Old 02-07-2010, 11:06 AM
 
geckoday
 

X-Wizard
  
Join Date: Aug 2005
Posts: 1,073
 

Re: X-Cart and PCI-DSS / PA-DSS compliance

Quote:
Originally Posted by cautious
I may be reading too much into the compliance requirements. My understanding is that, regardless of whether the stored data is encrypted or not, both numbers should not be stored together. The CVV should not be stored at all.

You are reading too much into it. Take a look at PCI-DSS 1.2.1 on page 5, footnote 2. It says "Sensitive authentication data must not be stored after authorization (even if encrypted)." Sensitive data is defined as full magnetic stripe data, CAV2/CVC2/CVV2/CID and PIN/PIN Block. It's left open to store this data prior to authorization because of the big boys who use store and forward messaging systems to communicate with their backend systems that do the authorization for their other systems. In hanging out on PCI forums with QSAs it's a common misconception that you can't store the CVV2 prior to authorization, but the QSAs universally agree it's acceptable. The QSAs say that the PCI-SSC, the group responsible for PCI-DSS and PA-DSS, has started a task force to look at security requirements prior to authorization, but at this point PCI-DSS doesn't cover security prior to authorization.

Quote:
Originally Posted by cautious
The idea is to use it live on demand. I mean, there should be no storage prior to authorization. Just use the number and the CVV to get the authorization, discard the CVV and optionally store the main# if the shop has the capacity to safeguard it and strongly encrypted. There is no need to ever store the CVV; it should be treated like the second part of a two-factor authentication.

I agree this is the way merchants should operate, but it is not mandated by the card brands, PCI-DSS or PA-DSS. All of the reasons to store CVV2 prior to authorization have better ways to deal with the problems.

Quote:
Originally Posted by cautious
If both the CVV and main# are stored encrypted together prior to authorization, an attacker can steal the storage and apply brute force. And it'll be worth it because, for a big merchant, the reward is that the cracked storage will yield millions of complete CVV, main# pairs ready to use.

Not really an issue. If you use the encryption algorithms and key management practices required by PCI-DSS, brute force would take decades to crack the encryption.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com
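The flow cautious describes (send PAN and CVV2 to the authorizer once, discard the CVV2, and keep only a strongly encrypted PAN) is easy to get wrong when the persisted record is the same struct as the checkout input. The following Go program is an added example and is not part of this post or of X-Cart: the persisted record has no CVV2 field at all, the CVV2 is cleared immediately after the authorizer call regardless of outcome, and the PAN is sealed with AES-256-GCM so tampering with the ciphertext is detected on decryption. The `Authorizer` type, `DemoAuthorizer`, and the randomly generated key are constructed stand-ins; a real deployment would get the data-encryption key from an HSM or KMS under the key-management practices the post refers to.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// CardInput is the cardholder data as submitted at checkout. It is the only
// struct that ever holds the CVV2, and it is never written to storage.
type CardInput struct {
	PAN  string // primary account number
	Exp  string // MMYY
	CVV2 string // sensitive authentication data: used once, then discarded
}

// StoredCard is the only record that may be persisted after authorization.
// There is deliberately no CVV2 field, so it cannot be stored by mistake.
type StoredCard struct {
	Last4    string
	Exp      string
	AuthCode string
	PANNonce []byte // AES-GCM nonce, fresh per encryption
	PANCT    []byte // AES-256-GCM ciphertext of the PAN (auth tag appended)
}

// Authorizer stands in for the processor call (hypothetical signature).
type Authorizer func(pan, exp, cvv2 string) (approved bool, authCode string, err error)

// DemoAuthorizer is a constructed stand-in: it approves any 3- or 4-digit CVV2.
func DemoAuthorizer(pan, exp, cvv2 string) (bool, string, error) {
	if len(cvv2) < 3 || len(cvv2) > 4 {
		return false, "", nil
	}
	return true, "DEMO-AUTH", nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("data-encryption key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN seals the PAN under the data-encryption key with a fresh random nonce.
func EncryptPAN(key []byte, pan string) (nonce, ct []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, []byte(pan), nil), nil
}

// DecryptPAN is the only path back to the plaintext PAN; the GCM tag rejects modified ciphertext.
func DecryptPAN(key, nonce, ct []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Authorize sends PAN+CVV2 to the authorizer once, discards the CVV2 whatever
// the outcome, and returns a record holding only the encrypted PAN and last four digits.
func Authorize(key []byte, in CardInput, auth Authorizer) (*StoredCard, error) {
	approved, code, err := auth(in.PAN, in.Exp, in.CVV2)
	in.CVV2 = "" // discard sensitive authentication data before anything else happens
	if err != nil {
		return nil, err
	}
	if !approved {
		return nil, errors.New("declined")
	}
	if len(in.PAN) < 4 {
		return nil, errors.New("PAN too short")
	}
	nonce, ct, err := EncryptPAN(key, in.PAN)
	if err != nil {
		return nil, err
	}
	return &StoredCard{Last4: in.PAN[len(in.PAN)-4:], Exp: in.Exp, AuthCode: code, PANNonce: nonce, PANCT: ct}, nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; in production it comes from an HSM/KMS
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	rec, err := Authorize(key, CardInput{PAN: "4111111111111111", Exp: "1225", CVV2: "987"}, DemoAuthorizer)
	if err != nil {
		panic(err)
	}
	fmt.Printf("persisted record: %+v\n", *rec) // contains neither the CVV2 nor the plaintext PAN
}
```

The point of the separate `StoredCard` type is structural: whatever serialiser or ORM writes it to disk cannot emit a CVV2, because the field does not exist, and the plaintext PAN is only ever reachable through `DecryptPAN` with the key. The test card number 4111111111111111 is a standard public test PAN, not real cardholder data.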