Is encrypting cookies a PCI DSS requirement?

Is encrypting cookies a PCI DSS requirement?

While scanning my company's Web server log files, I came across a log error that contained data posted during a secure credit card transaction. I mentioned it to our developer and he said that after the customer enters his or her credit card number and before submitting the final order, the credit card number is stored in the user's Web browser as a cookie. Are we responsible for encrypting the cookie on the user's system? Is this a requirement of the PCI DSS standard?

    Requires Free Membership to View

    Login

    SearchSecurity.co.UK members gain immediate and unlimited access to breaking UK industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.co.UK today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.co.uk you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.co.uk is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

I know enough about Web application development to be dangerous, but I have friends that have been on the cutting edge of Web application security for years. So I figured I would ping my friend Jeremiah Grossman, CTO of White Hat Security and author of a very popular Web application security blog, to see what he had to say about encrypting cookies and PCI DSS. Here's his reply:

"General Web security best practices suggest that sensitive information, such as credit card numbers, must never be stored in cookies (or URLs for that matter). This type of data should be restricted to the POST BODY of the request and nowhere else. A primary reason is -- as the question alludes to -- the storage of the data in an uncontrolled manner on the user's system. As far as cookies are concerned, should any part of the Web site not be served up over SSL, then the credit card information would automatically pass over the wire in the clear."

"One possible solution would be to encrypt the data in the cookie, though not the recommended course of action and PCI has explicitly spelled out this nuance. It would be much better to be in line with industry best practices (and also PCI DSS) to simply remove the data from the cookie entirely and instead passing the data over POST. Another option would be to maintain a user session using cookies, and utilize a database for credit card number lookups."

That seems pretty clear; the application needs to be changed to avoid storing the customer's credit card number in the cookie. It may be a little inconvenient and require a bit more work, but that can be weighed against the cost of notifying customers of a data breach or the loss of business because you've violated customers' trust.

For more information:

  • In this expert response, Joel Dubin discusses whether or not tokenization can meet PCI DSS standards for storing credit card data.
  • In this SearchSecuity.com Q&A, discover how other types of sensitive customer data, such as driver's license information, should be handled.

    • This was first published in October 2007

    Back to top