyone help?
> _______________________________________________
> The Web Security Mailing List
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> WASC on Twitter
> http://twitter.com/wascupdates
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20110207/6bea4a16/attachment-0003.html>

More information about the websecurity mailing list