Re: Question on encryption use case
Date: Fri, 10 Nov 2023 01:18:05 +0530
Message-ID: <CAKna9VYxuTdYju30rrmNUoVwYhk0JqjQoMzpHaX4XF2Uf+h+kQ_at_mail.gmail.com>
Thank you Rajeev.
Actually we are trying to cater below the PCI requirement. https://www.dwt.com/blogs/financial-services-law-advisor/2022/05/payment-card-industry-data-security-standards
I understand the encryption at the storage is taken care of by TDE which we already have. And I need to see if TLS is implemented too. However i believe ,it still has more to it , like we can't store the decryption key if the encrypted value is stored in our database. And even we can't store the card number as is in the database but have to encrypt and then store it. Are these things taken care of by HSM with TDE option?
- excerpt from above blog
"encryption alone is generally insufficient to render the cardholder data out of scope for PCI DSS and does not remove the need for PCI DSS in that environment. The entity's environment is still in scope for PCI DSS due to the presence of cardholder data."
The standard provides the following situations in which encrypted cardholder data will still be in scope of PCI DSS:
- Systems performing encryption and/or decryption of cardholder data, and systems performing key management functions;
- Encrypted cardholder data that is not isolated from the encryption and decryption and key management processes;
- Encrypted cardholder data that is present on a system or media that also contains the decryption key;
- Encrypted cardholder data that is present in the same environment as the decryption key; and
- Encrypted cardholder data that is accessible to an entity that also has access to the decryption key.
Nevertheless, if a service provider (or other entity) merely receives and/or stores encrypted data and does not have the ability to decrypt it, the data can largely be considered out of scope of the PCI DSS. Version 4.0 explains that in a case where a service provider stores encrypted cardholder data on behalf of a customer, does not have access to the decryption key, and does not perform key management for its customer, the data can be excluded when the service provider determines its PCI DSS scope. Similarly, if a service provider only receives encrypted cardholder data for the purpose of routing the data to other entities and does not have access to the decryption key, the service provider may be considered the same as a public network and would not have any PCI DSS responsibility for the encrypted data.
On Wed, Nov 8, 2023 at 3:52 PM Rajeev Prabhakar <rprabha01_at_gmail.com> wrote:
> Lok,
>
> From what I know, for PCI data protection
> related compliance there are at least two
> requirements :
>
> a) protect stored card holder data &
> b) encrypt transmission of cardholder
> data..
>
> As regards “ but we need to encrypt things
> while storing such that it won't be viewable
> by anybody or application users” seems to
> me that you are talking about requirement
> “b” listed above..
>
> If that’s correct & if you aren’t already using
> it, please incorporate TLS (not SSL) to encrypt
> control and management plane communications.
>
> Regards,
> Rajeev
>
>
> On Nov 8, 2023 at 1:41 AM, <Lok P <loknath.73_at_gmail.com>> wrote:
>
> Anyone has any thoughts on this, usage of TDE with HSM ?
>
> On Sun, 5 Nov, 2023, 10:47 am Lok P, <loknath.73_at_gmail.com> wrote:
>
>> Yes, that is an option. But then moving the data to the downstream
>> system, do we need to also move the encryption keys to those environments
>> for decryption? I believe that will breach the PCI requirement again?
>>
>> I was wondering if anybody used TDE with HSM option, and how that will
>> help in satisfying the PCI requirement.
>>
>> On Sun, Nov 5, 2023 at 10:40 AM yudhi s <learnerdatabase99_at_gmail.com>
>> wrote:
>>
>>> I think if you don't have an option to store clear text , you may go
>>> for using dbms_crypto for encrypting the column itself while
>>> loading/persisting in your database.
>>>
>>> On Sun, Nov 5, 2023 at 2:37 AM Lok P <loknath.73_at_gmail.com> wrote:
>>>
>>>> Hello All,
>>>> We are using Oracle version 19C and its Exadata for most of the
>>>> databases.
>>>>
>>>> Creating this thread to understand how people cater to the payment
>>>> industry security requirement (i.e. PCI standard needs) through encryption.
>>>> Which is as below,
>>>>
>>>> https://www.dwt.com/blogs/financial-services-law-advisor/2022/05/payment-card-industry-data-security-standards
>>>>
>>>> As I understand it highlights that TDE is not enough as that encrypts
>>>> the column at storage but we need to encrypt things while storing such that
>>>> it won't be viewable by anybody or application users. And the key
>>>> management also has to happen outside the encryption/decryption zone.
>>>>
>>>> Few of the third party team members suggested using Oracle TDE with HSM
>>>> to cater to this PCI requirement. We are already using Oracle
>>>> TDE(Tablespace encryption). But hearing this(Oracle TDE with HSM) for the
>>>> first time, I want to check here if anybody has experience using this in
>>>> the past and this will really suffice the PCI standard security needs?
>>>>
>>>> Regards
>>>> Lok
>>>>
>>>>
>>>>
>>>>
-- http://www.freelists.org/webpage/oracle-lReceived on Thu Nov 09 2023 - 20:48:05 CET