After reading about Sony’s major clusterf… cock-up on their PSP network breach, in which up to 77 million accounts, including credit card data, could have been stolen, I propose a method to cure the generic problem of storing customer payment details for recurring billing, such as subscriptions or subsequent purchases.
Step 1. Payment gateway provides business with an individual public encryption key
Upon setting up a payment gateway for processing credit card payments, the business (in this case Sony) would be issued a public key, be it by the bank, if they deal directly with one, or by a payment gateway such as RBS.
Step 2. Business encrypts credit card data with public key before storage
PCI DSS specs for storing credit card data securely call for very strong access control, encryption and accountability, but none of this holds up against sloppy employees, loss or theft of the encryption keys that protect the card data, and so on. Once you have a break-in, if you keep the keys to the safe in the same office, your valuables are completely naked. With a public key, you are effectively storing the safe’s keys somewhere else: the merchant can lock card data away but has no key that opens it. This is how the process works, schematically:
Step 3. User makes a purchase
Once the user decides to make a purchase, or has to be billed for the month’s service, the business pulls the encrypted credit card data off its database, combines it with the purchase price and other required information, and sends it to the payment processor for authorization. The payment processor can decrypt the credit card data with its private key, and can thus process the transaction normally:
What does all this solve?
- Users only hand over their credit card data at the start of the relationship, and the business/merchant never stores that data in the clear.
- The merchant holds no credit card data that can be recovered, even by a corrupt employee or in a full-blown data breach.
- Encrypted card data cannot be used in replay attacks elsewhere, or by other merchants, because the public key is issued per merchant.
- If a breach takes place, all the payment gateway needs to do is revoke the public key and destroy the matching private key, after which the stolen ciphertexts can no longer be decrypted and the card data stays safe.
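To make steps 1 to 3 and the four benefits above concrete, here is an added example in Go, written for this edit and not code from the original post (which describes the scheme only in prose and diagrams). The post does not name a cipher, so RSA-OAEP with SHA-256 from Go’s standard library is an assumption; the names Gateway, IssueMerchantKey, EncryptCard, ChargeRequest and Authorize, the merchant IDs and the test card number are all constructed for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// CardData is what the customer hands over once, at sign-up. The merchant
// never writes this struct to its database in the clear.
type CardData struct {
	PAN    string `json:"pan"`
	Expiry string `json:"exp"`
	Name   string `json:"name"`
}

// Gateway stands in for the payment processor. It issues one RSA key pair per
// merchant and is the only party that ever holds the private halves (step 1).
type Gateway struct {
	privateKeys map[string]*rsa.PrivateKey
}

func NewGateway() *Gateway {
	return &Gateway{privateKeys: map[string]*rsa.PrivateKey{}}
}

// IssueMerchantKey generates a 2048-bit key pair for merchantID, keeps the
// private key and hands back only the public key for the merchant to embed.
func (g *Gateway) IssueMerchantKey(merchantID string) (*rsa.PublicKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	g.privateKeys[merchantID] = key
	return &key.PublicKey, nil
}

// Revoke is the breach response from the post: the private key is destroyed,
// so every ciphertext made under that merchant's public key becomes unopenable.
func (g *Gateway) Revoke(merchantID string) {
	delete(g.privateKeys, merchantID)
}

// EncryptCard is the merchant side of step 2: the card is sealed with the
// gateway-issued public key (RSA-OAEP, SHA-256, an assumed choice) before it
// touches storage. A JSON card is well under OAEP's 190-byte limit at 2048 bits.
func EncryptCard(pub *rsa.PublicKey, card CardData) ([]byte, error) {
	plain, err := json.Marshal(card)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, nil)
}

// ChargeRequest is what the merchant sends per purchase (step 3): the stored
// ciphertext plus the transaction details, never the card itself.
type ChargeRequest struct {
	MerchantID    string
	EncryptedCard []byte
	AmountCents   int64
	Currency      string
}

// Authorize recovers the card with the private key issued to req.MerchantID
// and processes the charge. Only the last four digits leave this function.
func (g *Gateway) Authorize(req ChargeRequest) (string, error) {
	key, ok := g.privateKeys[req.MerchantID]
	if !ok {
		return "", errors.New("merchant key revoked or unknown")
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, key, req.EncryptedCard, nil)
	if err != nil {
		// Also the path a stolen blob takes when replayed under another
		// merchant's account: that merchant's private key cannot open it.
		return "", fmt.Errorf("ciphertext not valid for merchant %s: %w", req.MerchantID, err)
	}
	var card CardData
	if err := json.Unmarshal(plain, &card); err != nil {
		return "", err
	}
	if len(card.PAN) < 4 {
		return "", errors.New("malformed card data")
	}
	return fmt.Sprintf("approved %d %s on card ending %s",
		req.AmountCents, req.Currency, card.PAN[len(card.PAN)-4:]), nil
}

func main() {
	gw := NewGateway()
	pubA, err := gw.IssueMerchantKey("merchant-a")
	if err != nil {
		panic(err)
	}
	if _, err := gw.IssueMerchantKey("merchant-b"); err != nil {
		panic(err)
	}
	// Constructed sample: a well-known test PAN, not a real customer's card.
	stored, err := EncryptCard(pubA, CardData{PAN: "4111111111111111", Expiry: "12/29", Name: "A Customer"})
	if err != nil {
		panic(err)
	}
	// Monthly billing: merchant-a sends only the stored blob plus the amount.
	fmt.Println(gw.Authorize(ChargeRequest{"merchant-a", stored, 999, "USD"}))
	// The same blob replayed under another merchant's account is rejected.
	fmt.Println(gw.Authorize(ChargeRequest{"merchant-b", stored, 999, "USD"}))
	// After a breach at merchant-a the gateway destroys the private key.
	gw.Revoke("merchant-a")
	fmt.Println(gw.Authorize(ChargeRequest{"merchant-a", stored, 999, "USD"}))
}
```

Running it shows one approval followed by two rejections: the per-merchant key is what defeats the cross-merchant replay, and deleting the private key is what turns a stolen database of ciphertexts into noise. Note that the gateway, not the merchant, is where the private key lives; nothing in the merchant's process, database or backups can reverse EncryptCard.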
All this would obviously cost time and money to implement, but in my view it would be a big step forward in keeping customer credit card data secure.