Non-encrypted confidential information - Credit Cards

Description

In alignment with the PCI DSS standard, sensitive payment card information must be masked and encrypted both on the client side and on the server side.

Impact

Obtain credit card information.

Recommendation

Encrypt all sensitive information that is transported or stored within the application, according to the organization's policies.

Threat

Unauthorized insider attacker performing a MitM.

Expected Remediation Time

⌚ 120 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: A
  • Attack complexity: H
  • Privileges required: N
  • User interaction: R
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code maturity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 2.6
    • Temporal: 2.6
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

All sensitive information is securely encrypted

const crypto = require('crypto');
const CIPHER_ALGORITHM = 'aes-256-ctr';

// createKey() and saveNumber() are provided elsewhere in the application:
// the key must come from a secure key store (HSM or secrets manager), never from source code.
const key = createKey();

// Minimal cipher wrapper around Node's crypto API; a fresh random IV is used for every value
class KeyGen {
  constructor(key, algorithm) {
    this.key = key;
    this.algorithm = algorithm;
  }
  cipher(plaintext) {
    const iv = crypto.randomBytes(16);
    const c = crypto.createCipheriv(this.algorithm, this.key, iv);
    // The IV is stored alongside the ciphertext so the value can be decrypted later
    return Buffer.concat([iv, c.update(plaintext, 'utf8'), c.final()]).toString('base64');
  }
}

const kg = new KeyGen(key, CIPHER_ALGORITHM);

function processCreditCardNumber(hashed_CCNumber) {
  const cipheredNumber = kg.cipher(hashed_CCNumber);
  saveNumber(cipheredNumber); // only the ciphertext is persisted
  return true;
}
// Be aware you need special secure infrastructure to securely store the keys and be sure to rotate them regularly

Non compliant code

The application stores the card number without encryption, so anyone who gains access to the storage (for example through compromised user credentials) can read it

function processCreditCardNumber(hashed_CCNumber) {
  saveNumber(hashed_CCNumber); // stored in the clear: no encryption before persistence
  return true;
}

Requirements