
According to PCI-DSS Requirement 3.4:

Render PAN unreadable anywhere it is stored by using the methods below:

  1. One-way hash
  2. Truncation
  3. Index tokens and pads
  4. Strong cryptography with associated key-management processes and procedures

My question based on above requirement is:

  1. So if we need to encrypt the credit card details, which one would be the better process?

  2. If we are going to encrypt credit card numbers for storage, then we should have a Data Encryption Key (DEK) for encrypting the credit card number. So do we need to generate a unique encryption key for each credit card number? Or generate a unique encryption key for each user (each user may have two or more CCs)? Or generate a single encryption key for encrypting all the credit card numbers?

  3. Also, could you provide any links regarding one-time pads, or explain them?

Adi
RajeshKannan

1 Answer

  1. The first two options (one-way hash, truncation) don't leave you with a working number, so if you expect to use the card again in the future these won't work for you. At the other end of the spectrum, strong cryptography will give you that ability, but it's harder, and involves setting up processes (such as key rotation and management).

  2. Because of the key rotation requirements, solutions are usually geared around use of one key throughout its cryptoperiod, rather than pairing keys with users or cards.

    You would generally use one DEK (call it DK1) for encryption of multiple cards, for the duration of the DEK's OUP (Originator Usage Period). Let's say the OUP is 3 months. After 3 months, you would generate a new DEK (DK2), and all new card encryptions will start using that number instead. However, for all those cards you encrypted in the first three months, you may need to decrypt them, right? So DK1 may continue to be used for decryption of those existing encrypted cards throughout its RUP (Recipient Usage Period) which is longer (let's say 12 months).

    So at any given time, you'll have at least one DEK in use as an OUP and an RUP, and 3 other DEKs used solely as RUPs. And as the oldest DEK nears the end of its RUP, you need to re-encrypt all its cards with a newer DEK.

    That's what PCI means by "with associated key-management processes and procedures". The terminology above is from NIST 800-57, which PCI cites as an example of the sort of key management guidelines they look for in DSS 3.6.4.

    You should also be protecting this stable of DEKs with a KEK (Key Encrypting Key).

  3. Nope. One-time pads are not a realistic solution; while cryptographically secure, they're not manageable on any usable scale. Imagine what I said for #2, but with one DEK per card!

gowenfawr
  • so do we need to use One DEK per card as in #3 or One DEK for multiple cards as in #2 – RajeshKannan Jan 23 '14 at 07:15
  • You want one DEK per multiple cards as per #2. #3 doesn't talk about DEKs, it talks about One-Time Pads. You can't reuse One-Time Pads or it destroys their security, which is why I'm saying if you did go with a OTP solution you'd need one per card. – gowenfawr Jan 23 '14 at 13:59
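The DEK lifecycle described in the answer, as an added Go example that is not part of the original question, answer or any PCI document: one DEK encrypts new records during its OUP, older DEKs are kept only for decryption until their RUP ends, and a record is flagged for re-encryption as its DEK approaches that end. The 3- and 12-month periods are taken from the answer's illustration; the `KeyRing` type, the record layout (key id, nonce, AES-GCM ciphertext) and the `margin` parameter are assumptions, and wrapping the stored DEKs with a KEK is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

// Periods from the answer (assumed values): encrypt with a DEK for 3 months (OUP), decrypt with it for 12 (RUP).
const OUP, RUP = 90 * 24 * time.Hour, 365 * 24 * time.Hour
type dek struct {
	id      byte // prefixed to every record this DEK protects
	aead    cipher.AEAD
	created time.Time
}
// KeyRing holds every DEK still inside its RUP; the newest one encrypts. At rest the DEKs would be wrapped by a KEK.
type KeyRing struct{ keys []*dek }
// Rotate generates the next DEK (DK1, DK2, ...) and makes it the encrypting key.
func (r *KeyRing) Rotate(now time.Time) {
	raw := make([]byte, 32)
	rand.Read(raw)                  // crypto/rand.Read never returns an error (Go 1.24+)
	block, _ := aes.NewCipher(raw)  // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	r.keys = append(r.keys, &dek{byte(len(r.keys)), aead, now})
}
// Encrypt uses only the newest DEK, and only while that DEK is still inside its OUP.
func (r *KeyRing) Encrypt(pan string, now time.Time) ([]byte, error) {
	if len(r.keys) == 0 || now.Sub(r.keys[len(r.keys)-1].created) >= OUP {
		return nil, errors.New("no DEK inside its OUP: rotate first")
	}
	k := r.keys[len(r.keys)-1]
	nonce := make([]byte, k.aead.NonceSize())
	rand.Read(nonce)
	// Record layout: keyID || nonce || AES-GCM ciphertext, with the key id also bound as AAD.
	return k.aead.Seal(append([]byte{k.id}, nonce...), nonce, []byte(pan), []byte{k.id}), nil
}
// Decrypt accepts any DEK inside its RUP; the bool says the DEK is within margin of its RUP end, so re-encrypt now.
func (r *KeyRing) Decrypt(rec []byte, now time.Time, margin time.Duration) (string, bool, error) {
	if len(rec) == 0 || int(rec[0]) >= len(r.keys) {
		return "", false, errors.New("unknown DEK id")
	}
	k, ns := r.keys[rec[0]], r.keys[rec[0]].aead.NonceSize()
	if len(rec) < 1+ns || now.Sub(k.created) >= RUP {
		return "", false, errors.New("malformed record or DEK past its RUP")
	}
	pt, err := k.aead.Open(nil, rec[1:1+ns], rec[1+ns:], []byte{k.id})
	return string(pt), now.Sub(k.created) >= RUP-margin, err
}
```

Re-encrypting a flagged record is simply `Decrypt` with the old DEK followed by `Encrypt` with the current one; a batch job running that over the oldest DEK's records before its RUP ends is the "key-management process" the answer refers to.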