MSAccess
kevinsmith
05-07-2009, 12:41 PM
Question about the database applications that can be used for storing encrypted card data. Can something like MSAccess be used for data storage? I understand that MSAccess does not have any real security to prevent access to the tables nor can it log any info pertaining to the running of the application or the review of data contained within.
Data maintained in the database would be suitably encrypted (AES256) and keys would be external to the context, but would lack of logging or lack of user access restrictions constitute a failure to adhere to PA-DSS?
I am aware of MSAccess Workgroup Security however this has been dropped in Access 2007 and would prefer not to depend on using 2003 or earlier releases.
rgreen
05-11-2009, 06:00 AM
It would have to depend on the application that is using the ACCESS database. You need to ask the following questions:
1) Does it store sensitive PAN in the approved encrypted state?
2) Does it provide logging?
3) Does it allow different users access (i.e. is it capable of allowing users to use his/her own usernames and psw)? Keep in mind that even if the application allows for different users to log in, if you're using it with a generic username or using a single username by different people, then it defeats the purpose...
4) How are encryption keys handled? Is it capable of being changed?
If you can answer yes to all the above, I don't see why it cannot be used. Others may have different thoughts on this?
kevinsmith
05-11-2009, 06:10 AM
Q: Does it store sensitive PAN in the approved encrypted state?
A: Yes, the data maintained in the database would be encrypted using AES
Q: Does it provide logging?
A: This is the key question. MSAccess itself provides no mechanism to restrict access to the contents of the .mdb file. Anyone can open the database using Access directly, however, the data is not accessible while in its encrypted state.
The front end of the application would be the only party able to decrypt the data and would provide all logging pertaining to decrypted card data access.
Q: Does it allow different users access (i.e. each with his/her own usernames and psw)?
A: Based on previous question, the front end of the application will provide for UN/PW on a per user basis.
Q: How are encryption keys handled? Is it capable of being changed?
A: Application's front end would handle key management in separate database and will allow/require keys to be changed on a periodic basis.
Additional Comments?
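The design the two posts above converge on (ciphertext-only rows in the data file, keys held in a separate store, a front end that authenticates each user, logs every decrypt attempt and rotates keys) can be sketched in code. The following Go program is an added illustration written for this thread, not code from either poster or from any Access application; the card table and the key store are plain in-memory slices and maps standing in for the .mdb and the key database, the user names and the test PAN are constructed, and it uses AES-256-GCM from the Go standard library for the "AES256" the original poster mentions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"time"
)

// CardRecord is a row of the card-data table (the .mdb stand-in). It never
// holds a plaintext PAN: only ciphertext, the nonce and the key version used.
type CardRecord struct {
	ID, KeyID         int
	Nonce, Ciphertext []byte
}

// KeyStore stands in for the separate key-management database. Keys are
// versioned so rows under an older key can still be read and re-encrypted.
type KeyStore struct {
	keys    map[int][]byte
	current int
}

// Rotate generates a fresh 256-bit key and makes it the current version.
func (ks *KeyStore) Rotate() (int, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return 0, err
	}
	ks.current++
	ks.keys[ks.current] = k
	return ks.current, nil
}

func (ks *KeyStore) aead(id int) (cipher.AEAD, error) {
	k, ok := ks.keys[id]
	if !ok {
		return nil, fmt.Errorf("unknown key version %d", id)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// AccessLog is one audit entry; denied attempts are recorded as well.
type AccessLog struct {
	When   time.Time
	User   string
	Action string
	Record int
	OK     bool
}

// FrontEnd is the application layer: the only component that holds keys,
// checks the caller's own identity and writes the audit log.
type FrontEnd struct {
	keys    *KeyStore
	Store   []CardRecord    // the card-data table
	allowed map[string]bool // named users permitted to decrypt PANs
	Log     []AccessLog
}

func NewFrontEnd(allowed map[string]bool) (*FrontEnd, error) {
	ks := &KeyStore{keys: map[int][]byte{}}
	if _, err := ks.Rotate(); err != nil {
		return nil, err
	}
	return &FrontEnd{keys: ks, allowed: allowed}, nil
}

func (fe *FrontEnd) audit(user, action string, rec int, ok bool) {
	fe.Log = append(fe.Log, AccessLog{time.Now(), user, action, rec, ok})
}

func (fe *FrontEnd) seal(keyID int, pan string) (CardRecord, error) {
	g, err := fe.keys.aead(keyID)
	if err != nil {
		return CardRecord{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return CardRecord{}, err
	}
	return CardRecord{KeyID: keyID, Nonce: nonce, Ciphertext: g.Seal(nil, nonce, []byte(pan), nil)}, nil
}

func (fe *FrontEnd) open(rec CardRecord) (string, error) {
	g, err := fe.keys.aead(rec.KeyID)
	if err != nil {
		return "", err
	}
	pt, err := g.Open(nil, rec.Nonce, rec.Ciphertext, nil)
	return string(pt), err
}

// StorePAN encrypts under the current key version and appends a row.
func (fe *FrontEnd) StorePAN(user, pan string) (int, error) {
	if user == "" || !fe.allowed[user] {
		fe.audit(user, "store", 0, false)
		return 0, errors.New("user not permitted")
	}
	rec, err := fe.seal(fe.keys.current, pan)
	if err != nil {
		return 0, err
	}
	rec.ID = len(fe.Store) + 1
	fe.Store = append(fe.Store, rec)
	fe.audit(user, "store", rec.ID, true)
	return rec.ID, nil
}

// ReadPAN is the only path to plaintext; every attempt, allowed or not, is logged.
func (fe *FrontEnd) ReadPAN(user string, id int) (string, error) {
	if user == "" || !fe.allowed[user] || id < 1 || id > len(fe.Store) {
		fe.audit(user, "read", id, false)
		return "", errors.New("access denied")
	}
	pan, err := fe.open(fe.Store[id-1])
	fe.audit(user, "read", id, err == nil)
	return pan, err
}

// RotateKeys issues a new key version and re-encrypts every row under it.
func (fe *FrontEnd) RotateKeys() error {
	newID, err := fe.keys.Rotate()
	if err != nil {
		return err
	}
	for i, rec := range fe.Store {
		pan, err := fe.open(rec)
		if err != nil {
			return err
		}
		fresh, err := fe.seal(newID, pan)
		if err != nil {
			return err
		}
		fresh.ID = rec.ID
		fe.Store[i] = fresh
	}
	return nil
}

func main() {
	fe, _ := NewFrontEnd(map[string]bool{"alice": true}) // constructed user
	id, _ := fe.StorePAN("alice", "4111111111111111")   // constructed test PAN
	fmt.Println(fe.ReadPAN("alice", id))
	fmt.Println(fe.ReadPAN("bob", id)) // not a permitted user: denied and logged
	fmt.Println("rotate:", fe.RotateKeys(), "key version now", fe.Store[0].KeyID)
	for _, e := range fe.Log {
		fmt.Printf("%s %s record=%d ok=%v\n", e.User, e.Action, e.Record, e.OK)
	}
}
```

Two points from the thread show up directly: a denied read by an unknown or empty user name still produces a log entry, which is what distinguishes per-user logging from a generic shared login, and a stored row carries only the key version, so the data file on its own is useless to anyone who opens it with Access while the key store stays elsewhere.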