Posted by dmalhotr2001 on 01/10/07 02:53
I was wondering whether anyone has ever dealt with encryption that is Visa
compliant with credit card numbers:
On 3.4 of this document
(http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf)
It states the encryption:
- One-way hashes (hashed indexes), such as SHA-1
- Truncation
- Index tokens and PADs, with the PADs being securely stored
- Strong cryptography, such as Triple-DES 128-bit or AES 256-bit with associated key management processes and procedures
1. One-way hashes cannot be decrypted, so this won't work
2. Triple DES works; however, we will need to encrypt SSN. Triple DES
doesn't encrypt 2 values the same way, so we cannot use it as an
index key as we wanted to. The decrypted value comes out the same;
however, the encrypted values are always different. We can't do table
scans for an SSN lookup.
3. Truncation - I have no idea
4. Index token or PAD seems like one-way encryption and can never be
decrypted (not sure what this is for if it can't be decrypted)
So how do I get this to work?? It doesn't say RSA is compliant either.
If you think RSA is okay, where does it EXPLICITLY say that in this
document???
:D
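
An added example, not part of the original post: a sketch of how the "hashed index" and "truncation" items from the quoted list can support an exact-match lookup without ever reversing the stored value. The table and column names, the key and the sample numbers are assumptions made for illustration; a keyed HMAC-SHA-256 is used here in place of the bare SHA-1 hash the list names, and a separately encrypted column for recovering the full value is left out.

```python
import hashlib
import hmac
import sqlite3

# Constructed demo key (assumption); in practice it comes from key management.
INDEX_KEY = b"constructed-demo-key-not-for-production"

def normalize(value: str) -> str:
    """Strip spaces and dashes so formatting differences do not change the index."""
    digits = "".join(ch for ch in value if ch.isdigit())
    if not digits:
        raise ValueError("no digits in value")
    return digits

def hashed_index(value: str, key: bytes = INDEX_KEY) -> str:
    """Deterministic keyed hash: the same input and key always give the same token."""
    return hmac.new(key, normalize(value).encode(), hashlib.sha256).hexdigest()

def truncate(value: str) -> str:
    """Keep only the last four digits; the rest is not stored at all."""
    return normalize(value)[-4:]

def open_store() -> sqlite3.Connection:
    # Hypothetical schema: the full number never appears in this table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customer (name TEXT, ssn_index TEXT, ssn_last4 TEXT)")
    db.execute("CREATE INDEX idx_ssn ON customer (ssn_index)")
    return db

def add_customer(db: sqlite3.Connection, name: str, ssn: str) -> None:
    db.execute("INSERT INTO customer VALUES (?, ?, ?)",
               (name, hashed_index(ssn), truncate(ssn)))

def find_by_ssn(db: sqlite3.Connection, ssn: str) -> list:
    """Equality lookup on the hashed index; nothing is decrypted."""
    return db.execute("SELECT name, ssn_last4 FROM customer WHERE ssn_index = ?",
                      (hashed_index(ssn),)).fetchall()

def demo() -> list:
    db = open_store()
    add_customer(db, "Alice Example", "000-12-3456")  # constructed sample values
    add_customer(db, "Bob Example", "000-98-7654")
    return find_by_ssn(db, "000123456")  # different formatting, same person

if __name__ == "__main__":
    print(demo())
```
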