
AES 256 CBC Decryption (PCI Compliance  Credit Cards on Product Cart)

Question asked by nmreynoso on Feb 2, 2015
Latest reply on Feb 3, 2015 by nmreynoso

Hi There,


I confess to be a total novice when it comes to VB.  My issue is that a long time ago, someone wrote an Access file that queries our product cart database for encrypted credit cards and then exported the query (containing the de-encrypted card numbers) to Excel, which was then imported into our FileMaker database.


So now that we currently use 360Works Plastic and are on our way to becoming fully PCI compliant, this exposure must be dealt with.  I have tried using the TROI, ScriptMaster and BaseElements versions of AES de-encryption, but I always fail.  If I am understanding correctly, this is probably because there is no way to manage an IV?  I am a novice as to encryption as well, so I am including the VB code below in hopes that someone can give me some assistance in replicating this, if there is a way.


' Module-level state shared by RC4Initialize and EnDeCrypt
' (these declarations were missing from the pasted code)
Dim sbox(255)
Dim key(255)
Dim intLength

Sub RC4Initialize(strPwd)
   ':::  This routine called by EnDeCrypt function. Initializes the :::
   ':::  sbox and the key array)                                    :::

      Dim tempSwap
      Dim a
      Dim b

      intLength = Len(strPwd)
      ' An empty password would make "a Mod intLength" divide by zero
      If intLength = 0 Then Err.Raise 5, "RC4Initialize", "Password must not be empty"

      ' Key scheduling: repeat the password to 256 bytes and fill the identity S-box
      For a = 0 To 255
         key(a) = Asc(Mid(strPwd, (a Mod intLength) + 1, 1))
         sbox(a) = a
      Next

      ' Permute the S-box with the key
      b = 0
      For a = 0 To 255
         b = (b + sbox(a) + key(a)) Mod 256
         tempSwap = sbox(a)
         sbox(a) = sbox(b)
         sbox(b) = tempSwap
      Next
   End Sub

   Function EnDeCrypt(plaintxt, psw)
   ':::  This routine does all the work. Call it both to ENcrypt    :::
   ':::  and to DEcrypt your data.                                  :::

      Dim temp
      Dim a
      Dim i
      Dim j
      Dim k
      Dim cipherby
      Dim cipher
      Dim plaintxt1

      i = 0
      j = 0
      cipher = ""

      RC4Initialize psw
      'restore special character: a Chr(0) byte is stored as Chr(1) & "DD"
      plaintxt1 = Replace(plaintxt, Chr(1) & "DD", Chr(0))

      ' Generate one keystream byte per input character and XOR it in
      For a = 1 To Len(plaintxt1)
         i = (i + 1) Mod 256
         j = (j + sbox(i)) Mod 256
         temp = sbox(i)
         sbox(i) = sbox(j)
         sbox(j) = temp
         k = sbox((sbox(i) + sbox(j)) Mod 256)

         cipherby = Asc(Mid(plaintxt1, a, 1)) Xor k
         cipher = cipher & Chr(cipherby)
      Next

      EnDeCrypt = cipher
      ' remove quotes and special character so the result can be embedded in a SQL literal
      EnDeCrypt = Replace(EnDeCrypt, "'", "''")
      EnDeCrypt = Replace(EnDeCrypt, Chr(0), Chr(1) & "DD")
   End Function


The EnDeCrypt function is being called from a SQL query within Access, thus creating a view:

IIf(Not IsNull([cardnumber]),EnDeCrypt([cardnumber],'THISISTHEAESKEY'),'') AS car


NOTE: We did consider using our product cart's plug-in so that we didn't have to worry at all about compliance, but so many of our customer orders are for highly customized products and always get changed so often that it is not worth even running a simple authorization.  My goal is to be able to query the encrypted card number and then de-encrypt it into a variable that I will pass to create the payment profile in, then store only the encrypted card number for a short period of time, then purge it, leaving only the first and last four of the card number and the expiration date.


FYI, we are using FileMaker 13 clients and servers and the most recent version of 360Works Plastic.  Any assistance you can provide is appreciated!
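The VB routines above are, as the procedure name RC4Initialize says, the RC4 stream cipher (a 256-entry S-box keyed by the repeated password, one keystream byte XORed per character), wrapped in two storage escapes: every Chr(0) in the output is stored as Chr(1) & "DD", and single quotes are doubled so the result can sit in a SQL literal. The Python below is an added, stand-alone reimplementation written for this thread; it is not code from the original post, Access, or 360Works Plastic. It assumes the Access text is single-byte (Latin-1), that the database stores the SQL-unescaped value (doubled quotes collapsed back to one), and it uses the placeholder password from the post. It also includes the masking step the post describes, keeping only the first and last four digits once the card number has been handed off.

```python
"""RC4 round trip matching the thread's VB EnDeCrypt routine (added example).

Assumptions (not from the original post):
  * VB Asc/Chr map one character to one byte, i.e. Latin-1.
  * The stored column holds the value after the SQL literal was parsed,
    so doubled quotes have already collapsed back to single quotes.
"""

NUL_ESCAPE = b"\x01DD"   # how the VB code stores a Chr(0) byte
PLACEHOLDER_PASSWORD = b"THISISTHEAESKEY"   # literal used in the thread's query


def rc4_crypt(data: bytes, key: bytes) -> bytes:
    """RC4 as RC4Initialize + the loop in EnDeCrypt: same call encrypts and decrypts."""
    if not key:
        # The VB version divides by zero in "a Mod intLength" for an empty password.
        raise ValueError("RC4 key must not be empty")

    # Key-scheduling algorithm: key(a) = password[a mod len], then permute S.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]

    # Pseudo-random generation: one keystream byte per input byte.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def endecrypt(value: bytes, password: bytes) -> bytes:
    """Mirror of the VB EnDeCrypt: unescape input, RC4, then re-apply the SQL escapes.

    Caveat carried over from the VB: if RC4 output ever contains the three
    bytes 0x01 'D' 'D' naturally, the unescape on the next call turns them
    into a single 0x00 and that record will not decrypt correctly.
    """
    restored = value.replace(NUL_ESCAPE, b"\x00")          # 'restore special character'
    raw = rc4_crypt(restored, password)
    return raw.replace(b"'", b"''").replace(b"\x00", NUL_ESCAPE)


def sql_literal_to_stored(escaped: bytes) -> bytes:
    """What the database ends up holding after the quoted SQL literal is parsed."""
    return escaped.replace(b"''", b"'")


def decrypt_stored_card(stored: bytes, password: bytes) -> str:
    """Decrypt one stored column value back to the card number as text."""
    return endecrypt(stored, password).decode("latin-1")


def mask_pan(pan: str) -> str:
    """Keep only the first and last four digits, as the post intends to retain."""
    if len(pan) < 9:
        raise ValueError("card number too short to mask")
    return pan[:4] + "*" * (len(pan) - 8) + pan[-4:]


def round_trip(pan: str, password: bytes) -> str:
    """Encrypt, simulate SQL storage, decrypt: returns the recovered card number."""
    ciphertext = endecrypt(pan.encode("latin-1"), password)
    stored = sql_literal_to_stored(ciphertext)
    return decrypt_stored_card(stored, password)


if __name__ == "__main__":
    test_pan = "4111111111111111"   # constructed test value, not a real card
    recovered = round_trip(test_pan, PLACEHOLDER_PASSWORD)
    print("recovered matches:", recovered == test_pan)
    print("retained form:", mask_pan(recovered))
```

The RC4 core can be checked against the published test vector (key "Key", plaintext "Plaintext" gives BBF316E8D940AF0AD3) before trusting it on real records; the only parts specific to this thread are the two escapes in endecrypt, which must be applied in the same places as the VB does or the round trip fails on any ciphertext containing a zero byte.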