I have a client I'm helping with their PCI compliance effort. One question I 
have is where to store the key that encrypts account numbers, etc. Right now, 
it's in one location in their CF code. Is there a better practice? I understand 
that storing it in the same database that contains the encrypted data is a 
no-no (seems sensible). The cost of an external HSM box just for key management 
seems prohibitive. Is there an easier way that others here have used?

Thanks,
Dave


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336254