Disk and Tape Encryption System for PCI Compliance

Functional Features

Features:

No Source Changes required!

Encryption Algorithm: Triple-DES with a three-key (24-byte, 48-hex-digit) key, 168 effective key bits; AES planned as a future enhancement

Key Management: hardware or software key management; no keys stored on the Stratus; keys changed automatically at least monthly

Conversion Program Supplied: batch programs to encrypt and decrypt existing files, for implementation, archiving and disaster recovery

Configurable: files to encrypt are listed in a configuration file, with wild cards covering whole directories

Description

The file encryption system is designed to encrypt customer credit, debit and EBT card numbers on a Stratus running the ON/2 system. Its major functions are to encrypt and decrypt card and account numbers wherever they are stored on the system (TLF, ALT_TLF, BCF002, ACV002, CCV002, DDV002, ILV002, LCV002, MLV002, and report files), per PCI requirement 3.4 ("Render PAN, at minimum, unreadable anywhere it is stored").

 

Key management for these functions may be accomplished through either hardware or software. If a hardware key management system is used, the package connects to the hardware device over the SSLv3 protocol to protect the key exchange in transit. Note that SSLv3 has since been deprecated (RFC 7568, June 2015) and PCI DSS 3.1 no longer accepts SSL or early TLS as strong cryptography for new implementations, so a current deployment should negotiate TLS 1.2 or later to the key-management device.

 

The data is currently encrypted with the Triple-DES algorithm under a three-key (24-byte, 48-hex-digit) key, which provides 168 effective key bits once the 24 DES parity bits are discarded; AES encryption is planned as a future enhancement. This meets PCI specification 3.4.a ("Strong cryptography, such as Triple-DES 128-bit or AES 256-bit"). Keys are never stored on the system, per PCI requirement 3.4.1 ("Verify that decryption keys are not stored on the local system").
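The 48-hex-digit key format above deserves a sanity check before a key is loaded: 24 bytes carry 192 raw bits, only 168 of which are key material, and a key whose three 8-byte subkeys repeat silently collapses Triple-DES to two-key (112-bit) or single-DES (56-bit) strength. The following is an added example, not the product's own code; the validation logic and the sample keys are constructed for illustration and assume nothing about how the package itself stores or loads keys.

```python
"""Sanity-check a Triple-DES key supplied as 48 hex digits (24 bytes).

Added example: the checks and sample keys below are constructed for
illustration and are not part of the product described on this page.
"""
import re
from typing import List

# The four DES weak keys (with parity bits): encryption under any of these
# is its own inverse, so a subkey equal to one of them adds no security.
DES_WEAK_KEYS = {
    bytes.fromhex("0101010101010101"),
    bytes.fromhex("FEFEFEFEFEFEFEFE"),
    bytes.fromhex("E0E0E0E0F1F1F1F1"),
    bytes.fromhex("1F1F1F1F0E0E0E0E"),
}


def parse_tdes_key(hex_key: str) -> bytes:
    """Parse a 48-hex-digit key string into 24 raw bytes (K1 || K2 || K3)."""
    if not re.fullmatch(r"[0-9A-Fa-f]{48}", hex_key):
        raise ValueError("Triple-DES key must be exactly 48 hex digits (24 bytes)")
    return bytes.fromhex(hex_key)


def has_odd_parity(key: bytes) -> bool:
    """Every DES key byte carries an odd-parity bit in its low-order bit.
    192 bits minus 24 parity bits leaves the 168 effective bits quoted above."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def effective_key_bits(key: bytes) -> int:
    """Effective key length after discarding parity and collapsing duplicate
    subkeys under EDE (encrypt K1, decrypt K2, encrypt K3):
      168  three distinct subkeys
      112  K1 == K3, K2 distinct (two-key Triple-DES)
       56  K1 == K2 or K2 == K3 (two passes cancel: single DES), or all equal
    """
    k1, k2, k3 = key[:8], key[8:16], key[16:24]
    if k1 == k2 or k2 == k3:
        # E_K1(D_K1(E_K3(P))) == E_K3(P); E_K1(D_K2(E_K2(P))) == E_K1(P)
        return 56
    if k1 == k3:
        return 112
    return 168


def validate_tdes_key(hex_key: str) -> List[str]:
    """Return a list of findings for the key; an empty list means it passes."""
    key = parse_tdes_key(hex_key)
    findings = []
    if not has_odd_parity(key):
        # Not a cryptographic weakness by itself, but a reliable sign of a
        # mis-transcribed or mis-generated key.
        findings.append("parity: at least one key byte fails DES odd parity")
    for i, sub in enumerate((key[:8], key[8:16], key[16:24]), start=1):
        if sub in DES_WEAK_KEYS:
            findings.append(f"weak: subkey K{i} is a DES weak key")
    bits = effective_key_bits(key)
    if bits < 168:
        findings.append(f"strength: effective key length is {bits} bits, not 168")
    return findings


# Constructed sample keys (each 8-byte subkey has correct odd parity unless noted).
GOOD_KEY = "0123456789ABCDEF" "FEDCBA9876543210" "ABCDEF0123456789"
TWO_KEY = "0123456789ABCDEF" "FEDCBA9876543210" "0123456789ABCDEF"   # K1 == K3
SINGLE_DES_KEY = "0123456789ABCDEF" * 3                              # all equal
BAD_PARITY_KEY = "0023456789ABCDEF" "FEDCBA9876543210" "ABCDEF0123456789"  # 0x00 is even
WEAK_SUBKEY = "0101010101010101" "FEDCBA9876543210" "ABCDEF0123456789"

if __name__ == "__main__":
    for name, k in [("good", GOOD_KEY), ("two-key", TWO_KEY),
                    ("single-DES", SINGLE_DES_KEY), ("bad parity", BAD_PARITY_KEY),
                    ("weak subkey", WEAK_SUBKEY)]:
        print(f"{name:12s} {effective_key_bits(parse_tdes_key(k))} bits "
              f"{validate_tdes_key(k) or 'OK'}")
```

Whether 112-bit (two-key) Triple-DES is acceptable is a policy decision for the deployer; the check flags anything below the 168 bits this page advertises so that a weaker key cannot be loaded unnoticed.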

 

Because key management requires no user intervention, no operator ever handles key material, which supports requirement 3.5.1 ("Restrict access to keys to the fewest number of custodians necessary").

 

Key values are changed at least monthly, per requirement 3.6.4 ("Periodic key changes as deemed necessary and recommended by the associated application (for example, re-keying); preferably automatically; at least annually").

 

The package is written so that no changes to the customer's source code are required to implement it; only minor modifications to bind files are needed. This simplifies testing procedures and user acceptance.

 

A set of batch conversion programs is supplied with the system. They encrypt and decrypt existing files, and can be used during implementation, for archiving old files, and in disaster recovery procedures.

 

All files to be encrypted are listed in a configuration file, so the user can encrypt only the files they deem necessary. Wild cards are allowed, so all files within a directory can be encrypted with a single configuration entry.



Webmaster: Info@g-s-i.com
© copyright 2015 Gateway Solutions Inc.