简体繁体 English

有人在存储信用卡数据 - 他们是如何做到的？

[英]Somebody is storing credit card data - how are they doing it?

原文 2010-03-16 23:53:48 2 11 security/ encryption/ credit-card

Storing credit card information securely and legally is very difficult and should not be attempted . 安全合法地存储信用卡信息非常困难，不应该尝试。 I have no intention of storing credit card data but I'm dying to figure out the following: 我无意存储信用卡数据，但我很想弄清楚以下内容：

My credit card info is being stored on a server some where in the world. 我的信用卡信息存储在世界上某个地方的服务器上。 This data is (hopefully) not being stored on a merchant's server, but at some point it needs to be stored to verify and charge the account identified by merchant submitted data. 该数据（希望）不会存储在商家的服务器上，但在某些时候需要存储该数据以验证并收取由商家提交的数据识别的帐户。

My question is this: if you were tasked with storing credit card data what encryption strategy would you use to secure the data on-disk? 我的问题是：如果您的任务是存储信用卡数据，您将使用哪种加密策略来保护磁盘上的数据？ From what I can tell submitted credit card info is being checked more or less in real time. 据我所知，提交的信用卡信息正在或多或少地实时检查。 I doubt that any encryption key used to secure the data is being entered manually, so decryption is being done on the fly, which implies that the keys themselves are being stored on-disk. 我怀疑用于保护数据的任何加密密钥都是手动输入的，因此解密正在进行中，这意味着密钥本身存储在磁盘上。 How would you secure your data and your keys in an automated system like this? 您如何在这样的自动化系统中保护您的数据和密钥？

11 个解决方案

If I was storing the number, I would be a giant service provider with a massive database. 如果我存储该号码，我将成为一个拥有庞大数据库的巨型服务提供商。 That database is spread across a highly-redundant storage array consisting of multiple cabinets, in separate rooms or ideally in separate geographical locations, connected by a SAN. 该数据库分布在一个高度冗余的存储阵列中，该阵列由多个机柜组成，位于不同的房间或理想情况下位于不同的地理位置，由SAN连接。 My biggest insider threat is the distributed physical plant, the constant stream of worn-out drives, and several daily shifts of technicians, administrators, and engineers. 我最大的内部威胁是分布式物理工厂，不断磨损的驱动器，以及技术人员，管理员和工程师的每日轮班。 It's a huge threat. 这是一个巨大的威胁。

Therefore I would encrypt the data on a physically-isolated computer that connects to the mass storage over a network. 因此，我会在通过网络连接到大容量存储的物理隔离计算机上加密数据。 The software would be as simple as possible: encryption and number verification. 该软件将尽可能简单：加密和数字验证。 The public interfaces and business logic goes elsewhere. 公共接口和业务逻辑在其他地方。 Accesses would be logged to a separate SAN. 访问将记录到单独的SAN。

Encrypt with something like AES. 用AES之类的东西加密。 The raw AES key is only ever stored in RAM. 原始AES密钥仅存储在RAM中。 The key is wrapped in a PGP file for each administrator, who has their own passphrase to enable the server. 密钥包含在每个管理员的PGP文件中，每个管理员都有自己的密码来启用服务器。 Less-trusted personnel can be given partial passphrases to use in disaster recovery, or passphrases can be stored in a vault somewhere. 可以为不太信任的人员提供部分密码以用于灾难恢复，或者密码短语可以存储在某个地方的保险库中。 For encryption, pick a unique initialization vector (IV) for each card number, AES-encrypt the number using that IV, and store the IV and encrypted number to the SAN. 对于加密，为每个卡号选择一个唯一的初始化向量（IV），使用该IV对该号码进行AES加密，并将IV和加密号存储到SAN。 Decryption only occurs using a privileged client interface; 仅使用特权客户端接口进行解密; normal client connections used for purchases can never get a decryption. 用于购买的普通客户端连接永远不会得到解密。

For vendors to process and store your credit card info, they generally have to get PCI certified. 对于供应商处理和存储您的信用卡信息，他们通常必须获得PCI认证。 The requirements should be outlined here . 这里应该概述要求。 Some of the requirements are very straightforward, and others are vague and open to interpretation. 有些要求非常简单，有些要求含糊不清，可以解释。 Going through the process is not fun, and a company having the certification doesn't mean your data is safe. 完成这个过程并不好玩，拥有认证的公司并不意味着您的数据是安全的。

But it's better than nothing I suppose. 但这比我想的更好。

It's quite easy to store a salted hash of a credit card number rather than the number itself for secure lookups. 存储信用卡号的盐渍哈希非常容易，而不是数字本身用于安全查找。 For 99% of the scenarios out there, this would be sufficient credit card for storage -- fast and very secure. 对于99％的场景，这将是足够的存储信用卡 - 快速且非常安全。

If you really need reversible encryption of a credit card for some scenario (continued billing, for example), I would go with a symmetric key stored in a secure location other than the database. 如果你真的需要一张信用卡的一些情况（续账单，例如）的可逆加密的，我会去与存储在除数据库外的安全位置的对称密钥。 It's been a while since I looked at PCI specs, but I'm fairly certain that's PCI compliant. 我看了PCI规格已经有一段时间了，但我相当确定它符合PCI标准。

If you need fast lookups along with reversible encryption, use both options: a hash and an encryption. 如果您需要快速查找以及可逆加密，请使用两个选项：哈希和加密。

Edit: There seems to be some controversy over my answer. 编辑：我的回答似乎有些争议。 I would like to point out the following very interesting essay from Integrity.com (PDF): 我想从Integrity.com（PDF）中指出以下非常有趣的文章：

Hashing Credit Card Numbers: Unsafe Application Practices 哈希信用卡号码：不安全的应用程序实践

It details many of the issues involved in storing a hash of credit card data, but its conclusion confirms my suggestion. 它详细介绍了存储信用卡数据哈希所涉及的许多问题，但其结论证实了我的建议。

Yes, a raw hash of the card is not secure; 是的，卡的原始哈希是不安全的; that's why we salt our hashes! 这就是我们为哈希加盐的原因！ But a static salt is also not secure, they allow the creation of rainbow tables for known static salts. 但是静态盐也不安全，它们允许为已知的静态盐创建彩虹表。 So it's best to make our salts vary in some way that is unpredictable. 因此，最好让我们的盐以某种不可预测的方式变化。 In the case of passwords, it's sufficient to use a separate, random hash for each password being checked; 在密码的情况下，对每个被检查的密码使用单独的随机哈希就足够了; it can even reside in the same table/row as the hashed password. 它甚至可以与散列密码位于同一个表/行中。 For the case of credit cards, this should be the same -- a random salt for each instance of the credit card being hashed. 对于信用卡的情况，这应该是相同的 - 每个信用卡实例的随机盐被散列。 If the credit card number is stored per transaction, a separate salt for each transaction. 如果每笔交易存储信用卡号，则每笔交易都有一个单独的盐。

There are pros and cons to this approach, but it's sufficiently secure. 这种方法有利有弊，但它足够安全。 The pros are the lack of key management; 专业人士缺乏关键管理; the salt and hash are right there, and don't need to change while still allowing for audit checks of the hash; salt和hash就在那里，不需要改变，同时仍允许对哈希进行审计检查; eg does that credit card hash match this known credit card number? 例如，该信用卡哈希匹配此已知信用卡号吗？

The cons are in search; 利弊是在寻找; it's not possible to effectively search for a particular credit card number across many transactions. 在许多交易中无法有效地搜索特定的信用卡号。

Of course, you'll have this issue with external encryption anyway; 当然，无论如何你都会遇到外部加密这个问题; unless the database is itself encrypted (something only some databases support), you won't be able to search very well. 除非数据库本身是加密的（只有某些数据库支持），否则您将无法很好地搜索。 Even then, encrypting at the database or even the table level reduces search effectiveness significantly. 即便如此，在数据库甚至表级加密也会显着降低搜索效率。

The last few times I worked with creditcard payments, you never really stored the actual CC info on your own servers. 最后几次我使用信用卡付款，你从未真正在你自己的服务器上存储实际的CC信息。 You let the Payment gateway handle that. 您让付款网关处理该问题。 What you ended up with was a transactionID that you could use to verify that the creditcard was still both valid and had the requested amount of cash available. 您最终得到的是一个transactionID，您可以用它来验证信用卡是否仍然有效并且具有所请求的现金数量。 Then once you actually packed the stuff they bought, you'd issue a capture-command to the Payment Gateway. 然后，一旦你真正打包了他们购买的东西，你就会向支付网关发出一个捕获命令。

This approach greatly simplified the process of integrating CC payments on a site, since all you ever needed to know was the transactionID for a particular customer. 这种方法大大简化了在网站上集成CC支付的过程，因为您需要知道的是特定客户的transactionID。 This ofcourse didn't allow you do to the amazon-"trick" of keeping your CC info for 1-click shopping. 这个当然不允许你做亚马逊 - “技巧”保持你的CC信息的一键购物。 If the transactionID got compromised, all it could be used for was collecting payment early, or cancelling the transaction altogether (in which case you'd find out about it when you verified that the authorization was still valid before shipping). 如果transactionID遭到入侵，它可以用于提前收款或完全取消交易（在这种情况下，当您在发货前验证授权仍然有效时，您会发现它）。 The transaction couldn't be used to collect a bigger sum than what the customer had approved already, nor would it allow someone to collect to a different account than what the "shop" was configured for. 该交易不能用于收取比客户已经批准的金额更大的金额，也不会允许某人收集到与“商店”配置的帐户不同的帐户。

Maybe not the exact answer you were looking for, but perhaps it could solve your overall issue without having to spend a fortune on security vendors. 也许不是您正在寻找的确切答案，但也许它可以解决您的整体问题，而无需花费在安全供应商的财富。

In some situations, encryption keys are stored not on disk but on some hardware device. 在某些情况下，加密密钥不存储在磁盘上，而是存储在某些硬件设备上。 Either a special encryption server is used to do the encrypt/decrypt or the decrypt is done using a key stored on, say, a hardware dongle. 使用特殊加密服务器进行加密/解密，或者使用存储在硬件加密狗上的密钥完成解密。 This way, a hacker cannot steal the decrypt keys without stealing the physical device containing them (since the key never leaves the device). 这样，黑客就不会在不窃取包含它们的物理设备的情况下窃取解密密钥（因为密钥永远不会离开设备）。

Another method I have seen is to store encrypted data in a database/datacenter that has no direct connection to the outside world (you can't hack what you can't access). 我看到的另一种方法是将加密数据存储在与外界没有直接连接的数据库/数据中心中（你无法破解你无法访问的内容）。 An interface server sits between the "secure" part of the network and the "Internet-facing"/"insecure" part of the network as a proxy. 接口服务器位于网络的“安全”部分和作为代理的网络的“面向Internet”/“不安全”部分之间。 Forcing secure traffic to funnel through this security choke point can make it more difficult for an intruder to access the secured data. 通过此安全阻塞点强制安全流量进入漏斗可能会使入侵者更难以访问受保护的数据。

Neither of these mean your data is perfectly secure, of course. 当然，这些都不意味着您的数据非常安全。

As an merchant you can choose to store the CC data in your own database or outsource it to third party providers. 作为商家，您可以选择将CC数据存储在您自己的数据库中，或将其外包给第三方提供商。
Third party providers like IPPayments or major banks like Westpac in Australia are level 1 PCI compliant. 像IPPayments这样的第三方提供商或像澳大利亚Westpac这样的主要银行都符合一级PCI标准。 For web applications you can choose to use a payment acceptance web page (presented somewhere in your customer's workflow) from them branded for your company. 对于Web应用程序，您可以选择使用支持接受网页（显示在客户工作流程中的某个位置），这些网页来自您公司的品牌。 For windows apps (eg you company's CRM app) and recurrent payments they generally have a gateway usable using their API that provide a tokenisation service, that is they accept a CC number, registers it and return an unique token that just looks like a CC number. 对于Windows应用程序（例如，您公司的CRM应用程序）和经常性付款，他们通常使用可提供令牌化服务的API使用的网关，即他们接受CC号码，注册它并返回一个看起来像CC号码的唯一令牌。 The token can be safely be stored in your DB and used for any further transactions, batch payments, reconciliation etc with the bank. 令牌可以安全地存储在您的数据库中，并用于银行的任何进一步交易，批量支付，对账等。 Of course they big issue is operational cost per transaction. 当然，他们的重大问题是每笔交易的运营成本。 For a utility that takes monthly credit card payment from a million customer the transaction cost can be substantial. 对于每月从一百万客户那里获得信用卡支付的公用事业公司而言，交易成本可能很高。

If you choose to store the CC number in your own DB triple DES encryption is sufficient. 如果您选择将CC编号存储在您自己的数据库中，则三重DES加密就足够了。 A better option is to you transparent encryption in DB as offered by Oracle advanced security or SQLServer where even the DBA cannot decrypt the CC number. 更好的选择是在Oracle高级安全性或SQLServer提供的DB中进行透明加密，即使DBA也无法解密CC号。 Then there are onerous responsibility for key management, backup, physical security, network security, SSL transmission, changing default settings of all server equipments and firewall, anti virus, auditing, security cameras and on and on ... 然后，对密钥管理，备份，物理安全，网络安全，SSL传输，更改所有服务器设备和防火墙，防病毒，审计，安全摄像机等的默认设置负有繁重的责任......

Your assumption that the merchant must store the card somehow is incorrect. 您假设商家必须以某种方式存储卡是不正确的。 Most likely, the merchant is storing a token that it received from the payment processing gateway the first time you used the card. 最有可能的是，商家正在存储您第一次使用该卡时从支付处理网关收到的令牌。 The token uniquely identifies the combination of merchant and card. 令牌唯一地标识商家和卡的组合。 Subsequently, you can make purchases from that merchant without supplying your card number again. 随后，您可以从该商家购物而无需再次提供您的卡号。 If the merchant's database is compromised, the tokens are of little value to the attacker. 如果商家的数据库遭到入侵，则令牌对攻击者来说几乎没有价值。 They're only valid for that merchant, and they can all be canceled at once when the breach is detected. 它们仅对该商家有效，并且当检测到违规时，它们都可以立即取消。

First of all if you deal with credit card numbers, you will need to become PCI-DSS compliant, and once you store numbers all 12 sections of the PCI-DSS spec will apply to you. 首先，如果您处理信用卡号码，您将需要符合PCI-DSS标准，一旦您存储了数字，PCI-DSS规范的所有12个部分将适用于您。 Thats a major cost to most organisations, and if you don't have the time, resources and financial means, you should not go down the path of storing credit card numbers. 这是大多数组织的主要成本，如果您没有时间，资源和财务手段，您不应该沿着存储信用卡号码的道路前进。

We have gained PCI-DSS compliance on a Windows based e-commerce system that stores credit cards. 我们已经在基于Windows的电子商务系统上获得了PCI-DSS合规性，该系统存储了信用卡。 It uses a 256 bit AES encryption. 它使用256位AES加密。 The key itself is encrypted using Windows DPAPI meaning it can only be decrypted by a process running under the same user account as the one that encrypted it. 密钥本身使用Windows DPAPI加密，这意味着它只能由与加密它的用户帐户相同的用户帐户运行的进程解密。 The encrypted key is stored in the registry. 加密密钥存储在注册表中。

The key is rotated every 12 months, and a backup key copy is stored broken into 3 parts A,B,C and spread over 3 USB drives, each held by a different person. 密钥每12个月轮换一次，备份密钥副本分为3个部分A，B，C，分布在3个USB驱动器上，每个驱动器由不同的人保存。 Drive 1 has A+B, Drive 2 has B+C, Drive 3 has A+C. 驱动器1有A + B，驱动器2有B + C，驱动器3有A + C. So any 2 drives are required to construct a full key (A+B+C). 因此，任何2个驱动器都需要构建一个完整的密钥（A + B + C）。 This scheme is tolerant to the loss of any 1 of the drives. 该方案可以容忍丢失任何一个驱动器。 Key parts themselves are encrypted with a password known only to the drive owner. 关键部件本身使用只有驱动器所有者知道的密码加密。

To answer your specific question, it is possible to store the credit card encryption key encrypted on disk. 要回答您的具体问题，可以存储在磁盘上加密的信用卡加密密钥。 The key encrypting key can derived from a passphrase that must be entered when the server is started. 密钥加密密钥可以从服务器启动时必须输入的密码中派生。 Shamir's secret splitting scheme can be used so that k out of N shares are required to construct the secret that will be used as key encrypting key. 可以使用Shamir的秘密分裂方案，以便构建将用作密钥加密密钥的秘密中的k个N股。 The decrypted encryption key/secret is then stored in memory. 然后将解密的加密密钥/秘密存储在存储器中。 If the server has to be restarted, then you need k shares. 如果必须重新启动服务器，则需要k份额。 This is of course a big overhead and most merchants I know do not implement this. 这当然是一个很大的开销，我认识的大多数商家都没有实现这一点。 They do however usually store the key separately from the encrypted data for some intermediate security, so access to one does not automatically mean access to the other in entirety (still very bad though). 然而，它们通常将密钥与加密数据分开存储以用于某些中间安全性，因此访问一个并不自动意味着完全访问另一个（尽管仍然非常糟糕）。

I deleted contents of my original post since that did not directly answer the question. 我删除了原帖的内容，因为没有直接回答问题。 Suffice it to say that key management and correct encryption are an important piece but still a small part of the story. 我只想说密钥管理和正确的加密是一个重要的部分，但仍然是故事的一小部分。

PCI auditors cannot possibly ensure that everything is done correctly. PCI审核员不可能确保一切都正确完成。

If you want to eliminate any credit card stealing headaches, hash them using salt values not stored in the database (in addition to salt values stored in the database). 如果您想消除任何信用卡窃取头痛，请使用未存储在数据库中的salt值（除了存储在数据库中的salt值之外）对它们进行哈希处理。 Hashing them with any modern hashing algorithm will pretty much put to rest most issues with credit card theft but it does mean consumers must re-enter their credit card on each purchase. 使用任何现代哈希算法对它们进行哈希处理几乎可以解决大多数信用卡被盗问题，但这确实意味着消费者必须在每次购买时重新输入信用卡。 Having worked on a project that dealt with storage of credit card numbers, I found that hashing them cut security review costs by an order of magnitude (granted that project was before PII concerns). 在处理了一个处理信用卡号码存储的项目后，我发现他们将安全审查成本降低了一个数量级（授予该项目是在PII关注之前）。

If you are going to use symmetrical encryption, then you enter a new realm of complication that all comes down to management and control over the decryption keys. 如果您要使用对称加密，那么您将进入一个新的复杂领域，所有这些都归结为管理和控制解密密钥。 I will say that even if you hash the credit card numbers you will still need to deal with reversible encryption since all PII(Personally Identifiable Information) must be encrypted. 我会说，即使您使用信用卡号码，您仍然需要处理可逆加密，因为所有PII（个人身份信息）都必须加密。 SQL Server 2008 has a new Extensible Key Mangement plugin architecture which lets use third-party vendor programs to manage control over the decryption keys including split keys. SQL Server 2008有一个新的可扩展密钥管理插件体系结构，它允许使用第三方供应商程序来管理对解密密钥的控制，包括拆分密钥。

For more info: Deploying SQL Server 2008 Based on Payment Card Industry Data Security Standards (PCI DSS) Version 1.2. 有关详细信息：部署基于支付卡行业数据安全标准（PCI DSS）版本1.2的SQL Server 2008。

any automated system for decrypting encrypted information is going to be completly insecure. 任何用于解密加密信息的自动化系统都将完全不安全。 By automating the process you are defeating the encryption. 通过自动化流程，您将破坏加密。 Any encrypted data should only be decrypted by a user entered secret key. 任何加密数据只能由用户输入的密钥解密。