PCI Requirements for Programmers
Apr 30 2007 - 01:04:05 PM by Jonathan DeMarks
What are PCI requirements?
The PCI DSS (Payment Card Industry Data Security Standard) requirements are a set of rules designed to prevent unauthorized computer users from obtaining credit card data. "Unauthorized" includes you, the network administrators, the database administrator and almost everyone else except the company that authorizes the transaction. The first question you might have is, "How do I prevent myself from seeing something I programmed?" This and the other questions should be answered by the end of this article.
What PCI Requirements Do I Need to Worry About?
A very good question, as there are many requirements and most of them do not apply to programmers directly. Three of them land squarely on the code we write, and a few others affect us indirectly. They are Requirement 3, "Protect stored cardholder data," Requirement 4, "Encrypt transmission of cardholder data and sensitive information across public networks," and Requirement 7, "Restrict access to data by business need-to-know." (Requirement 6, developing and maintaining secure applications, applies to us as well, but it is a topic of its own.)
First I will explain each of these topics to a limited degree and explain how to best implement them.
Protect Stored Data
This refers to the protection of data "at rest," meaning cardholder data that is written to a file (yes, this includes databases). The primary account number (PAN) must be rendered unreadable wherever it is stored: by truncation, a strong one-way hash, an index token, or strong encryption with properly managed keys. Encryption can happen before the data is written (pre-encrypting) or as it is written (streaming), either by your code or by a third-party product such as database or file-system encryption. Two caveats a programmer must know: sensitive authentication data (the full magnetic-stripe contents, the CVV2/CVC2 code printed on the card, and PINs) may never be stored after authorization, encrypted or not, and the encryption key must not be stored alongside the data it protects.
Encrypt Transmission of Cardholder Data and Sensitive Information Across Public Networks
Sending your data to a client, vendor or another site over a public network? Then it must be encrypted in transit. It is best practice never to send sensitive data unencrypted anyway, so let's just say that whenever data is transmitted it goes over a secure connection, and preferably it has already been encrypted at the application layer as well. The simplest way to get the secure connection is TLS (SSL): the server's public/private key pair authenticates the server and the protocol negotiates a symmetric session key for the bulk data. Two things matter on the programmer's side: verify the server's certificate (trust chain and host name) rather than switching validation off, and require a current protocol version, since SSL 2.0/3.0 and early TLS are no longer considered strong cryptography. If you also encrypt the payload yourself, a symmetric algorithm is acceptable, but make sure it is a strong one such as AES-256 and that the key is managed as described below, not derived from a shared password.
Restrict Access by Business Need-to-Know
What does this mean? It means you, simply. Computer programmers have no need to know credit card data; neither does the CEO, or honestly anyone else. In best practice the data is only ever decrypted when it needs to be shown to the customer for verification (and then only the last four digits are displayed, the rest masked) or when it is being transmitted to the authorizing company for authorization and credit/debit.
How Does this Affect My Program?
So let's get straight to the point: what do you need to do differently? First, all cardholder data being stored needs to be encrypted. Your program can do this with whatever cryptographic providers are available to you. Microsoft's .NET environment has a rich array of them, including AES, the 128-bit-block form of "Rijndael" and the current industry-standard algorithm. Here's an example (RijndaelManaged was the AES implementation available when this was written; newer frameworks also offer AesManaged and Aes.Create()):
using System;
using System.IO;
using System.Security.Cryptography;

namespace AES256
{
    class Program
    {
        static void Main(string[] args)
        {
            // RijndaelManaged with its default 128-bit block size is AES.
            SymmetricAlgorithm key = new RijndaelManaged();
            key.KeySize = 256;
            key.Padding = PaddingMode.PKCS7;
            key.Mode = CipherMode.CBC;
            // A fresh random IV for every message. It is not secret, but it
            // must be stored or sent alongside the ciphertext, otherwise the
            // data cannot be decrypted later.
            key.GenerateIV();
            // For the demo the key is generated here and discarded when the
            // program exits. In production it comes from the key manager and
            // must never be readable by the application's developers.
            key.GenerateKey();

            MemoryStream ms = new MemoryStream();
            CryptoStream encrypt = new CryptoStream(ms, key.CreateEncryptor(), CryptoStreamMode.Write);
            byte[] PlainText = System.Text.Encoding.UTF8.GetBytes("Encrypt this.");
            encrypt.Write(PlainText, 0, PlainText.Length);
            encrypt.Close(); // flushes the final padded block
            byte[] EncryptedData = ms.ToArray();
            Console.WriteLine(string.Format("Encrypted data (b64): {0}",
                Convert.ToBase64String(EncryptedData)));

            // Decrypt with the same key and IV. Note that CBC provides no
            // integrity check: a modified ciphertext decrypts to garbage (or
            // throws a padding exception) instead of being rejected outright.
            ms = new MemoryStream();
            CryptoStream decrypt = new CryptoStream(ms, key.CreateDecryptor(), CryptoStreamMode.Write);
            decrypt.Write(EncryptedData, 0, EncryptedData.Length);
            decrypt.Close();
            byte[] DecryptedData = ms.ToArray();
            Console.WriteLine(string.Format("Decrypted data: {0}",
                System.Text.Encoding.UTF8.GetString(DecryptedData)));
            Console.ReadKey();
        }
    }
}
So, can we just use this and go about our merry business? Sadly no, as we (the programmers) still have access to the encryption key (although in this example it only lives until the program exits). What is needed here is a key-management solution.
Key Management Solution
So the code above covers the mechanics of the first two requirements, "Protect stored data" and "Encrypt transmission of cardholder data and sensitive information across public networks": it can encrypt data before it is stored and, where the transport alone is not trusted, before it is sent. Is it up to the programmers to handle restricting access to that data as mandated by the third point? Partially. This is where your people skills need to be brushed off and used, with real people, not super-people or action figures. If your company does not have a security officer at this point, it would be good to have one, as assigning responsibility for information security is itself a requirement of the standard (Requirement 12).
So what is the magical last piece that makes the whole business work? Key management and policies! Policy takes the third point away from you and puts the security officer in charge. The most you have to do is write the code that gets a key (or, better, an encrypt or decrypt operation, so that the key never leaves the key manager) from the key manager based on a policy (the currently logged-in user or the calling service is a good start), and uses it, as in the code above, to encrypt and decrypt data only where the policy allows. Nice work, you've covered the programmer's share of PCI!
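As an added example, not the article's code, here is the need-to-know and key-management arrangement just described, together with the at-rest encryption from the "Protect Stored Data" section, in Go; the language was chosen so the example runs stand-alone with the standard library, and the structure carries over to .NET directly. The KeyManager type, its roles ("developer", "checkout", "authorization-service") and the in-memory policy table are assumptions that stand in for a real key-management product: in a deployment the key lives inside that product and the security officer owns the policy. The example also goes beyond the article's CBC code in two ways: it uses AES-256-GCM, so a modified ciphertext is rejected rather than decrypted to garbage, and it stores the IV (nonce) with the ciphertext, which the article's code does not do.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Principal is whoever asks the key manager to do work. The roles are assumed.
type Principal struct{ Name, Role string }

var ErrNotAuthorized = errors.New("policy: principal may not perform this operation")

// KeyManager stands in for the external key-management product (assumed, not a
// real API). The AES-256 key lives only inside it: callers get encrypt/decrypt
// operations, never the key bytes, and each call is checked against the policy.
type KeyManager struct {
	aead   cipher.AEAD
	policy map[string]map[string]bool // role -> operation -> allowed
}

func NewKeyManager() (*KeyManager, error) {
	key := make([]byte, 32) // 256-bit key; in production it never leaves the appliance
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)  // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block) // authenticated: tampering is detected, unlike bare CBC
	policy := map[string]map[string]bool{ // owned by the security officer, not the programmer
		"checkout":              {"encrypt": true},
		"authorization-service": {"encrypt": true, "decrypt": true},
		// "developer" has no entry: need-to-know gives programmers nothing.
	}
	return &KeyManager{aead: aead, policy: policy}, nil
}

// Encrypt returns nonce || ciphertext || tag. GCM needs a fresh random nonce
// per call, and the nonce is stored with the ciphertext so Decrypt can find it.
func (km *KeyManager) Encrypt(p Principal, plaintext []byte) ([]byte, error) {
	if !km.policy[p.Role]["encrypt"] {
		return nil, ErrNotAuthorized
	}
	nonce := make([]byte, km.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return km.aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt splits off the nonce and verifies the tag before returning anything.
func (km *KeyManager) Decrypt(p Principal, blob []byte) ([]byte, error) {
	if !km.policy[p.Role]["decrypt"] {
		return nil, ErrNotAuthorized
	}
	ns := km.aead.NonceSize()
	if len(blob) < ns+km.aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return km.aead.Open(nil, blob[:ns], blob[ns:], nil)
}

// CardRecord is the row that reaches the database: the full PAN only in
// encrypted form, the last four digits in the clear for receipts and screens.
type CardRecord struct {
	LastFour     string
	EncryptedPAN []byte
}

func StoreCard(km *KeyManager, p Principal, pan string) (CardRecord, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return CardRecord{}, errors.New("PAN length out of range")
	}
	blob, err := km.Encrypt(p, []byte(pan))
	if err != nil {
		return CardRecord{}, err
	}
	return CardRecord{LastFour: pan[len(pan)-4:], EncryptedPAN: blob}, nil
}

// PANForAuthorization is the one place the full number is ever recovered.
func PANForAuthorization(km *KeyManager, p Principal, rec CardRecord) (string, error) {
	pan, err := km.Decrypt(p, rec.EncryptedPAN)
	if err != nil {
		return "", err
	}
	return string(pan), nil
}

func main() {
	km, err := NewKeyManager()
	if err != nil {
		panic(err)
	}
	rec, _ := StoreCard(km, Principal{"web-checkout", "checkout"}, "4111111111111111") // constructed test PAN
	fmt.Printf("stored: last four %s, %d ciphertext bytes\n", rec.LastFour, len(rec.EncryptedPAN))
	_, err = PANForAuthorization(km, Principal{"jonathan", "developer"}, rec)
	fmt.Println("developer asks for the PAN:", err)
	full, err := PANForAuthorization(km, Principal{"auth-svc", "authorization-service"}, rec)
	fmt.Println("authorization service asks for the PAN:", full, err)
}
```

The point of the shape is that the program's own code path never holds the key and never decides who may decrypt: the policy table is the security officer's, the key is the key manager's, and the developer running the program gets ErrNotAuthorized for the very data the program stores.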
Possible Key Management Solutions
So I've laid out this key management product as the solution to all of your problems, but where do you get one? As a programmer you can make one, but if you're tight on time the one I recommend is Ingrian. I do not work for them, but from all of my research they sell a good product, if a somewhat expensive one. If you decide to go that route, talk to George Mills and tell him Jonathan DeMarks sent you; he's a nice guy and he will work with your business.
Summary
Hopefully that was not too much to take in. PCI is quite simple in principle but requires a little bit from everyone in your business. Just remember to encrypt (or otherwise render unreadable) sensitive data whenever it is at rest, use a key-management solution, and let the security officer decide who has access to what. That way you can write a program that manipulates data even you don't have access to.