A Secure String Class Compliant with PCI DSS

Abstract

Computer programs often work with a variety of sensitive data and class String is widely used in object-oriented programming languages for this purpose. However, saving sensitive data to a String object is not safe as it is not encrypted and may still be in the operating memory even after it is no longer needed. Due to non-deterministic behaviour of mechanism responsible for removing unused items from the memory, we cannot say with certainty when String with sensitive data will actually be removed. If an attacker gets either part of or even the entire memory image, then they can easily read these sensitive data. This paper discusses the options in object oriented languages that provide programmers with a way of storing the data in memory in an encrypted form. We present a pseudo code for a secure String class that is compliant with Data retention and Cryptography requirements of the PCI DSS standard.