TDE for PCI DSS

Is it PCI compliant to encrypt the DB with the sensitive data using TDE (with external EKM)?

We were planning to implement the encryption using TDE and somebody today told me that for PCI the encryption has to be done with an external tool so that the DBA can't see clear PAN (Card holder) data.

Is this true?

November 2nd, 2011 8:15pm

Hi,

Hopefully this should help. http://parentebeard.com/wp-content/uploads/2011/09/Payment-Card-Industry-Whitepaper.pdf

This is referenced by Microsoft from the following security and compliance site http://www.microsoft.com/sqlserver/en/us/solutions-technologies/mission-critical-operations/security-and-compliance.aspx

 

November 2nd, 2011 8:42pm

Is there a way, using TDE with EKM, not to allow the DBA to read the sensitive data?
November 2nd, 2011 9:42pm

I think you'd have to look at cell/row level encryption for that, and that would require some application changes (probably)
November 3rd, 2011 8:33am
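
Added example, not part of the original thread: a T-SQL sketch of the cell-level encryption suggested in the reply above, showing that a plain SELECT returns only ciphertext until the key is opened. The database, table and key names, the password and the test card number are all constructed for illustration, and the password is assumed to be supplied by the application rather than stored in the database.

```sql
-- Constructed demo objects: PanDemo, dbo.Cards, PanKey (none come from the thread).
CREATE DATABASE PanDemo;
GO
USE PanDemo;
GO
CREATE TABLE dbo.Cards (
    CardId  int IDENTITY PRIMARY KEY,
    PanEnc  varbinary(256) NOT NULL   -- ciphertext produced by ENCRYPTBYKEY
);
GO

-- Symmetric key protected by a password only. Assumption: the application
-- holds this password; it is not kept in any stored procedure or table.
CREATE SYMMETRIC KEY PanKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY PASSWORD = 'Constructed-Demo-Passw0rd!';
GO

-- Application path: open the key, encrypt the value, close the key.
OPEN SYMMETRIC KEY PanKey DECRYPTION BY PASSWORD = 'Constructed-Demo-Passw0rd!';
INSERT INTO dbo.Cards (PanEnc)
VALUES (ENCRYPTBYKEY(KEY_GUID('PanKey'), CONVERT(varchar(19), '4111111111111111'))); -- constructed test PAN
CLOSE SYMMETRIC KEY PanKey;
GO

-- Session that has not opened the key: DECRYPTBYKEY returns NULL,
-- and PanEnc is readable only as ciphertext.
SELECT CardId, PanEnc, CONVERT(varchar(19), DECRYPTBYKEY(PanEnc)) AS Pan
FROM dbo.Cards;
GO

-- Session that opens the key with the password: Pan is returned in clear text.
OPEN SYMMETRIC KEY PanKey DECRYPTION BY PASSWORD = 'Constructed-Demo-Passw0rd!';
SELECT CardId, CONVERT(varchar(19), DECRYPTBYKEY(PanEnc)) AS Pan
FROM dbo.Cards;
CLOSE SYMMETRIC KEY PanKey;
GO
```

With TDE alone the same SELECT would return the stored value to any login allowed to read the table, because TDE encrypts the data files and decrypts pages transparently for queries. The cell-level approach only keeps the value from a DBA for as long as the DBA cannot obtain the password (or the EKM-held key, if one protects PanKey instead).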

Dear all,

I'm working on a PCI-DSS project. At the moment, we use IBM-Guardium to mask the card number in SQL, showing only the first 6 and last 4 digits. PCI-DSS recommends not using SELECT LEFT, RIGHT to see the clear text (full PAN).

March 20th, 2015 1:29am

This topic is archived. No further replies will be accepted.
