IT Jobs
End-to-end encryption: The PCI security holy grail
How do you make it difficult to illicitly move and use your data? The answer is simple: encrypt it.
By Ben Rothke and David Mundhenk | CSO
Published: 15:49 GMT, 14 September 09
One of the fascinating things to do when in New York City is to visit the Federal Reserve gold vault. The vault lies 86 feet below sea level, resting on Manhattan bedrock, and holds approximately 5,000 metric tons of gold bullion. The Federal Reserve Bank does not own the gold but serves as guardian of the precious metal, which it protects at no charge as a gesture of goodwill to other nations.
Obviously, the security measures to protect hundreds of billions of dollars of gold are intense. But even if a thief were to breach the underground defences and avoid the marksmen, how would he get the gold out? Gold is dense, difficult to transport and heavy, with each bar weighing approximately 27 pounds. Combined with the impossible-to-negotiate downtown Manhattan traffic, those facts contribute to the vault being a safe and sound way to protect the gold.
The data stored within your IT infrastructure is also quite valuable. The challenge - how do you make your data like gold, so that it is difficult to illicitly move and use? The answer is, quite simply, encrypt it.
Getting to grips with PCI Security Standard | Visa warns of PCI security deadline | PCI DSS made easy
Data that is effectively encrypted is unusable to the party who recovers it if that party lacks the proper decryption key(s) and means to decrypt. Imagine if your case of of fifty 600-gigabyte backup tapes was lost in transit. If the tapes were encrypted, you would still want to find them. But if they were not encrypted, you need to call the lawyers and immediately initiate your incident plan.
Many of the data breaches of the past few years could have turned into non-incidents if the data had been encrypted. Most recently, web hosting firm Network Solutions warned over half a million cardholders that their transaction data may have been compromised. In a statement, the firm said it found unauthorised code on servers supporting some of its e-commerce merchant's web sites.
They noted that "after conducting an analysis with the assistance of outside experts, we determined that the unauthorized code may have been used to transfer data on certain transactions for approximately 4,343 of our more than 10,000 merchant web sites to servers outside the company." At no point do they indicate that encryption was used.
The PCI DSS and encryption
PCI DSS Requirement 3 details technical guidelines for protecting stored cardholder data and the requirements for encryption. The PCI DSS has perhaps been the biggest boon for encryption since the creation of PGP. Section 3 provides the high-level details around encryption. At a minimum, PCI requires the PAN (primary account number) to be rendered unreadable anywhere it is stored, including portable digital media, backup media and logs.
For merchant data, if it were all encrypted, then PCI DSS compliance would be much easier to accomplish. Note however, that even if an entity would encrypt all of its data, it would still be required to be PCI compliant if involved in the storing, processing, and/or transmission of cardholder information. The PCI Standards Security Council (PCI SSC) has been adamant and clear that the act of encrypting cardholder information does not render those systems and data involved as out-of-scope with respect to PCI compliance.
.gif)
Add your commentComments
Gregory | Published: 23:07 GMT, 17 September 2009
This is a timely piece, as the problem of how to manage increasing certificate and key volumes has reached a tipping point as enterprises wage a security battle to protect data. Organizations claim to have deployed less encryption lately—in spite of increasing executive pressure and mandates, high-profile breaches, regulations, and internal security policies. This while the analysts keep chiming in about the need for “holistic” and “centralized” approaches to EKS. What’s a boy to do?
Mark Bower | Published: 00:06 GMT, 15 September 2009
End to End Encryption can be successfully deployed in less than 60 days. We’ve proven this with large US payment processors and Tier 1 Merchants. E2E is not about big bang integration globally - it’s about solving the problem quickly where it needs to be solved - at retailers, processors, payment gateways, legacy systems, enterprise IT and in value added networks. Mark Bower Vice President, Product Management Voltage Security
Jim Andle | Published: 18:00 GMT, 14 September 2009
Really comprehensive article, and essential on the point of encryption's lack of ubiquity, which really needs to change. There's also a misconception about some cutting edge types of encryption, ie extended validation ssl, that consumers aren't educated enough for the implementation to increase safety or e-commerce conversions. But the solution there is to embrace and spread the technology far and wide. If we should take anything from this article it's that more things need to be encrypted.