问题
We are going to get a Payment Gateway developed from a 3rd party and require this payment gateway to be PA-DSS and the environment to be PCI-DSS compliant. Payment Gateway will be encrypting sensitive information like (passwords, pins, credit and debit card information) and will save it into database. We require that the Key to encrypt and decrypt this information must be changed on regular basis (say quarterly). The requirement is also not to hard code this key into the code.
What would be the best way to keep this key secure and changeable ?
来源:https://stackoverflow.com/questions/60861287/information-security-encryption-decryption-key-management-pcidss-padss-com