ebxml-dev message


Subject: RE: [ebxml-dev] ebXML security for Credit Cards


Hi David,

This is a classic requirement for having security beyond data storage. Apart from data encryption, there would be a need to do the following:

1. Provide an access control mechanism at the content level that will decide who can read/write/browse what.
2. Based on the user performing the operation, the access control can be verified, and the user allowed or denied permission to manipulate the data.

If you use a relational database system for storing the purchase order information, you would need to build this access control in your application.

I assume you have a user security database already in place for handling user authentication; otherwise all this is meaningless.

I may not have answered your questions, but I hope this provides some ideas.

regards,
-ranjeet





> -----Original Message-----
> From: David Lyon [mailto:david.lyon@globaltradedesk.com]
> Sent: Thursday, April 11, 2002 10:16 PM
> To: Ebxml-Dev (E-mail)
> Subject: Re: [ebxml-dev] ebXML security for Credit Cards
> 
> 
> 
> Here's a security question that I've had from one of my developers and it is
> in regards to the storage of Credit Card numbers.
> 
> We have an application that generates X.12/ebXML Purchase Orders with Credit
> Card numbers. The app actually runs off a CDR business card and is given out
> to Customers at the front counter in retail shops. They take the CDR card
> home, stick it in their computer and make a purchase.
> 
> Now when the Purchase Order is sent, it goes over the Net it goes by SSL so
> it is sent in an encrypted form.
> 
> When it lands at the destination it is then decrypted and stored in plain
> text, but the credit card numbers are encrypted. It looks like this:
> 
> <Payment Details>
>   Payment_Date=12-Apr-02
>   Payment_Amount=588.7
>   TP="Qm6ItCIKhGZxKg==B"
>   CD="y8bcHcDcxp1IhToMtWD6PhSuaQ=="
>   XP="Pj3L9g=="
> </Payment Details>
> 
> which after decryption would be:
> 
> <Payment Details>
>   Payment_Date=12-Apr-02
>   Payment_Amount=588.7
>   TP="Visa"
>   CD="4557012301230123"
>   XP="0606"
> </Payment Details>
> 
> This version immediately above is never stored. It's always in the first
> format.
> 
> My two questions are:
> 
>     1) Is this method safe enough for general consumption and if not what
> would need to be done to make it secure?
> 
>     2) Where is a safe place generally speaking to store encryption keys?
> 
> I know that many in-house systems at the moment keep credit card details in
> plain text in a Customer database, but our system needs to be a few steps up
> from that.
> 
> Any suggestions welcomed
> 
> David Lyon
> Global Tradedesk
> 
> 
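
Added example, not part of either message: a sketch of the application-level, per-field access control the reply describes, sitting in front of a relational table that holds the payment record from the quoted message. The user names, roles, `POLICY` table, `audit` table and the `ENC(...)` placeholder ciphertext are all constructed for illustration.

```python
import sqlite3

FIELDS = ("Payment_Date", "Payment_Amount", "TP", "CD", "XP")
# Hypothetical policy: role -> operation -> fields that role may touch.
POLICY = {
    "billing":   {"read": set(FIELDS), "write": set()},
    "warehouse": {"read": {"Payment_Date", "Payment_Amount"}, "write": set()},
    "intake":    {"read": set(), "write": set(FIELDS)},
}

def open_store():
    """In-memory stand-in for the user security database and the order table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT NOT NULL)")
    db.execute("CREATE TABLE payment (id INTEGER PRIMARY KEY, Payment_Date TEXT,"
               " Payment_Amount TEXT, TP TEXT, CD TEXT, XP TEXT)")
    db.execute("CREATE TABLE audit (who TEXT, op TEXT, field TEXT, allowed INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "billing"), ("bob", "warehouse"), ("gateway", "intake")])
    # Constructed row; the card fields hold placeholder ciphertext, never plaintext.
    db.execute("INSERT INTO payment VALUES (1, '12-Apr-02', '588.7',"
               " 'ENC(tp)', 'ENC(cd)', 'ENC(xp)')")
    return db

def allowed(db, user, op, field):
    """Default deny: unknown users, roles, operations and fields all fail."""
    row = db.execute("SELECT role FROM users WHERE name = ?", (user,)).fetchone()
    ok = bool(row) and field in POLICY.get(row[0], {}).get(op, set())
    # Every decision is recorded, including refusals.
    db.execute("INSERT INTO audit VALUES (?, ?, ?, ?)", (user, op, field, int(ok)))
    return ok

def read_payment(db, user, pay_id):
    """Return only the fields this user may read; the rest are withheld."""
    cols = [f for f in FIELDS if allowed(db, user, "read", f)]
    if not cols:
        raise PermissionError(f"{user} may not read payment {pay_id}")
    # Column names come from the fixed FIELDS tuple, never from the caller.
    row = db.execute(f"SELECT {', '.join(cols)} FROM payment WHERE id = ?",
                     (pay_id,)).fetchone()
    return dict(zip(cols, row)) if row else {}

def write_field(db, user, pay_id, field, value):
    """Update one field; allowed() only passes names that appear in POLICY."""
    if not allowed(db, user, "write", field):
        raise PermissionError(f"{user} may not write {field}")
    db.execute(f"UPDATE payment SET {field} = ? WHERE id = ?", (value, pay_id))
```

Even the encrypted card fields are withheld from roles that have no need for them, so a user who can read the order never handles the ciphertext.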

