Forum OpenACS Q&A: Re: Using openssl to encrypt/decrypt strings

Posted by Chris Davies on
CISP from Visa has very specific recommendations regarding the storing of credit card data.

Search for November 2002 Operating Guidelines and it should find a PDF that details the requirements you should follow.

Also, if I recall, violation of the statutes that they have set forth carries a $50000 USD fine for the first occurrence, a $100000 USD fine for the second occurrence and management can then set the fine level.  Terms are based on a 12 month rolling period.

Mastercard and American Express have similar recommendations but Visa is by far the most strict.

Basically, if you store the card number, it must be stored on a machine that cannot be directly hit from the internet, and storing the CVV2 number is also not allowed.  If I recall, the recommendation is for Triple DES if you must store the card data.

You might check your gateway provider, although I don't believe verisign has any one-click capabilities.

As for the password, what older processes used to do was require manual entry when the server process was restarted -- that way it was only in memory.  Storing it anywhere on a filesystem is probably not a good idea.

If you are running linux, you might take a look at some of the SELinux patches with the secure filesystems.

Posted by Jerry Asher on
Interesting.  Thanks, I'll look for that.  I would prefer not to store them....

Posted by Jerry Asher on
Here's the basic information: http://usa.visa.com/business/merchants/cisp_index.html, with an interim PDF questionnaire/checklist at http://usa.visa.com/media/business/cisp/ComplianceQuestionnaire.pdf

However, it's actually pretty weak. The fines are stiff, but since I assume they don't want to shut down so many customers, the requirements as suggested or implied in these two docs (the final statement of requirements hasn't been posted) put up a show, but not much more.

The two suggest (but don't seem to require?) that there should be a NAT firewall between the machine and the net, that your machine be kept up to date, that passwords are stored encrypted and cc info stored encrypted, that you have various security policies in place, and basically that you use SSL for any communication transmitting cc information. It's not clear if telnet or rlogin are allowed (but which ACS user is still accepting them for incoming connections?)

IANAL, but it appears an openssl des3 encryption, ns_openssl, some form of firewall including a SOHO NAT router and a bunch of policies will do the trick.

Who needs the CVV2 (the 3 digits on the back of the card) information? Verisign's payment gateway sure doesn't, so there's no need to store it in the db.

Thanks for pointing this out. I will use des3 and not bf, and I will point the document and the fines along to the client.
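A shell example of the openssl des3 round trip the thread settles on, combined with the earlier point about entering the passphrase at startup rather than storing it on the filesystem. This is added here and is not code from the thread, OpenACS or ns_openssl; it assumes openssl 1.1.1 or newer (for -pbkdf2), and the function names, passphrase and card number are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: DES3 encrypt/decrypt of a string with
# the openssl CLI, passphrase supplied through the environment rather than a
# file or argv. Assumes openssl 1.1.1 or newer (needed for -pbkdf2).

# cc_encrypt VARNAME PLAINTEXT -> base64 ciphertext on stdout.
# -pass env:VARNAME makes openssl read the passphrase from $VARNAME, so it
# never shows up in `ps` output or on disk; -salt plus -pbkdf2 replaces the
# weak legacy key derivation openssl otherwise warns about.
cc_encrypt() {
  printf '%s' "$2" | openssl enc -des3 -salt -pbkdf2 -a -A -pass "env:$1"
}

# cc_decrypt VARNAME BASE64 -> plaintext on stdout; non-zero exit status
# (and "bad decrypt" on stderr) when the passphrase does not match.
cc_decrypt() {
  printf '%s' "$2" | openssl enc -d -des3 -pbkdf2 -a -A -pass "env:$1"
}

# Operator entry at process start, as described in the thread: read the
# passphrase from the terminal without echo and keep it only in memory.
# read_key_into VARNAME (interactive; not exercised by the demo below).
read_key_into() {
  printf 'Card-data passphrase: ' >&2
  stty -echo; read -r _k; stty echo; printf '\n' >&2
  eval "$1=\$_k; export $1"; unset _k
}

# Constructed demo values; 4111111111111111 is the well-known Visa test PAN.
CC_KEY='constructed-demo-passphrase'; export CC_KEY
ct=$(cc_encrypt CC_KEY '4111111111111111')
echo "ciphertext: $ct"
echo "decrypted:  $(cc_decrypt CC_KEY "$ct")"
```

Note that on OpenSSL 3 `-des3` is still in the default provider, whereas `-bf` (Blowfish) was moved to the legacy provider and needs `-provider legacy` to run at all.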