2-way encryption


javajoe
05-07-2007, 11:34 AM
We are using 3DES blowfish with 128 bit key, so it's my understanding that this is the worst possible case but acceptable as far as PCI is concerned.

We are storing passwords, one-way encryption, always encrypting user input and matching against stored encrypted passwords. This too should be good.

Now if we want to retrieve information, such as credit card number that has been encrypted, is it ok to use the same key to decrypt this and send it on to the merchant? Or does it have to be done in such a way that the same key could not be used to both encrypt and decrypt. If that is the case, what's the recommended solution?

Patrick
05-08-2007, 12:14 AM
If you are using a symmetric algorithm like 3DES or Blowfish then you have to use the same key to encrypt and decrypt the data - it is how the algorithms work and, with good key management, is accepted for PCI-DSS.

You could use a public key (asymmetric) system like RSA where a different key encrypts and decrypts but this takes more processor time and probably isn't worth it.

By the way, if you are just starting to implement this, use AES as your algorithm if at all possible; it is believed to be much stronger, there are plenty of freeware libraries around and it won't be any harder to implement.

hth
Patrick

admin
05-18-2007, 07:05 AM
I think what you mentioned is the use of the 3DES or Blowfish encryption algorithms. These are generally "industry accepted algorithms" and thus compliant for PCI. The key here is to also use an "industry accepted key length" and to implement the algorithm properly.

To answer your other question, yes, it is acceptable to also use secure one-way hashes to store the data.