Securing individual DB fields

Question

My application needs to store bank details and credit card numbers in a database. We support several DB variants and we try to avoid wherever possible any DB specific features that may not port easily to another.

Therefore I'm looking for a simple yet reasonably secure way of encrypting certain fields such as the card number and bank account number. The application needs those in order to submit requests to external payment systems but a casual select * of the relevant DB tables should return "junk" so someone can't run off with several thousand credit card numbers.

Only our application need know the encryption system, this information does not need to be shared transmitted in (this) encrypted form to any other system.

Does anyone have any suggestions for a simple yet secure way of doing this?

I found the following question/answer which looked useful and comprehensive but I was struggling to figure out if I needed all those fields.

I also found this article which seemed to be implying the IV should be generated randomly each time a record is inserted/updated and stored alongside the encrypted value. If secure this seems more straightforward then the approach suggested in the SO question but I'm having trouble reconciling how to this with the Java APIs.

Any suggestions appreciated. (I'm using Java 6)

Answer 1

Java comes std with some encrypt/decrypt libs, you can investigate them starting at http://download.oracle.com/javase/6/docs/technotes/guides/security/index.html, in particular look at the JCE (now extension of JCA) information.

This SO question is also very similar and contains lots of useful advice: https://stackoverflow.com/questions/4319496/how-to-encrypt-and-decrypt-data-in-java

Answer 2

PCI Security Standards could be referenced. There are many regulations about sensitive card data in card industry.