Storing the key in the same db is ok, if you also encrypt the key. You might use a combination of the app name and the timestamp of the key record as the key to unencrypt the key (wow that's confusing).
Steve "Cutter" Blades Adobe Community Professional - ColdFusion Adobe Certified Professional Advanced Macromedia ColdFusion MX 7 Developer Co-Author of "Learning Ext JS" http://www.packtpub.com/learning-ext-js/book _____________________________ http://blog.cutterscrossing.com On 8/13/2010 8:52 AM, Dave Burns wrote: > I have a client I'm helping with their PCI compliance effort. One question I > have is where to store the key that encrypts account numbers, etc. Right now, > it's in one location in their CF code. Is there a better practice? I > understand that storing it in the same database that contains the encrypted > data is a no-no (seems sensible). The cost of an external HSM box just for > key management seems prohibitive. Is there an easier way that others here > have used? > > Thanks, > Dave > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology-Michael-Dinowitz/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336256 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm