Encryption of UserFiles?

Our client must conform to PCI-DSS rules. They also work with credit card PANs in their SQL statements. A PAN cannot be stored anywhere on the system in native form. If they execute an SQL statement with a PAN as a variable, TOAD stores the statement in the SQL history and thus they violate PCI-DSS rules…

Is there a possibility in the TOAD to encrypt those stored sentences through TOAD rather than encrypt the UserFiles directory on the system level?

Thanks guys!!

As the expression goes - “anything is possible”. Of course there will be a tradeoff - most notably speed and the ability to easily recover SQL Recall data but it is possible.

You should add it to the Idea Pond - www.toadworld.com/…/i

From: tomaz [mailto:bounce-tomaz@toadworld.com]

Sent: Monday, July 11, 2016 6:58 AM

To: toadoracle@toadworld.com

Subject: [Toad for Oracle - Discussion Forum] Encryption of UserFIles?

Encryption of UserFIles?

Thread created by tomaz


So, does it mean that the encryption is not an inside TOAD option?

Currently, no, it is not an option.

Thanx!

It’s easy enough to encrypt a folder at the system level. Why not just do that? Scattering encryption code throughout Toad everywhere we write to User Files would surely lead to both errors and performance problems. The errors could be sorted out in time, the performance issues not so much.

I added the idea to the Idea Pond, but would need a faster response.

The problem is compliance with the PCI-DSS standard, which requires that at no point in time unencrypted PAN be stored on any media. The SaveSQL.dat file stores SQL statements in native form, thus violating the PCI-DSS standard. Since the company supports many credit and charge cards for several banks, SQL statements containing PANs are quite commonly used by data analysts.

Setting the save SQL parameter to 0 still stores the last SQL statement in the SaveSQL.dat file. My suggestion is that the parameter 0 should really mean that no SQL is stored (I think this is a bug) or, better, that the SaveSQL.dat file should be encrypted.

For this reason, the company is already looking for a different product.

Setting the value to 0 eliminates the ability of Toad to automatically save the SQL statements (Recently Used or History, depending on the version), but adding SQL to Personal/Named or Saved (depending on the version) is no different than doing a File -> Save, except that the location of the storage is centralized. How are files with PAN in them handled? Can a user save a file to their hard drive/thumb drive/network share/puffy cloud? If they can, then this process is no different and can best be handled by policy enforcement/education vs. trying to have a code change made.

Also, as Michael stated, adding encryption all over the product is ineffective and costly as far as processing goes. A far better solution would be to encrypt the User Files folder where the information is stored.

Greg

From: tomaz [mailto:bounce-tomaz@toadworld.com]

Sent: Wednesday, September 07, 2016 11:17 AM

To: toadoracle@toadworld.com

Subject: RE: [Toad for Oracle - Discussion Forum] Encryption of UserFIles?

RE: Encryption of UserFIles?

Reply by tomaz


I see in older Toad’s that 0 did not mean 0. This is fixed in newer versions. I tested in 12.9 and setting statements to 0 does in fact disable automatic SQL Recall.

Thank you. As Michael Staszewski wrote in his email (copy/paste of it below), he tested it in 12.9. We tested it in 12.6. We will install 12.9 and test it again.

I will come back to you with the results.

Best regards,

Tomaž

I see in older Toad's that 0 did not mean 0. This is fixed in newer versions. I tested in 12.9 and setting statements to 0 does in fact disable automatic SQL Recall.

------ Original Message ------

From: "Gregory Liss" bounce-GTDG@toadworld.com

To: toadoracle@toadworld.com

Sent: 7. 09. 2016 17:41:01

Subject: RE: [Toad for Oracle - Discussion Forum] Encryption of UserFIles?

RE: Encryption of UserFIles?

Reply by Gregory Liss

We tested it in 12.9 and the file is really empty. I will suggest to encrypt this file or folder.

THANKS guys!!!
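A check a defender can run to confirm the outcome reported above (that no PAN survives in the saved-SQL files), added here as an example and not code from the thread or from Toad: it scans a folder such as Toad's User Files for Luhn-valid 13 to 19 digit runs and reports only masked values. The SAMPLE text and all function names are constructed assumptions; the real SaveSQL.dat layout is not known to this example, so files are treated as plain text.

```python
import re
from pathlib import Path

# Candidate PAN: 13-19 digits, optional single space/dash separators, not part of a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample shaped like saved SQL: two industry test PANs plus one value that fails Luhn.
SAMPLE = (
    "select * from cards where pan = '4111111111111111';\n"
    "select * from cards where pan = '5555 5555 5555 4444';\n"
    "select * from cards where pan = '4111111111111112';\n"
)

def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check, which every PAN must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep only the first six and last four digits for the report."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str) -> list[tuple[int, str]]:
    """Return (offset, masked PAN) for each Luhn-valid candidate in text."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append((m.start(), mask(digits)))
    return hits

def decode_any(raw: bytes) -> str:
    """Best-effort text view of a file that may be UTF-8 or BOM-marked UTF-16."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16", errors="ignore")
    return raw.decode("utf-8", errors="ignore")

def scan_folder(folder: Path) -> dict[str, list[tuple[int, str]]]:
    """Scan every file under folder (e.g. Toad's User Files); report masked hits per file."""
    report = {}
    for path in (p for p in folder.rglob("*") if p.is_file()):
        hits = find_pans(decode_any(path.read_bytes()))
        if hits:
            report[str(path)] = hits
    return report
```

An empty report after setting the save SQL parameter to 0 corroborates the "file is really empty" observation; a non-empty one shows which file still needs folder-level encryption or cleanup.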