Enterprise Encryption Meets Corporate Reality
Written by David Taylor. Columnist David Taylor is the Founder of the PCI Knowledge Base and former E-Commerce and Security analyst with Gartner.
What are the differences between “end-to-end” encryption and “old-fashioned” encryption, apart from marketing hype? There are tons, and many are worth the time it takes to understand and plan for these issues because they will affect both your compliance and your overall data security. This week, we’ll highlight three of these differences.
Last week, I noted that Visa’s new Data Field Encryption Best Practices (DFEBP) are designed to “complement, rather than substitute for PCI DSS.” Since then, I’ve had several discussions with folks who want to know how the implementation of an end-to-end encryption approach can be integrated with their million-dollar-plus investments in enterprise encryption and key management systems. The last thing anyone wants to hear is that they spent tons of money to meet PCI DSS requirements 3.4 and 3.6 (encryption and key management), only to be told that they wasted their money.
One fellow was especially upset about Visa’s reference to ANS X9.24 as the key management best practice, mainly because it’s so focused on encrypting PINs and is not meant to be a general-purpose key management system. Based on our research relative to encryption and key management, I suspect this concern will mushroom into a real battle unless technology vendors can make it clear how investments in enterprise key management systems will be preserved while still meeting ANS X9.24. These standards were, after all, designed for the financial services industry.
Anyone involved in PCI needs to do a little research on what they will have to do to reconcile their key management systems with the various options for end-to-end encryption. Everybody knows (or should know) that key management is ten times harder to make work than end-to-end encryption. So the next time people bring up end-to-end encryption, ask them to explain–in detail–how the proposed key management will work with their existing key management system. If you can’t get a sufficiently detailed answer, maybe it’s time to talk to somebody else.
One of the most important changes being driven by the end-to-end encryption juggernaut is the encryption of cards at the point of swipe. As long as we continue with existing magnetic stripe cards, encryption at the point of swipe greatly reduces the chances that data can be “sniffed” as it traverses internal networks on its way to an encryption server.
Given PricewaterhouseCoopers’ recent report to the PCI SSC on the potential role of Virtual Terminal systems in reducing PCI DSS scope by eliminating any local storage of card data (even if encrypted), I suspect we’re going to hear more about the pros and cons of smart (and more expensive) POS systems versus greater centralization of POS payment security through the use of virtual terminal systems.
The issues are, again, protecting investments at the POS and how to ensure that whatever you implement will afford both compliance and reasonable security while having the longest potential lifespan. Right now, I’m thinking that virtual terminal approaches have the edge. Why? Simply because the more regulations and standards (such as PA-DSS and PIN transaction security) that are focused on protecting locally captured and stored data, the faster the POS hardware and software will “age,” and the more it will cost to upgrade stores and ensure consistency of compliance over a typical two- to three-year POS upgrade cycle.