
How to implement credit card encryption

Dave

2005-08-01, 3:23 am

Has anyone had to encrypt the credit card numbers for storage in a SQL
Server 2000 database?

We have credit card numbers stored in several tables and these values need
to be encrypted. The values are used by many different stored procs that
need the credit card number in the clear. I have an algorithm to encrypt
and decrypt the values but I am not sure of the best way to employ it.

I would like to implement encryption while re-writing as little code as
possible. I was hoping someone could share a solution that worked for them.

Thanks
Dave



Mike Epprecht (SQL MVP)

2005-08-01, 3:23 am

Hi

Our middle tier encrypts the data before it gets stored in the DB. The
problem with encrypting it in SQL Server 2000, in the DB, is that the hacker
has access to the Stored Procedure that does the encryption/decryption if he
is in the DB.

Regards
--------------------------------
Mike Epprecht, Microsoft SQL Server MVP
Zurich, Switzerland

MVP Program: http://www.microsoft.com/mvp

Blog: http://www.msmvps.com/epprecht/




Jens Süßmeyer

2005-08-01, 3:23 am

I agree with Mike, there are plenty of solutions for the middle tier (perhaps in
the .NET security namespace) but only a few and expensive ones for SQL Server. I
wouldn't do that in the DB, but in the middle tier.


--
HTH, Jens Suessmeyer.

---
http://www.sqlserver2005.de
---


Michael Cheng [MSFT]

2005-08-01, 7:23 am

Hi Dave,

Thanks for your post.

From your description, I understand you would like to know how to encrypt
data in SQL Server. If I have misunderstood your concern, please feel
free to point it out.

Since this is a consultation type issue, you can contact Advisory Services
(AS) . Microsoft Advisory Services provides short-term advice and guidance
for problems not covered by Problem Resolution Service as well as requests
for consultative assistance for design, development and deployment issues.
You may call this number to get Advisory Services: (800) 936-5200.

Based on my knowledge, SQL Server 2000 does not support data encryption
internally. You will have to find third-party tools or build the application
to implement the algorithm yourself, and use network encryption.

Check MSDN Online and KB article below for more information about network
encryption.

INF: Network Encryption Available Using the Multi-Protocol Net Library
http://support.microsoft.com/kb/132224

Net-Library Encryption
http://msdn.microsoft.com/library/d...-us/architec/8_
ar_cs_6fu6.asp

Thank you for your patience and cooperation. If you have any questions or
concerns, don't hesitate to let me know. We are always here to be of
assistance!


Sincerely yours,

Michael Cheng
Microsoft Online Partner Support

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Dave

2005-08-01, 7:23 am

Thanks guys.

But I am under the impression that we must store the values in an encrypted
form. I believe it has something to do with the SOX (Sarbanes-Oxley)
requirements. I will double check on this.

Are you saying that you store everything in the database as unencrypted and
then decrypt as necessary through the middle tier?




Jens Süßmeyer

2005-08-01, 9:23 am

We store it as encrypted and use the mid tier to decrypt it.
--
HTH, Jens Suessmeyer.

---
http://www.sqlserver2005.de
---


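The pattern Mike and Jens describe above (the application tier encrypts before the INSERT and decrypts on read, so the key and the cipher logic never live in the database where someone with DB access could read the stored procedure) as an added example in Go; this is not code from the thread. The 32-byte key source, the binding of the ciphertext to a row id as associated data, and the card number used in testing are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// CardVault lives in the middle tier and owns the key. The database
// only ever receives the output of Seal; the key never touches the DB.
type CardVault struct{ aead cipher.AEAD }

// NewCardVault takes a 32-byte AES-256 key that the application loads
// from outside the database (assumed: an HSM, key service or protected config).
func NewCardVault(key []byte) (*CardVault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &CardVault{aead: aead}, nil
}

// Seal encrypts a PAN for storage as nonce||ciphertext||tag. The row id is
// bound as associated data, so a blob copied into another row fails to open.
func (v *CardVault) Seal(rowID, pan string) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, []byte(pan), []byte(rowID)), nil
}

// Open recovers the clear PAN for the one code path that really needs it.
func (v *CardVault) Open(rowID string, blob []byte) (string, error) {
	n := v.aead.NonceSize()
	if len(blob) < n {
		return "", errors.New("blob too short")
	}
	pt, err := v.aead.Open(nil, blob[:n], blob[n:], []byte(rowID))
	if err != nil {
		return "", err // wrong key, wrong row, or tampered blob
	}
	return string(pt), nil
}
```

The stored procedures then only ever see the blob column; any procedure that truly needs the clear number has to go through the middle tier's Open, which is where access can be logged and restricted.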

jrpm

2005-08-01, 11:23 am

You should check with your security people, but the card number encryption is
maybe more due to Visa/Mastercard requirements than SarbOx.

Anyway, 2000 doesn't have the encryption internals needed (hence the middle
tier approach), but for what is required by the CISP etc, look at 2003 (the
OS) file/drive encryption options. They may be enough until Yukon/2005
becomes official (it looks like that may have the tools.)
--
Joseph R.P. Maloney, CSP, CCP, CDP



Copyright 2008 droptable.com