Mark Carroll
9/5/2014 7:26:00 AM
Robert Wessel <robertwessel2@yahoo.com> writes:
> On Thu, 4 Sep 2014 22:05:06 -0700 (PDT), b <mike7411@gmail.com> wrote:
>
>>What is the best way to store credit card data locally in an app?
>>
>>You will almost certainly want to use some type of encryption, but in the most obvious way you will have the key stored in the program. This seems like a locked house where the key is right next to the door - not very secure.
(snip)
> Best answer is *don't*, unless you absolutely have to. And if you
> have to, follow the PCI DSS standards and advice.
(snip)
Good suggestion. I worked on a project that achieved PCI compliance.
In that particular instance, the encryption key is not stored in the
program itself. Into the running program multiple users, authenticated
by their own cryptographic keys, each enter their own "part" of the
encryption key for the credit card data, and the software then combines
them and holds it in RAM only while it is actually running; also, if it
is suspected that some part of the key might have been revealed, it is
easy to generate a new key whose parts are distributed to those users,
and a re-encryption of the whole database then proceeds. (The users
interact with the program via a web interface so OWASP recommendations,
etc., were also important.)
-- Mark
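The arrangement Mark describes (several operators each holding one part of the database key, the program assembling it only in RAM, and re-keying plus re-encryption when a part may have leaked) can be sketched in code. The following is an added example written for this thread, not code from Mark's project or any PCI-certified product. It assumes an n-of-n XOR split (every holder's part is needed; any n-1 parts reveal nothing about the key) and, so that it runs on a bare Python install, uses an HMAC-SHA256 keystream with encrypt-then-MAC as a stand-in for a real AEAD such as AES-GCM; the card number in the demo is a constructed test value.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # 256-bit database key (size chosen for this example, not from the post)
NONCE_LEN = 16
TAG_LEN = 32


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key, holders):
    """Split key into `holders` parts; the key is the XOR of all of them.
    Each holder keeps one part; the program never stores the whole key."""
    if holders < 2:
        raise ValueError("need at least two key holders")
    parts = [secrets.token_bytes(len(key)) for _ in range(holders - 1)]
    last = key
    for p in parts:
        last = _xor(last, p)
    return parts + [last]


def combine_key(parts):
    """Assemble the key in memory from the parts the operators typed in.
    A missing part yields an unrelated key, which the MAC check below rejects."""
    key = bytes(len(parts[0]))
    for p in parts:
        key = _xor(key, p)
    return key


def _subkeys(key):
    # Separate encryption and MAC keys derived from the assembled database key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    # Stand-in stream cipher: HMAC(enc_key, nonce || counter) blocks. Use AES-GCM in practice.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_record(key, plaintext):
    """nonce || ciphertext || tag, with the tag covering nonce and ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_record(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered record")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


def rotate_key(records, old_parts, holders):
    """Suspected leak of a part: generate a fresh key, re-encrypt every record,
    and hand out new parts. Returns (new_records, new_parts)."""
    old_key = combine_key(old_parts)
    new_key = secrets.token_bytes(KEY_LEN)
    new_records = [encrypt_record(new_key, decrypt_record(old_key, r)) for r in records]
    return new_records, split_key(new_key, holders)


def demo():
    key = secrets.token_bytes(KEY_LEN)
    parts = split_key(key, 3)                      # three operators, one part each
    record = encrypt_record(key, b"4111111111111111|12/27")  # constructed test card data
    assembled = combine_key(parts)                 # done at startup, held in RAM only
    plaintext = decrypt_record(assembled, record)
    new_records, new_parts = rotate_key([record], parts, 3)
    return plaintext, decrypt_record(combine_key(new_parts), new_records[0])


if __name__ == "__main__":
    print(demo())
```

In a deployment the parts would be entered over the authenticated web interface Mark mentions, and the assembled key should be zeroed or dropped when the process stops; the point of the split is that no single file, operator, or source tree holds enough to decrypt the database.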