Dave,

You win my weekly erudition award :)

-Mark

Mark A. Kruger, MCSE, CFG
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com


-----Original Message-----
From: Dave Watts [mailto:[email protected]] 
Sent: Thursday, February 18, 2010 6:41 PM
To: cf-talk
Subject: Re: Where to encrypt - cf or db or both?


> Yes Maureen - I know this. What "we" are asking is - What if the customer
> DOESN'T WANT TO USE THOSE - What if they want you to store the credit card
> anyway... regardless of compliance. (Compliance isn't law...)  What if that
> is your option?
>
> What then? How "should you do it"?

Sometimes the best answer to "how should you do it" is "you shouldn't
do it". So you should expect to get that a lot, when asking a question
like this. Is your customer going to hold you blameless when bad
things happen? Or are they going to try to share the legal
responsibility with you?

From the perspective of you, the consultant, the answers to these
questions are much more important than the technical details of
encryption algorithms, which really don't matter all that much. That
is, if you choose an acceptable implementation of an industry-standard
encryption algorithm, you've met your due diligence requirements and
you can be very confident that no one is going to access that data by
breaking the encryption. But if you get sued out of existence by your
client for not preventing the client from doing what you recommended
they didn't do - and if you think this doesn't happen I can confirm
otherwise - well, you're done.

> Matt's original question wasn't what are other methods - but what is the
> best choice for encrypting the data. (And what is required for compliance.)
> And I would like to know as well... (Minus the compliance part... That data
> is here: https://www.pcisecuritystandards.org And here:
> http://www.innovativemerchant.com/pdf/pci_dss_summary.pdf  )

Again, though, the specific encryption mechanisms don't matter that
much. From a technical perspective, what really matters is (a) did you
use an acceptable implementation of an industry-standard algorithm,
and (b) did you manage key access responsibly? The strength of the
encryption doesn't matter if your specific implementation has, say, a
predictable key-generation pattern, or if the keys could be snarfed
from your server by some other exploit.

> To me, recommending a service is like answering the question "How do you
> hammer a nail?" with the answer being "Hire a contractor."

That illustrates the problem with analogies. They lose their
descriptive power very quickly. The cost of hammering a nail poorly is
very small. You're not likely to get sued for hammering a nail poorly.
A better analogy, in my opinion, would be answering the question "how
do you win a court case" with "hire a lawyer". You may be the smartest
guy around, but that doesn't give you any special preparation for
representing yourself in court, and you're then responsible for your
own mistakes when you're not prepared to be.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsit
