
PCI Encryption

It surprises me how often I see people posting questions about what type of encryption to implement for credit card data. If you are processing credit cards yourself, and storing the data, you need to comply with the PCI regulations that exist. Here's a good place to get started: https://www.pcisecuritystandards.org/.

Actually the place you need to start is with your bank or processing company. They should be able to guide you in what requirements need to be met for safe data storage.

However, if you're running some service and perhaps trying to store a credit card for a customer to make it easy to charge them over and over, that doesn't mean you don't need to comply. You are holding financial information about a customer, and if something happens to the data, you're at fault. Your company could be liable, and possibly even you personally if you make the recommendation to build something yourself.

Good security isn't magical, and it isn't secret. It involves using well-known algorithms, protecting the keys, and following best practices. There are some great encryption technologies in SQL Server 2005/SQL Server 2008, but don't just implement them without learning a few things about what best practices are and how these technologies work.
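As an added illustration of the "well-known algorithms, protected keys" point (this is not code from the editorial, and not an endorsement of any particular storage design), here is the SQL Server 2005/2008 key hierarchy applied to a card-number column: a database master key protects a certificate, the certificate protects an AES symmetric key, and only sessions able to open that key can read the column. The database name, table, key and certificate names are constructed for the example; the passwords are placeholders to be replaced, and the card number is a constructed test value.

```sql
-- Added example (not from the editorial): SQL Server key hierarchy for an
-- encrypted card-number column. CardVault, dbo.StoredCards, CardCert and
-- CardKey are constructed names; passwords are placeholders to replace.
USE CardVault;
GO

-- 1. Database master key (DMK), protected by a password and, by default,
--    also by the instance's service master key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-dmk-password-placeholder>';
GO

-- 2. Certificate protected by the DMK; it will protect the symmetric key.
CREATE CERTIFICATE CardCert
    WITH SUBJECT = 'Protects the symmetric key for stored card data';
GO

-- 3. Symmetric key using a well-known algorithm, protected by the certificate
--    rather than by a password embedded in application code.
CREATE SYMMETRIC KEY CardKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardCert;
GO

-- The table stores only ciphertext for the card number; the last four digits
-- are kept separately for display so the full value is never needed for that.
CREATE TABLE dbo.StoredCards (
    CardId       INT IDENTITY PRIMARY KEY,
    CustomerId   INT NOT NULL,
    LastFour     CHAR(4) NOT NULL,
    EncryptedPAN VARBINARY(256) NOT NULL
);
GO

-- Encrypt: the session must open the key (which requires rights on the
-- certificate) before EncryptByKey can use it. 4111111111111111 is a
-- constructed test number, not a real card.
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
INSERT INTO dbo.StoredCards (CustomerId, LastFour, EncryptedPAN)
VALUES (42, '1111', EncryptByKey(Key_GUID('CardKey'), N'4111111111111111'));
CLOSE SYMMETRIC KEY CardKey;
GO

-- Decrypt: a session that cannot open the key gets NULL from DecryptByKey,
-- so access to the plaintext is governed by key/certificate permissions.
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
SELECT CardId, CustomerId, LastFour,
       CONVERT(NVARCHAR(20), DecryptByKey(EncryptedPAN)) AS PAN
FROM dbo.StoredCards;
CLOSE SYMMETRIC KEY CardKey;
GO

-- Protecting the keys also means being able to recover them: back up the
-- certificate and its private key to media held away from the server.
-- Without this, a database restored elsewhere cannot read the column.
BACKUP CERTIFICATE CardCert TO FILE = 'C:\secure-offline\CardCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\secure-offline\CardCert.pvk',
        ENCRYPTION BY PASSWORD = '<strong-backup-password-placeholder>'
    );
GO
```

Two behaviours worth knowing before relying on this: EncryptByKey produces a different ciphertext each time it encrypts the same value, so the encrypted column cannot be searched or indexed directly (hence the separate LastFour column for lookups and display), and the symmetric key is usable only while it is open in the current session, which is why each batch opens it, does its work, and closes it again.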

The Voice of the DBA

Steve Jones is the editor of SQLServerCentral.com and visits a wide variety of data related topics in his daily editorial. Steve has spent years working as a DBA and general purpose Windows administrator, primarily working with SQL Server since it was ported from Sybase in 1990. You can follow Steve on Twitter at twitter.com/way0utwest

