John Conde - 2020-06-19 14:17:37 -
In reply to message 1 from Tofser
Great question!
In an ideal world, everyone would have the resources to have an environment that is PCI compliant. Not because storing encryption IVs falls under PCI scope, but because these environments are designed for the ultimate data security. These environments, and their data stores, are restricted to users and services that require access (which should be no more than a handful at best) and are, by design, difficult to access (e.g. breach) due to these restrictions. They are also physically separate from the non-PCI environment. So if the primary environment is compromised, additional work is required to compromise the secondary environment.
The IV is then correlated back to the record it belongs to via a lookup table or another field in the record that contains encrypted data.
Since most of us do not have access to a PCI environment, we have to resort to alternative measures. The most common solution I have seen is to append the IV to the encrypted data when storing it. To an outside observer it just looks like one piece of data. This is effective only as long as the code is not compromised as well.