
Re-encrypting Credit Card, Bank Account Numbers, Security Code Data, and Security Key

To replace a known or suspected compromised encryption key, regenerate the encryption key and convert existing credit card, bank account numbers, and Security Code data using the new key. Periodic key changes can be essential to your institution's encryption key management.

This section provides overviews of encryption and re-encryption and discusses:

PeopleSoft Campus Solutions encryption uses PeopleTools Pluggable Cryptography, which is an advanced security framework that provides a security model for applications to encrypt credit card data.

Pluggable Cryptography enables you to secure critical PeopleSoft data and communicate securely with other businesses. It enables you to extend and improve cryptographic support for your data in PeopleTools, giving you strong cryptography with the flexibility to change and grow, by incrementally acquiring stronger and more diverse algorithms for encrypting data. In PeopleTools, pluggable cryptography capability is provided by PeopleSoft pluggable encryption technology (PET).

By using the Tools Pluggable Cryptography for strong encryption/decryption, the system encrypts data using 3DES algorithms and 168-bit encryption keys.

To replace a known or suspected compromised key, regenerate the encryption key and convert existing credit card, bank account numbers, and Security Code data using the new key. Periodic key changes can be essential to your institution's encryption key management.

This section provides an overview of how to regenerate the encryption key and convert credit card, bank account numbers, and Security Code data using the new key.

When you change the encryption key at any time after the initial conversion, you must also re-encrypt all of your credit card, bank account numbers, and Security Code data using that key. Predefined encrypt and decrypt profiles are delivered for Campus Solutions re-encryption. These profiles specify multiple user-defined steps applying various algorithms and keys to the data in a specified order and supporting various encryption standards and third-party encryption libraries.

Use the following parameters for Campus Solutions re-encryption.

| Parameter | Value |
| --- | --- |
| Encrypt Profile ID | CS_CREDIT_CARD_ENCRYPT |
| Algorithm ID (encrypt) | 3des_ks168_cbc_encrypt |
| Keyset ID | CSCreditCard |
| Decrypt Profile ID | CS_CREDIT_CARD_DECRYPT |
| Algorithm ID (decrypt) | 3des_ks168_cbc_decrypt |

Note: You can create your own profiles or modify the delivered ones. However, we do not recommend it. If you do, you must be very careful to use the appropriate values for whatever you create or modify.

To change the credit card encryption key and re-encrypt the data, do the following:

  1. Navigate to the Generate Encryption Key page (select Set Up SACR, then select Common Definitions, then select Encryption, then select Generate Encryption Key).

  2. Click the Generate Random Key button to generate a new random hexadecimal encryption key.

    Clicking this button generates a new, random hexadecimal encryption key. You can modify this key. However, you must format it as a 24-byte string in hexadecimal notation. The first two characters must be 0x, and the remainder must be exactly 48 characters consisting of a combination of numeric digits and the lowercase letters a through f.

  3. Copy the regenerated encryption key.

  4. Navigate to the Algorithm page (select PeopleTools, then select Security, then select Encryption, then select Algorithm Keyset) for the encrypt algorithm ID and keyset ID (3des_ks168_cbc_encrypt and CSCreditCard).

  5. Paste the regenerated encryption key value in the Key Value field, replacing the previous value, and save the page.

  6. Navigate to the Convert Encryption page (select Set Up SACR, then select Common Definitions, then select Encryption, then select Convert Encryption).

  7. Confirm that the encrypt and decrypt profile IDs are correct, then click the Run button to start the conversion process.

    The Credit Card Conversion process converts each field in the grid. If the process fails for any reason, the process can be restarted in the standard way and the process picks up where it left off. If the process cannot be restarted, the process can be run from the beginning and it automatically bypasses fields that have already been processed.

    Warning! You must complete steps 1-7 to encrypt and run the conversion process prior to completing the next steps, which set up decryption.

  8. Navigate back to the Algorithm page (select PeopleTools, then select Security, then select Encryption, then select Algorithm Keyset) for the decrypt algorithm ID and keyset ID (3des_ks168_cbc_decrypt and CSCreditCard).

  9. Paste the regenerated encryption key value in the Key Value field, replacing the previous value, and save the page.

See the product documentation for PeopleTools: Security Administration.
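Step 2 allows the generated key to be edited by hand, so a value can be checked before it is pasted into the Key Value field in steps 5 and 9. The following is an added example, not part of the product documentation or PeopleTools: it checks the stated format (0x plus 48 lowercase hexadecimal characters) and goes beyond the page by checking that the three 8-byte DES subkeys are distinct once parity bits are ignored, so that the key really has 168-bit strength. The function names `check_key` and `new_key` are hypothetical.

```python
import re
import secrets

# Format stated in step 2: "0x" followed by exactly 48 characters from 0-9 and a-f.
KEY_RE = re.compile(r"0x[0-9a-f]{48}")

# The four DES weak keys, written with the parity bit of each byte cleared.
WEAK_DES = {bytes.fromhex(h) for h in (
    "0000000000000000", "fefefefefefefefe",
    "e0e0e0e0f0f0f0f0", "1e1e1e1e0e0e0e0e")}


def strip_parity(subkey: bytes) -> bytes:
    """DES ignores the lowest bit of every key byte, so compare without it."""
    return bytes(b & 0xFE for b in subkey)


def check_key(value: str) -> list[str]:
    """Return the problems found in a candidate key value (empty list = OK)."""
    if not KEY_RE.fullmatch(value):
        return ["format: need 0x plus exactly 48 lowercase hex characters"]
    raw = bytes.fromhex(value[2:])
    k1, k2, k3 = (strip_parity(raw[i:i + 8]) for i in (0, 8, 16))
    problems = []
    if k1 == k2 or k2 == k3:
        # Encrypt-decrypt-encrypt with equal neighbours cancels two of the stages.
        problems.append("subkeys: adjacent subkeys equal, 3DES degrades to single DES")
    elif k1 == k3:
        problems.append("subkeys: K1 equals K3, this is two-key 3DES, not 168-bit")
    if any(k in WEAK_DES for k in (k1, k2, k3)):
        problems.append("subkeys: contains a DES weak key")
    return problems


def new_key() -> str:
    """Generate a candidate in the page's format from the OS random source."""
    while True:
        value = "0x" + secrets.token_hex(24)  # 24 bytes -> 48 lowercase hex chars
        if not check_key(value):
            return value
```

Run the check on the exact string that will be pasted, and keep the key value out of shell history, tickets and logs.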

| Page Name | Definition Name | Navigation | Usage |
| --- | --- | --- | --- |
| Generate Encryption Key | SSF_CC_ENCRYPT_KEY | select Set Up SACR, then select Common Definitions, then select Encryption, then select Generate Encryption Key | Use this utility to change the key used to encrypt credit card, bank account numbers, Security Code data, and Security Key. Note: When you change the key, you must also run the conversion utility to re-encrypt credit card numbers using the new encryption key. Never change the key without also running the conversion. |
| Convert Encryption | SSF_CC_RUN_CNVRT | select Set Up SACR, then select Common Definitions, then select Encryption, then select Convert Encryption | Perform conversion of credit card numbers to use a regenerated credit card encryption key. |
| Algorithm Keyset | CRYPT_KEYSET | select PeopleTools, then select Security, then select Encryption, then select Algorithm Keyset | Copy the regenerated key to the key value field on this page for the encrypt profile prior to running the conversion process. After running the conversion process, copy the regenerated key to the key value field on this page for the decrypt profile. |
| Process Scheduler | PRCSRQSTDLG | Click the Run button on the Convert Encryption page. | Run the SSF_CC_CNVRT conversion process to convert existing credit card data using the regenerated credit card encryption key. |

Access the Generate Encryption Key page (select Set Up SACR, then select Common Definitions, then select Encryption, then select Generate Encryption Key).

Image: Generate Encryption Key page

This example illustrates the fields and controls on the Generate Encryption Key page. You can find definitions for the fields and controls later on this page.


| Field or Control | Definition |
| --- | --- |
| Generate Random Key | Click to have the system generate a random key in the format needed by the encryption algorithms used for credit card encryption and decryption profiles. |

Access the Convert Encryption page (select Set Up SACR, then select Common Definitions, then select Encryption, then select Convert Encryption).

Image: Convert Encryption page

This example illustrates the fields and controls on the Convert Encryption page. You can find definitions for the fields and controls later on this page.


Field or Control

Definition

Decryption Profile ID and Encryption Profile ID

Default profile IDs are set on the SF Installation 2 page (select Set Up SACR, then select Install, then select Student Fin Installation, then select SF Installation 2).

The PeopleTools Pluggable Cryptography framework provides the delivered profiles TRIPLE DES ENC B64 and TRIPLE DES DEC B64.

PeopleSoft Campus Solutions has enhanced the PeopleTools profiles specifically for Campus Solutions re-encryption. The predefined, enhanced profiles delivered for Campus Solutions are CS_CREDIT_CARD_DECRYPT and CS_CREDIT_CARD_ENCRYPT.

Profiles specify multiple user-defined steps applying various algorithms and keys to the data in a specified order and supporting various encryption standards and third-party encryption libraries.

The decrypt profile must be the same profile, with the same keys, that was used to encrypt the data as it currently exists. The encryption profile must contain the new keys and algorithm to which you are converting. Therefore, when using the delivered CS profiles, you must change the key value on the Algorithm Keyset page for the encrypt profile and associated algorithm before running the conversion process. After running the conversion, you must modify the decrypt profile to include the new key.

Crypt Action

Decrypt, then Encrypt is the action set to occur when you run the Credit Card Conversion process. The process first decrypts the credit card, account numbers, and Security Code data using the old algorithm and keys, and then encrypts it with the new algorithm and keys.