PCI Data Security Standard
PCI DSS stands for Payment Card Industry Data Security Standard. The standard describes how safe
electronic payment card systems should be designed. It defines a set of security requirements that should
be met to ensure safe electronic payment.
The complete standard is described in pci_dss_v3-1.pdf.
The standard is divided into six main parts comprising a total of 12 requirements. The six main parts are:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Although this standard has been developed for electronic payment systems, it can of course be used for
any information system where data has to be handled securely. Asysco has therefore decided to fulfill the
requirements of the second part, concerning the Protection of (Cardholder) Data, in AMT-COBOL.
This part contains two requirements:
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks.
PCI DSS requirements that are met in AMT-COBOL
The following requirements of the PCI DSS are met when using the external encryption methods provided by AMT-COBOL:
- Requirement 3.4: Strong encryption is provided by using the AES 256-bit cipher algorithm to store data in the database, in files and in the logging. Key management is done by the application server and the key is stored securely in the database.
- Requirement 3.6.1: Generation of strong keys is done using PBKDF2; see RFC 2898, "PKCS #5: Password-Based Cryptography Specification Version 2.0", available on the Request for Comments Web site at http://www.rfc-editor.org/. See section 5.2, "PBKDF2", for complete details.
- Requirement 3.6.2: Distribution of the keys between the different parts of an application is done with the use of RSA encryption.
- Requirement 3.6.3: The keys are stored in the database using the security options of the database server.
- Requirement 4.1: Data is transmitted between the different parts of an application with the use of AES 256-bit cipher encryption.
AES
The Advanced Encryption Standard (AES), also known as Rijndael, is a block cipher adopted as an encryption standard by the U.S. government. It has been analyzed extensively and is now widely used worldwide. AES was announced by the National Institute of Standards and Technology (NIST) as U.S. FIPS PUB 197 (FIPS 197). It became effective as a standard on May 26, 2002.
AES uses a symmetrical key (i.e. the same key is used for encryption and decryption).
In AMT-COBOL this key is used both for encryption of data in the database and for the transmission of data between the application server and the application clients. To be able to decrypt and encrypt data in the application client the key is sent to the application client using RSA encryption.
Data fields in tables can contain the same data in different records, and it would be a vulnerability if identical data always produced identical encrypted output. A mechanism has therefore been added to ensure that a new encrypted value is created each time the same data is encrypted. This is done in such a way that the original data can still be retrieved.
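One way to obtain the behaviour described above, as an added example that is not Asysco's code (the page does not name the mechanism AMT-COBOL uses): AES-256 in GCM mode with a fresh random nonce stored in front of each ciphertext. The function names, the use of GCM and the nonce-prefix layout are assumptions made for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newFieldCipher builds AES-256-GCM and rejects any key that is not 32 bytes.
func newFieldCipher(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 requires a 32-byte key, got %d bytes", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptField returns nonce||ciphertext||tag; the random nonce makes equal plaintexts differ.
func encryptField(c cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, c.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return c.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptField reads the nonce back from the stored value and verifies the tag.
func decryptField(c cipher.AEAD, stored []byte) ([]byte, error) {
	n := c.NonceSize()
	if len(stored) < n+c.Overhead() {
		return nil, fmt.Errorf("stored value too short: %d bytes", len(stored))
	}
	return c.Open(nil, stored[:n], stored[n:], nil)
}

func main() {
	key := make([]byte, 32) // constructed demo key, generated on the spot
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	c, _ := newFieldCipher(key)
	a, _ := encryptField(c, []byte("4111111111111111")) // constructed test value
	b, _ := encryptField(c, []byte("4111111111111111"))
	p, _ := decryptField(c, a)
	fmt.Printf("%x\n%x\n%s\n", a, b, p)
}
```

Each stored value is 28 bytes longer than the plaintext (12-byte nonce plus 16-byte tag), which matters when sizing encrypted database columns.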
RSA
RSA is an algorithm for public-key cryptography. It was the first algorithm known to be suitable for signing as well as encryption and one of the first great advances in public-key cryptography. RSA is widely used in electronic commerce protocols and is believed to be secure given sufficiently long keys and up-to-date implementations.
RSA uses a pair of asymmetrical keys, a private key and a public key. What is encrypted with the private key can only be decrypted with the public key and what is encrypted with the public key can only be decrypted with the private key.
In AMT-COBOL the client (Webclient) generates a public and private RSA key at startup. The client then sends the public key to the transaction server signed with a SHA-1 hash code. The transaction server checks the received public key with the hash code and in case of success retrieves the symmetric AES key from the database and sends this symmetric key encrypted with the public RSA key to the client. The client finally decrypts the symmetric key using the private RSA key. The received AES symmetrical key will then be used for encrypted data transmission to and from the transaction server.