View Full Version : storing credit card information

07-02-08, 01:01 PM
My first question is... does the PCI require retail stores store
credit card numbers? <http://www.darkreading.com/document.asp?
doc_id=135602> suggests that they are. If so, what does the PCI say
about storing them encrypted vs. storing them unencrypted?

I can see virtue to both, actually.

If you store credit card numbers encrypted or hashed, it's a lot
harder for the database administrator to get ahold of every customers
credit card.

The problem with with encryption / hashing is that... say a customer
wanted to search for invoices by their credit card number. If the
credit cards were stored unencrypted, a customer could give just the
last four digits of the credit card number out and with them, a search
could be made. Just do something like...

SELECT * FROM invoices WHERE credit_card_num LIKE '%xxxx';

The point-of-sale system could do that, via SSL/TLS, and get the
invoices without ever disclosing the full credit card number to the
phone receptionist or cashier or whomever (although I imagine a
cashier would probably be swiping the physical card in some sort of
magnetic strip reader).

If credit card numbers, in contrast, were stored encrypted or hashed,
that probably wouldn't work. If you were using a block cipher with a
block size of 4 and were in ECB mode, you could do the search (just
encrypt the last four digits with the key and plug the result into the
LIKE query), but if the block size wasn't 4 or if you were in CBC
mode... at that point, you'd be out-of-luck.

So it does seem that both techniques have their virtues.

Of course, it seems to me that the virtue of encrypting far outweighs
the virtue of not encrypting. A single database administrator having
access to everything can do a ton more damage than a phone
receptionist who's just been given a single credit card number
(assuming you even have phone receptions).