Thank you Rajeev.
Actually we are trying to cater below the PCI requirement.
https://www.dwt.com/blogs/financial-services-law-advisor/2022/05/payment-card-industry-data-security-standards
I understand the encryption at the storage is taken care of by TDE which we
already have. And I need to see if TLS is implemented too.
However i believe ,it still has more to it , like we can't store the
decryption key if the encrypted value is stored in our database. And even
we can't store the card number as is in the database but have to encrypt
and then store it. Are these things taken care of by HSM with TDE option?
**** excerpt from above blog
"encryption alone is generally insufficient to render the cardholder data
out of scope for PCI DSS and does not remove the need for PCI DSS in that
environment. The entity's environment is still in scope for PCI DSS due to
the presence of cardholder data."
The standard provides the following situations in which encrypted
cardholder data will still be in scope of PCI DSS:
- Systems performing encryption and/or decryption of cardholder data,
and systems performing key management functions;
- Encrypted cardholder data that is not isolated from the encryption and
decryption and key management processes;
- Encrypted cardholder data that is present on a system or media that
also contains the decryption key;
- Encrypted cardholder data that is present in the same environment as
the decryption key; and
- Encrypted cardholder data that is accessible to an entity that also
has access to the decryption key.
Nevertheless, if a service provider (or other entity) merely receives
and/or stores encrypted data and does not have the ability to decrypt it,
the data can largely be considered out of scope of the PCI DSS. Version 4.0
explains that in a case where a service provider stores encrypted
cardholder data on behalf of a customer, does not have access to the
decryption key, and does not perform key management for its customer, the
data can be excluded when the service provider determines its PCI DSS
scope. Similarly, if a service provider only receives encrypted cardholder
data for the purpose of routing the data to other entities and does not
have access to the decryption key, the service provider may be considered
the same as a public network and would not have any PCI DSS responsibility
for the encrypted data.
On Wed, Nov 8, 2023 at 3:52 PM Rajeev Prabhakar <rprabha01@xxxxxxxxx> wrote:
Lok,
From what I know, for PCI data protection
related compliance there are at least two
requirements :
a) protect stored card holder data &
b) encrypt transmission of cardholder
data..
As regards “ but we need to encrypt things
while storing such that it won't be viewable
by anybody or application users” seems to
me that you are talking about requirement
“b” listed above..
If that’s correct & if you aren’t already using
it, please incorporate TLS (not SSL) to encrypt
control and management plane communications.
Regards,
Rajeev
On Nov 8, 2023 at 1:41 AM, <Lok P <loknath.73@xxxxxxxxx>> wrote:
Anyone has any thoughts on this, usage of TDE with HSM ?
On Sun, 5 Nov, 2023, 10:47 am Lok P, <loknath.73@xxxxxxxxx> wrote:
Yes, that is an option. But then moving the data to the downstream
system, do we need to also move the encryption keys to those environments
for decryption? I believe that will breach the PCI requirement again?
I was wondering if anybody used TDE with HSM option, and how that will
help in satisfying the PCI requirement.
On Sun, Nov 5, 2023 at 10:40 AM yudhi s <learnerdatabase99@xxxxxxxxx>
wrote:
I think if you don't have an option to store clear text , you may go
for using dbms_crypto for encrypting the column itself while
loading/persisting in your database.
On Sun, Nov 5, 2023 at 2:37 AM Lok P <loknath.73@xxxxxxxxx> wrote:
Hello All,
We are using Oracle version 19C and its Exadata for most of the
databases.
Creating this thread to understand how people cater to the payment
industry security requirement (i.e. PCI standard needs) through encryption.
Which is as below,
https://www.dwt.com/blogs/financial-services-law-advisor/2022/05/payment-card-industry-data-security-standards
As I understand it highlights that TDE is not enough as that encrypts
the column at storage but we need to encrypt things while storing such that
it won't be viewable by anybody or application users. And the key
management also has to happen outside the encryption/decryption zone.
Few of the third party team members suggested using Oracle TDE with HSM
to cater to this PCI requirement. We are already using Oracle
TDE(Tablespace encryption). But hearing this(Oracle TDE with HSM) for the
first time, I want to check here if anybody has experience using this in
the past and this will really suffice the PCI standard security needs?
Regards
Lok
