"General Web security best practices suggest that sensitive information, such as credit card numbers, must never...
be stored in cookies (or URLs for that matter). This type of data should be restricted to the POST BODY of the request and nowhere else. A primary reason is -- as the question alludes to -- the storage of the data in an uncontrolled manner on the user's system. As far as cookies are concerned, should any part of the Web site not be served up over SSL, then the credit card information would automatically pass over the wire in the clear."
"One possible solution would be to encrypt the data in the cookie, though not the recommended course of action and PCI has explicitly spelled out this nuance. It would be much better to be in line with industry best practices (and also PCI DSS) to simply remove the data from the cookie entirely and instead passing the data over POST. Another option would be to maintain a user session using cookies, and utilize a database for credit card number lookups."
That seems pretty clear; the application needs to be changed to avoid storing the customer's credit card number in the cookie. It may be a little inconvenient and require a bit more work, but that can be weighed against the cost of notifying customers of a data breach or the loss of business because you've violated customers' trust.
For more information:
Dig Deeper on PCI Data Security Standard
Related Q&A from Mike Rothman
Pirated software is still a major concern nowadays. Uncover how to prevent software piracy and protect your organization's intellectual property. Continue Reading
While liaison officer responsibilities vary depending on the company they work for, their strong organizational and communications skills make them ... Continue Reading
The CISSP certification can be a challenge to obtain. Mike Rothman unveils how to get on the right education and career tracks in order to get CISSP ... Continue Reading