Key management for PCI DSS compliance
I have a client I'm helping with their PCI compliance effort. One question I have is where to store the key that encrypts account numbers, etc. Right now, it's in one location in their CF code. Is there a better practice? I understand that storing it in the same database that contains the encrypted data is a no-no (seems sensible). The cost of an external HSM box just for key management seems prohibitive. Is there an easier way that others here have used?

Thanks,
Dave

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology-Michael-Dinowitz/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336254
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Key management for PCI DSS compliance
http://www.braintreepaymentsolutions.com/services/pci-compliance

On Fri, Aug 13, 2010 at 9:52 AM, Dave Burns cft...@burnsorama.com wrote:
> I have a client I'm helping with their PCI compliance effort. One question I have is where to store the key that encrypts account numbers, etc. Right now, it's in one location in their CF code. Is there a better practice? I understand that storing it in the same database that contains the encrypted data is a no-no (seems sensible). The cost of an external HSM box just for key management seems prohibitive. Is there an easier way that others here have used?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336255
Re: Key management for PCI DSS compliance
Storing the key in the same db is ok, if you also encrypt the key. You might use a combination of the app name and the timestamp of the key record as the key to unencrypt the key (wow that's confusing).

Steve Cutter Blades
Adobe Community Professional - ColdFusion
Adobe Certified Professional
Advanced Macromedia ColdFusion MX 7 Developer
Co-Author of Learning Ext JS
http://www.packtpub.com/learning-ext-js/book
http://blog.cutterscrossing.com

On 8/13/2010 8:52 AM, Dave Burns wrote:
> I have a client I'm helping with their PCI compliance effort. One question I have is where to store the key that encrypts account numbers, etc. Right now, it's in one location in their CF code. Is there a better practice? I understand that storing it in the same database that contains the encrypted data is a no-no (seems sensible). The cost of an external HSM box just for key management seems prohibitive. Is there an easier way that others here have used?
>
> Thanks,
> Dave

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336256
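Steve's suggestion is key wrapping: the key that encrypts the card numbers sits in the database only in encrypted form. The Go below is an added example, not code from this thread, showing that pattern with AES-GCM; the practitioner's caveat is that the wrapping key (KEK) should be random and loaded from outside the database and the CF source, since an app name and a record timestamp are values anyone with database access can also read. The key record ID, the KEK bytes and the test card number used in the checks are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// Constructed envelope scheme: card numbers are encrypted under a data key (DEK) that
// the database holds only wrapped under a KEK loaded from outside the DB and CF source.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Seal returns nonce||ciphertext||tag; aad ties the blob to its key record ID.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per call
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}
// Open fails on a wrong key, a wrong aad or any tampering with the blob.
func Open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("sealed blob too short")
}
// NewWrappedDEK makes a random 256-bit DEK and returns only its wrapped form, the only form ever stored.
func NewWrappedDEK(kek []byte, keyID string) ([]byte, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	return Seal(kek, dek, []byte(keyID))
}
```

Rotating the KEK is Open with the old KEK followed by Seal with the new one; the encrypted card data itself is never touched.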