
RE: [WEB SECURITY] Hashing and entropy



I've provided some crypto guidance for a couple of UK high street
retailers' PCI projects, and the general rule is that the right solution
is based mostly on context, and what you actually want to do with the
PAN (or a derivative of it).  No one size fits all.

As a first port of call though, only keep the data you absolutely must
keep, and only for as long as you need to.  Many people use the PAN as a
key for marketing or purchase history, which it just isn't suitable for.
If you can ruthlessly remove PCI data, then you reduce the problem
(often by several orders of magnitude).

For example, many merchant services will wrap the whole CC handling
process for you.  Which means that you should never have to store any
PCI related data at all; you hold it transiently whilst the transaction
is authorised, and then you store the transaction reference, and destroy
the PAN/CVV etc.

Martin...
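The retention pattern described above (hold the PAN and CVV only for the duration of the authorisation call, then keep just the transaction reference and a masked PAN), as an added example that is not part of the original post. It is illustrative code, not the author's or any merchant service's, and `fake_authorize` is a hypothetical stand-in for the merchant service that returns an opaque reference:

```python
"""Data-minimising card handling flow (illustrative, not the poster's code).

Assumes a hypothetical merchant-service call authorize(pan, expiry, cvv, amount)
that returns an opaque transaction reference. Only that reference, a masked
PAN and the amount are retained; the full PAN and CVV never leave the call.
"""
from dataclasses import dataclass
import re
import uuid

PAN_RE = re.compile(r"^\d{12,19}$")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, so obviously malformed PANs are rejected before use."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first 6 and last 4 digits, the truncation PCI DSS allows to be stored/displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class RetainedTransaction:
    """The only thing written to storage after authorisation."""
    reference: str
    masked_pan: str
    amount_minor: int


def fake_authorize(pan: str, expiry: str, cvv: str, amount_minor: int) -> str:
    """Hypothetical merchant service: in reality this is a network call.

    It returns an opaque reference that is unrelated to the PAN, so the
    reference itself is not PCI data and can be used for refunds/history.
    """
    return "txn-" + uuid.uuid4().hex


def process_payment(pan: str, expiry: str, cvv: str, amount_minor: int,
                    authorize=fake_authorize) -> RetainedTransaction:
    """Authorise transiently, then return a record free of PAN and CVV."""
    if not PAN_RE.match(pan) or not luhn_valid(pan):
        raise ValueError("malformed PAN")
    reference = authorize(pan, expiry, cvv, amount_minor)
    # Note: CPython cannot reliably zero immutable str objects; the control
    # here is that the PAN/CVV are never persisted or logged, not that they
    # are scrubbed from memory.
    return RetainedTransaction(reference, mask_pan(pan), amount_minor)


def retained_leaks(record: RetainedTransaction, pan: str, cvv: str) -> bool:
    """Sanity check a reviewer can run: does the stored record carry PCI data?"""
    serialised = repr(record)
    return pan in serialised or cvv in serialised


if __name__ == "__main__":
    # Constructed sample using the well-known Visa test number.
    rec = process_payment("4111111111111111", "12/29", "123", 1999)
    print(rec)
    print("leaks PAN/CVV:", retained_leaks(rec, "4111111111111111", "123"))
```

The important design choice is that everything downstream (purchase history, refunds, marketing keys) hangs off `reference`, which the merchant service generated and which has no mathematical relationship to the PAN, so there is nothing to hash and no entropy argument to win.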


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA