tags:

views:

239

answers:

3
+3  Q: 

Credit Card storage solution

Hi Everyone,

I'm developing a solution that is designed to store membership details, as well as credit card details. I'm trying to comply with PCI DSS as much as I can. Here is my design so far:

PAN = Primary account number == long number on credit card

  • Server A is a remote server. It stores all membership details (Names, Address etc..) and provides indivudal Key A's for each PAN stored
  • Server B is a local server, and actually holds the encrypted PANs, as well as Key B, and does the decryption.

To get a PAN, the client has to authenticate with BOTH servers, ask Server A for the respective Key A, then give Key A to server B, which will return the PAN to the client (provided authentication was sucessful). Server A will only ever encrypt Key A with Server B's public Key, as it will have it beforehand. Server B will probably have to send a salt first though, however I doin't think that has to be encrypted

I havn't really thought about any implementation (i.e. coding) specifics yet regarding the above, however the solution is using Java's Cajo framework (wrapper for RMI) so that is how the servers will communicate with each other (Currently, membership details are transfered in this way).

The reason why I want Server B to do the decryption, and not the client, is that I am afraid of decryption keys going into the client's RAM, even though it's probably just as bad on the server...

Can anyone see anything wrong with the above design? It doesn't matter if the above has to be changed.

Thanks

jtnire

+1  A: 

If Server A is hacked - this meansI baically can still get all credit cards in clear text, or? I have access then to all individual KEY a information that i need to access every credit card.

TomTom  2010-03-24 11:04:29
Sorry, I forgot to mention, that the decryption key is a combination of Key A + Key B.
jtnire  2010-03-24 11:21:32
A: 

You might be interested in reading the Bytemark Blog entry on how they store credit card information. Unfortunately, there's no direct link.

The post is on page two at the moment, search for "Proper credit card processing on the cheap".

The gist is that the server holding the card information will not divulge the numbers; the allowed operations are "Add new card", "Update or remove existing card" and "Charge a card" -- the server connects to the payment processor itself.

Andrew Aylett  2010-03-24 11:23:42
There is no payment processing or transactions involved
jtnire  2010-03-24 11:26:28
I'm sure there must be somewhere (even if not in this system), otherwise why are you storing credit card details?
Andrew Aylett  2010-03-24 11:46:59
You are correct, not in this system. The numbers get manually entered into a dial up credit card machine
jtnire  2010-03-24 11:49:48
+3  A: 

As a preface, you're going to have a nightmare of a time developing this and going through PCI compliance. It would definately be worth considering alternatives, such as using a Payment Service Provider that can store these card details for you, and perform ad-hoc authorisation/settlement using Token Ids (rather than keying them in through a 'dialup credit card machine' that you described)

If you chose to ignore that advice and go the PCI route, then at least make sure to get a PCI approved Qualified Security Assesor (QSA) involved as early as possible, to approve of whatever designs you come up with. PCI isnt something you should 'try to comply with as much as you can', its an all or nothing thing unfortunately!

That said though, one way to tackle this would be to have a key serving application running on box A. This application requires entry of two 'key administration' keys, which when xor'd together form a Master Key. Master Key is only ever stored in RAM, never persisted to disk.

The application generates Key Encrypting Keys, which are stored on box A, encrypted by the Master Key. The KEK is generated automatically (its not something that a user keys in). The KEK can be persisted to disk on box A, encrypted by the Master Key.

Card details are stored on box B. This box also stores the Data Encryption Key, which is used to perform symmetric encryption of the card details. The DEK is itself stored in an encrypted format, encrypted with the Key Encrypting Key from box A.

The application that performs encryption/decryption should be on box B, and authenticate itself to box A before requesting the KEK. The KEK is then used to decrypt the DEK, and encryption/decryption can then take place.

PaulG  2010-03-24 13:04:53
Thanks for the advice. Unfourtunately, getting a 3rd payment provider isn't an option in this case. That's a good way to go about it. Is there any way to avoid box B communicating directly with box A? Like could this "authentication" could through the client? Reason being is that I have additional controls in place that would prevent box B accessing any machines not on the network.
jtnire  2010-03-24 13:14:29
Oh and once both administartors have entered their keys into box A, that machine can run without any intervention, right? (Until the next reboot of course)
jtnire  2010-03-24 13:17:11
And I'm guessing the DEKs are made automatically by box B, for each record stored? Also, is there anything wrong with my plan above? I'm not saying mine is correct (I don't know), but where does the fault lie? Thanks
jtnire  2010-03-24 13:20:21
BTW, I think Box A, as you have described above, is exactly what StrongKey does, so maybe I could use that??
jtnire  2010-03-24 13:22:00
Key management is (as you see from the flood of questions!) a massively complicated subject. http://stackoverflow.com/questions/1583553/how-to-properly-do-private-key-management has some reference material, but the best advice I already gave - get a QSA involved asap. They will help, and ultimately its their advice you need to follow
PaulG  2010-03-24 13:41:15
jtnire  2010-03-24 14:07:14
Im familiar with Strongkey, and its pretty well respected. Bonus is that it has a Java client library. Check with your QSA for a final verdict though.
PaulG  2010-03-24 14:39:56
How does Strongkey work, compared to your description of "Box A"? I can't seem to find anywhere one their site that tells me this. Their "How StrongKey Works page" doesn't really talk about how keys are managed
jtnire  2010-03-24 15:52:52
PaulG  2010-03-24 17:04:54

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java