By Tim Cranny
Panoptic Security Inc.
Encryption is an important issue for compliance with Payment Card Industry (PCI) data, device and application security requirements. And like tokenization, which I discussed in "What tokenization is and isn't," The Green Sheet, May 9, 2011, issue 11:05:01, it is a confusing topic for many people.
In addition, vendor hype can make it difficult for nontechnical people to separate fact from fiction. To make the picture clearer for ISOs, merchant level salespeople (MLSs), processors and their merchant customers, this article will delve into what encryption is and what it is not, and explore how it helps with PCI compliance.
To begin, encryption has been around in various forms for several thousand years and will still be used long after PCI is forgotten. It isn't a single technology or tool, but a whole family of solutions. Together, they form a key building block of the Internet and all forms of e-commerce. This contrasts with tokenization, which solves only one specific problem inside e-commerce.
Encryption consists of scrambling a message or piece of data so that it cannot be read. That wouldn't be very useful if the process were one-way - if it were, say, the electronic version of a paper shredder. But encryption involves doing the scrambling in such a way that it can be unscrambled by anyone who holds one secret piece of information: the key.
Encrypting data is a little like putting a private letter in a high-security safe: even if burglars steal the safe, they can't get to the information in the letter in order to read it. Similarly, if hackers steal a database containing millions of credit card numbers, no real harm is done if that data is encrypted and the hackers cannot decrypt it.
Following are basic principles regarding encryption. First, remember that encryption isn't a silver bullet. Although an invaluable tool in lots of different areas, encryption does not solve many security issues. Getting encryption right is an important part of addressing security - but only a part.
Second, encryption protects data only while it is actually encrypted. This sounds obvious, but it often gets forgotten. This means, for example, that if you rely on a wireless encryption scheme like Wi-Fi Protected Access 2 (WPA2), credit card data sent over the wireless link is protected only while it's traveling on the wireless leg of its journey.
If that sensitive data has to go across the country or across the world to reach the processor or gateway, wireless encryption protects only the first 50 feet of that journey.
Similarly, every time sensitive data is decrypted for use, it becomes vulnerable. This scenario is inevitable because the proper, intended recipient of the data can't work with the scrambled version.
That is why everyone should be diligent in checking the claims of companies that offer end-to-end encryption. Too often, the solution is not genuinely end to end, and the traffic is broken out at several points along the path, introducing vulnerability at each point.
Third, some good news: in almost all cases with encryption tools, you don't have to look far to find an excellent solution. In fact, most standard plug-and-play versions are better than the new, unusual solutions. So don't be fooled into looking for novelty or the latest and greatest breakthrough.
The boring solutions out there are incredibly strong and resistant to attack if used correctly. It's hard to get precise figures, but probably 99 percent of attacks on encryption either fail or only succeed because the encryption was set up incorrectly in the first place.
It's as if the world provides you with an almost-free, super-high-quality safe in which to store your confidential paperwork; the most likely source of problems is you - if you forget to lock the papers away or if you leave the key in plain sight on top of the safe.
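The two points above, that the right key unlocks the data while the wrong key (or tampered data) yields nothing, and that the standard, "boring" construction is strong while a careless setup of the very same cipher leaks information, can be seen in a few lines of Go. This is an added example, not code from the article or from Panoptic Security; it uses only Go's standard library, and the card number and record it encrypts are constructed sample values. AES-256-GCM stands in for the plug-and-play solution; the raw block-by-block (ECB) use of the same AES primitive stands in for "set up incorrectly":

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newKey returns a fresh random 32-byte key (AES-256). In a real deployment the
// key lives in a key-management system, never beside the data it protects.
func newKey() []byte {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err) // a failing OS random source is not recoverable here
	}
	return key
}

// seal encrypts plaintext with AES-256-GCM. Output layout: 12-byte random nonce,
// then ciphertext, then the 16-byte authentication tag appended by Seal.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal. It fails unless the key matches AND the bytes are untouched,
// so whoever holds the ciphertext without the key gets an error, not a card number.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// ecbEncrypt is the "set up incorrectly" case: the same strong AES primitive,
// applied block by block with no nonce and no tag. Kept only to show the leak.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, errors.New("plaintext must be a whole number of blocks")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// ecbLeaksRepeats encrypts the same 16-byte sample card number twice in a row and
// reports whether the two ciphertext blocks are identical. With ECB they always
// are, so "these two records hold the same card" is visible without any key.
func ecbLeaksRepeats(key []byte) bool {
	pan := []byte("4111111111111111") // constructed sample PAN, exactly one AES block
	ct, err := ecbEncrypt(key, bytes.Repeat(pan, 2))
	if err != nil {
		return false
	}
	return bytes.Equal(ct[:16], ct[16:])
}

func main() {
	key, other := newKey(), newKey()
	record := []byte("PAN=4111111111111111;EXP=1225") // constructed sample record
	sealed, _ := seal(key, record)
	fmt.Printf("stored bytes: %x\n", sealed)
	if _, err := open(other, sealed); err != nil {
		fmt.Println("wrong key:", err)
	}
	back, _ := open(key, sealed)
	fmt.Println("right key:", string(back))
	fmt.Println("raw ECB leaks repeated blocks:", ecbLeaksRepeats(key))
}
```

Two things are worth noticing when running it. First, every call to seal produces different bytes for the same record because the nonce is random, and flipping a single stored byte makes open refuse to return anything; that is the "boring" solution doing its job. Second, ecbEncrypt uses exactly the same AES key and primitive, yet identical card numbers produce identical ciphertext blocks, which is the kind of setup mistake the article attributes most successful attacks to.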
There are various ways encryption comes into play in PCI. Encryption of data falls into two modes: encryption of data at rest, for example when the data is sitting in a file or database, and encryption of data in transit, when it is moving across a network.
Regarding PCI and encryption of data at rest, adhere to the following main requirements:
One particular example that deserves attention is the storage of sensitive data on removable media such as thumb drives. Too often, people forget to encrypt this data, concentrating only on the obvious storage places, such as databases.
So it is critical that keys be protected like valuable assets. This situation is no different from losing your house keys to burglars: no matter how expensive the locks on your doors, they open when someone uses the right key.
Regarding PCI compliance and encryption of data in transit, respect these primary requirements:
The more sensitive the communications, the more important encryption becomes. For instance, traffic used to control a system (such as administrative access to a computer) is more important and more sensitive than just normal system access. So it's particularly important that communications controlling systems be encrypted.
These rules should help clear the techno-babble haze surrounding encryption. Following them means merchants, ISOs, MLSs and others can enjoy the many benefits of this technology while doing relatively little work. And that's a good deal for everyone.
Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at tim.cranny@panopticsecurity.com or 801-599-3454.