Hey all. Hope you can help me cause this one is hurting my brain...

Ok so we have a customer who has PAN's in an Oracle database. The database is encrypted let's assume strongly (AES). The key used to decrypt it is a passphrase. Now this passphrase is stored in a stored procedure which is wrapped, and not viewable. In order to call the stored procedure, a user must authenticate to the front end application and the application calls the stored procedure.

If more details are required, let me know. But is this construct considered PCI compliant? I would assume so as one cannot access the SP without authentication, and the SP is never viewable by the app which means the passphrase is not viewable by the app.

Thanks all.

-J

A few things that you will want to look at.

1. Does the stored procedure have any controls around it that would allow you to set permissions on who can execute the stored procedure?

2. Would it be possible to store the stored procedure on another server and have a remote call performed? At least there would be some separation in place and a malicious user would have to determine where the stored procedure is stored in order to view the card data.

I would refer to the key management controls within the DSS. This will give you some guidance on how the stored procedure should be protected. If the application is unable to support the key management controls, then I don't think it would be too hard to implement some compensating controls for this. Logging, access controls, patching, network segmentation, etc.