I've been tasked with handling some credit card data storage.
After reading the PCI compliance questionnaire ( including the NIST 800-57)
and some googling ive found few resources that are both (kinda) recent and compliant.
Here are some resources ive found:
http://www.dijksterhuis.org/creating-salted-hash-values-in-c/
http://msdn.microsoft.com/en-us/magazine/cc164054.aspx
Is there a best .NET algorithm for credit card encryption?
My Question:
The basic coding logic for encrypting and decrypting the information seems to boil down to the way Yossi does it here:
http://yossi-yakubov.blogspot.com/2010/07/aes-encryption-using-c-short-way.html
Am i correct ? Any more 'standards compliant' methods ? Any other resources someone can recommend?
Thanks alot
UPDATE
I dont need to transmit the credit card numbers - i need to recieve and encrypt them for storage in the DB.
If this data ever gets transmited it is always done over HTTPS ( so im good in that respect right ? )
Yes i missed this important information when i first posted - but thanks alot for the quick replys, really.
It sounds scary that someone outside of a certified credit card institute tries to save this information, no matter if encrypted or unencrypted (I assume that it's not one-way encrypted).
Does your business case really require that? Does your company really want to take the risk of storing credit card numbers?
I see a lot of answers related to "you shouldn't store credit cards". Remember, a lot of monthly subscription business' require this. You have to develop your own software to do it, or use 3rd party software that does it.
Another example is a retail location having a customer base where the clients setup for monthly auto-withdrawal. This is common in different types of business' where monthly costs occur. E.g., dance lessons for kids.
Related
For my first internship I have to do some awesome stuff with European tachograph readers.
In short: I have to use a smart card reader to read a contacted (not a radio smartcard) ISO 7816 company card to read out the unique identifier of that card. Nothing else. I then have to sent that Identifier together with the answer-to-reset to somewhere else, where it is processed, answered, and then some data talk up and down.
No code is there, I have to build everything including the server somewhere in the future. For now, I focus on the card part. I started from scratch and was asked to use C# for this. I use the PCSC-lite library on Linux and can already communicate with the card. I am able to get the answer-to-reset codes and was able to do some other stuff with the smartcard which is not important for my question. I also read most of the ISO 7816 datasheets. Especially the parts that seemed important to me. My code reads back the responses and checks what sw1 and sw2 is. So I can read debug info. So I would like to think that I've at least got some basics covered...
I'm the only one in the company who can do this stuff.. Or should be able to do this. And I'm down on my last breath.
Could somebody, who has any experience in the field. Please explain in simple terms to me:
1. How the memory on such a card is build up
2. How to acces the memory
3. Which APDUs and in which order to send them to get the unique card identifier (or point me in the direction to where I can find a memory map or something)
For question one I specifically mean: I know the data structure seems to work with EF's which i need to "select" and than try to extract data using the correct apdu's. But I don't really understand how it works or how the memory structure is build. I've read the ISO files, but they are a bit difficult for me. Maybe if I get some help, I understand them better.
For question two I specifically mean: Under normal circumstances, what Apdu's and in what order should I send them, to access a piece of memory.
I already read a lot on stack overflow on the subject but couldn't find an answer that worked for me.
I will be forever in your debt and you've helped a student if you are so kind to answer my question :)
Oscar
I'm not sure, whether I understand your question (and I work with smart cards for many years). There is no free-floating available memory on a file-system based smart card (as opposed to dumb memory cards like SLE44), you can only access it via files (EFs in that case). While one can in principle create new files, real life cards require specific authentications for that and you are unlikely to have the keys for those.
Which files already exist (and which data is stored in which record/offset/data object) is given in the specification, in your case in one of the specifications to found here. The used specification is essential, because the card itself could support many applications, and tachograph is just one of them. As soon as you know, where the data is, you have to create the corresponding SELECT / READ RECORD / READ BINARY commands.
I am in a bit of a crisis here. I would really appreciate your help on the matter.
My Final Year Project is a "Location Based Product Recommendation Service". Now, due to some communication gap, we got stuck with an extremely difficult algorithm. Here is how it went:
We had done some research about recommendation systems prior to the project defense. We knew there were two approaches, "Collaborative Filtering" and "Content Based Recommendation". We had planned on using whichever technique gave us the best results. So, in essence, we were more focused on the end product than the actual process. The HOD asked us what algorithms OUR product would use? But, my group members thought that he meant what are the algorithms that are used for "Content Based Recommendations". They answered with "Rule Mining, Classification and Clustering". He was astonished that we planned on using all these algorithms for our project. He told us that he would accept our project proposal if we use his algorithm in our project. He gave us his research paper, without any other resources such as data, simulations, samples, etc. The algorithm is named "Context Based Positive and Negative Spatio-Temporal Association Rule Mining" In the paper, this algorithm was used to recommend sites for hydrocarbon taps and mining with extremely accurate results. Now here are a few issues I face:
I am not sure how or IF this algorithm fits in our project scenario
I cannot find spatio-temporal data, MarketBaskets, documentation or indeed any helpful resource
I tried asking the HOD for the data he used for the paper, as a reference. He was unable to provide the data to me
I tried coding the algorithm myself, in an incremental fashion, but found I was completely out of my depth. I divided the algo in 3 phases. Positive Spatio-Temporal Association Rule Mining, Negative Spatio-Temporal Association Rule Mining and Context Based Adjustments. Alas! The code I write is not mature enough. I couldn't even generate frequent itemsets properly. I understand the theory quite well, but I am not able to translate it into efficient code.
When the algorithm has been coded, I need to develop a web service. We also need a client website to access the web service. But with the code not even 10% done, I really am panicking. The project submission is in a fortnight.
Our supervisor is an expert in Artificial Intelligence, but he cannot guide us in the algorithm development. He dictates the importance of reuse and utilizing open-source resources. But, I am unable to find anything of actual use.
My group members are waiting on me to deliver the algorithm, so they can deploy it as a web service. There are other adjustments than need to be done, but with the algorithm not available, there is nothing we can do.
I have found a data set of Market Baskets. It's a simple excel file, with about 9000 transactions. There is not spatial or temporal data in it and I fear adding artificial data would compromise the integrity of the data.
I would appreciate if somebody could guide me. I guess the best approach would be to use an open-source API to partially implement the algorithm and then build the service and client application. We need to demonstrate something on 17th of June. I am really looking forward to your help, guidance and constructive criticism. Some solutions that I have considered are:
Use "User Clustering" as a "Collaborate Filtering" technique. Then
recommend the products from similar users via an alternative "Rule
Mining" algorithm. I need all these algorithms to be openly available
either as source code or an API, if I have any chance of making this
project on time.
Drop the algorithm altogether and make a project that actually works
as we intended, using available resources. I am 60% certain that we
would fail or marked extremely low.
Pay a software house to develop the algorithm for us and then
over-fit it into our project. I am not inclined to do this because it
would be unethical to do this.
As you can clearly see, my situation is quite dire. I really do need extensive help and guidance if I am to complete this project properly, in time. The project needs to be completely deployed and operational. I really am in a loop here
"Collaborative Filtering", "Content Based Recommendation", "Rule Mining, Classification and Clustering"
None of these are algorithms. They are tasks or subtasks, for each of which several algorithms exist.
I think you had a bad start already by not really knowing well enough what you proposed... but granted, the advice from your advisor was also not at all helpful.
I have a large subset of encrypted word documents which i need to process with out knowing the encryption password.
From looking around online, it seems that there are several services which strip the encryption from a file. This is a perfect solution for my needs, but due to security/privacy reasons, i can't send the files to a 3rd party to be decrypted.
Can any one help me with any resources to point me in the right direction for removing encryption from office documents?
Edit For those with concerns on legality. While you have no reason to trust me, this question relates to working with conversion of legacy data into new systems, and is with in legal/moral bounds what the of the owner of the data wants done to it.
First and foremost, i would like to say i am very disappointed with the response i got to my question. Is my questions questionable in morality? Yeah it might be, but i am not asking for anything that isn't already out on the web.
For anyone else who finds themselves in the same predicament, here are some good starting points:
BlackHat-EU-2010-Filiol-Office-Encryption-slides.pdf
Office File Formats
As for my work on this, the linked document doesn't produce a viable solution in my case. We decided to shift our entry point to reading the heap for the specific application.
"while the hospitals hired us for the processing of their data, their IT departments are less then competent to provide us with all the required information on the storage of their data."
If you've got HIPPA privacy concerns with data that keeps you from outsourcing the removal of document protection, you'll need to get past the security with the internal IT resources who, if competent enough to add protection, should be prepared to bypass it.
Is there an API or Web Service that can be used to read AIS data? Most links I read starting at Wikipedia (http://en.wikipedia.org/wiki/Automatic_Identification_System) say that AIS data is freely available but I'm having a hard time finding a provider of the data. A C# example or language agnostic web service would be helpful.
Building a project map for a clients website. Basically a world map based on the google maps api with pin's where they did their projects and if you click on a pin you get additional information about the project.
Most were just static addresses which was ok, but they did 6 project's on luxury yachts. So had the idea to base this marker on the current position of the yacht. Came across this service, they have a nice API for it.
https://www.marinetraffic.com
The down side to this, it's a bit pricey.
Cheapest option, checking daily position of 1 ship -> € 5,- a month.
So this would be € 30,- a month for a relative useless but awesome feature.
Cheaper alternative's are welcome.
I ended up using vesseltracker.com for this project. Unfortunately it's a "call us for a price" service so I'll continue looking for a provider with a flat/reasonable/free rate.
There is a feed from the San Fransisco Bay available for non-commercial use at hd-sf.com:9009.
I have used it to test my Java-based AIS decoder https://github.com/tbsalling/aismessages/wiki.
AIS data is freely available in the sense that you can freely receive it with the proper equipment, just by holding up an antenna in an area with shipping traffic.
Samples of received AIS data popped up quite a bit in my brief Google search, so I assume that your question is about where to get a real-time feed of AIS messages (that someone else is receiving). Whether you'd be able to get this at no cost is questionable; most organizations that would offer this seem to want you to either pay for the service or to share in kind.
There are a few places that offer a free stream, but none of them seem to offer any guarantees on availability in the short or long term.
So the answer to your question is "yes, and you should expect to pay something for it".
I have a business requirement that forces me to store a customer's full credit card details (number, name, expiry date, CVV2) for a short period of time.
Rationale: If a customer calls to order a product and their credit card is declined on the spot you are likely to lose the sale. If you take their details, thank them for the transaction and then find that the card is declined, you can phone them back and they are more likely to find another way of paying for the product. If the credit card is accepted you clear the details from the order.
I cannot change this. The existing system stores the credit card details in clear text, and in the new system I am building to replace this I am clearly not going to replicate this!
My question, then, is how I can securely store a credit card for a short period of time. I obviously want some kind of encryption, but what's the best way to do this?
Environment: C#, WinForms, SQL-Server.
Basically avoid by all means taking the responsiblity to save the CC details on your side, however I can assume you are using a thirdparty service to do your transaction such as PayPal/Verisign or whatever, most of them have API's that enables you to save CC credentials at their side, and they give you back a key that you can then use later to complete or initiate transactions, so they take care of the hard part, while all what you have to do is store this string key in your DB.
I don't believe it's actually illegal to store CVV info (in the sense that it's against any law), but it does violate Payment Card Industry rules, and they could impose any number of different sanctions. So, your requirements could actually result in you not being able to accept credit cards ;-(
Andrew, you need to understand the PCI-DSS, no small task. Personally, I find it extremely vague but here is what I understand.
First off, from the scenario you describe I would attempt to authorize the card for the full amount and then if that failed I would store the customer's information (but not the cardholder data) so someone could contact the user. Where I use to work some of our customers would only charge $1.00 and then void the transaction immediately, just to make sure the card was valid. They would then process all orders manually.
Where you will need to store the number is on a successful authorization. The only number you need then is the credit card number and the transaction code (at least with every gateway I have ever worked with).
The standard, last time I looked at it, is not specific on encryption algorithms but instead makes it clear it should be currently unbreakable encryption.
Now, one thing you cannot do is store the CCV subsequent to authorization. My understanding is that you can store it prior to authorization but I could never get anyone that would put that in writing. Basically, you authorize the card, you better wipe it.
And it is not illegal at this point but if you get nailed they will bring the hammer down on you. They have within their authority to level heavy fines against you, but it seems like what they usually do is put you in remediation. If you don't comply I don't know what happens because everyone I have heard this happening to complied. But then they really go up your booty with a microscope.
Ultimately, I believe their only stick they really have is to prevent you from accepting credit cards. Most merchants I have worked with were scared to death of exactly that.
If you just want to store the string for a short period of time in memory, you can take a look at System.Security.SecureString.
Taken from this answer:
SecureString values are stored encrypted (obfuscated, rather), but most importantly, they are never swapped to disk and can be disposed of immediately when you're done with them.
They're tricky to use because you can only build them one character at a time (to encourage you to build them by capturing keystrokes as the user types their password), and require three lines of code to recover and then wipe their plain text, but when used properly they can make a program more secure by avoiding the virtual-memory vulnerability.
At the end of the example the SecureString is converted into a regular managed string, which makes it vulnerable again (be sure to use the try-catch-finally pattern to Zero the string after you're done with it). SecureString's use is in reducing the surface-area of attack by limiting the number of copies the Garbage Collector will make of the value, and reducing the likelihood of being written to the swap file.
// Make a SecureString
SecureString sPassphrase = new SecureString();
Console.WriteLine("Please enter your passphrase");
ConsoleKeyInfo input = Console.ReadKey(true);
while (input.Key != ConsoleKey.Enter)
{
sPassphrase.AppendChar(input.KeyChar);
Console.Write('*');
input = Console.ReadKey(true);
}
sPassphrase.MakeReadOnly();
// Recover plaintext from a SecureString
// Marshal is in the System.Runtime.InteropServices namespace
try {
IntPtr ptrPassphrase = Marshal.SecureStringToBSTR(sPassphrase);
string uPassphrase = Marshal.PtrToStringUni(ptrPassphrase);
// ... use the string ...
}
catch {
// error handling
}
finally {
Marshal.ZeroFreeBSTR(ptrPassphrase);
}
If you are going to store credit card information you really need to be PCI compliant or you're just asking for trouble.
Having said that look at the cell level encryption available in SQL Server 2005 and above. Coincidentally :) I have recently given a presentation with T-SQL samples on encryption with SQL Server 2005/2008 available here: http://moss.bennettadelson.com/Lists/Events/Attachments/9/June2008.zip (Link location updated December 23, 2008)
Agreed that you should avoid storing the data if you can. But maybe you are that third party? If so, get familiar with PCI standards. Look around a bit on the site and you'll find the security measures you are required to implement.
It costs somewhere in the neighborhood of $30,000 to become properly compliant and to be able to do that kind of stuff. You are better off using a 3rd party payment service. Personally, I recommend Element Express, and they have a "Hosted" solution that bypasses the PCI-DSS PAPDB compliance. I've had to convert to this for my own applications, even a Point of Sale machine!!! It's a big pain, but we're a small company.
http://www.elementps.com/software-providers/our-security-edge/hosted-payments/PA-DSS-Certification-vs-Elements-Hosted-Payments/
The above link has some good information about the costs associated with becoming compliant. We have had customers ask us to store credit card numbers, and we won't do it because we could be fined as well. Not good. Don't open yourself up to liability.
Edit:
Additionally, if you DO decide to store the credit card information you definitely need to consider the forms of encryption you are going to use. Symmetric ? Asymmetric ?
If you do Symmetric encryption (Passkey) then you open yourself up to some serious security vulnerabilities if the server(site) that has the key (needed to encrypt) is compromised in any way. Remember, even compiled code won't hide a text key.
If you use Asymmetric encryption (public/private keypairs) then you run into some additional issues, but if the primary public facing server is compromised they will only have the public key, and if they also access your database.. they won't be able to decrpyt the contents.
The question then is, where do you store the private key ? Do you have someone paste it in from their local computers when running admin functions.. have a separate application that runs on the desktop to view orders, etc.
There are a lot of things to take into consideration.
Final note: Use a payment gateway (Element Express, Authorize.NET, Paypal, etc.) and don't store any credit card info locally. :P
Here is a link about using X509 Asymmetric Encryption in C#: http://www.csharpbydesign.com/2008/04/asymmetric-key-encryption-with.html
Lets look at the requirement a little differently. Currently it looks like this:
As a product owner for website X i want the system to temporarily store a customers cc details so that i can recover a sale that was declined by the CC company
Ppl tend to think like that and request features in that manner. Now i think your requirement is more conveniently described as follows:
As a user i want website X to be able to retry payment for my purchase so i dont have the hassle of having to go thru the checkout process again coz that is a real pain in the...
So there's no explicit requirement for storing anything (on your side) is there? Its only implied
Payment providers can provide programmatic APIs to your merchant account and the ability to attempt a re-auth on a declined attempt. i think #bashmohandes eluded to this earlier
Not all payment providers can do this however i think its dependent on their relationships with the banks involved. Thats the stuff you want to avoid ie. having a close relationship with banks.
Scenario 1: Assuming all i said is true
You don't have to store anything but a reference to the authorization attempt. Some payment providers even give you a sweet backoffice tool so you dont have to make your own to do re-auths. I think paygate does this
Your best bet i believe is to interview a number of payment providers. they should know this stuff like the back of their hands. This is potentially a zero-code solution
Scenario 2: Assuming i'm like totally wrong but legally this storing CC stuff is ok
So you have to store that data somewhere temporarily. I advise:
use a 2-way encryption method (naturally) that is non-vendor specific so you can use any language/platform to encrypt/decrypt
decouple the encrypt/decrypt service from your app and treat it like a black box
use public/private keys for authentication to this service
put this machine on a private network with its own elevated firewall rules (doesn't have to be a hardware firewall but hardware is better)
have your app servers communicate with this machine via ssl (you could get away with a self-signed cert since its on your private LAN)
All i've suggested in scenario 2 is hurdles but eventually persistence wins the race to get to your data. The only way to absolutely secure data is to unplug your server from the ether but that option is a little radical :-)
Scenario 1 would be nice. Wouldn't it?
Consider your t logs!
If you explain to your customer the full impact (and remedial requirements if they are found out of compliance) then trust me, your 'business requirements' will change very quickly.
If you must store the credit card number (and I advance the thought here that there is no reasonable scenario where you should) and you intend to use a native encryption built-in to your database, then consider this: what about your transaction logs?
If your transaction logs could reflect a credit card number in the clear, then you are out of compliance and should budget for a $10,000 to $50,000 forensic audit at your site if you get caught. Budget for your own attorney in case your customer sues you because you should have known all this stuff.
So if you are going to store a credit card number, run the cipher in code so the transaction logs (insert or update) reflect a ciphered string, not the card number in the clear.
And don't even have a field or column in your database for CVV - encrypted or not - that forensic audit will reveal this (so will the logs) and then your customer is in BIG, BIG trouble. They will pay a fine and could lose their ability to accept credit cards. Your attorney will be very happy.
I have a blog post that deals with this exact situation of storing sensitive data in the database. The blog post uses a String Encryptor class that I built using a Triple DES algorithm but you can plug in your own if you would like.
The blog post contains the video and source code that was used. You can check it out at http://www.wrightin.gs/2008/11/how-to-encryptdecrypt-sensitive-column-contents-in-nhibernateactive-record-video.html. I think it will definitely solve your issue.