Enterprise Encryption Meets Corporate Reality

Written by David Taylor
October 15th, 2009

Columnist David Taylor is the Founder of the PCI Knowledge Base and former E-Commerce and Security analyst with Gartner.

What are the differences between “end-to-end” encryption and “old-fashioned” encryption, apart from marketing hype? There are tons, and many are worth the time it takes to understand and plan for these issues because they will affect both your compliance and your overall data security. This week, we’ll highlight three of these differences.

  • Visa’s New Best Practices Vs. Enterprise Key Management
    Last week, I noted that Visa’s new Data Field Encryption Best Practices (DFEBP) are designed to “complement, rather than substitute for PCI DSS.” Since then, I’ve had several discussions with folks who want to know how the implementation of an end-to-end encryption approach can be integrated with their million-dollar-plus investments in enterprise encryption and key management systems. The last thing anyone wants to hear is that they spent tons of money to meet PCI DSS 3.4 and 3.6 (encryption and key management), only to be told that they wasted their money.

    One fellow was especially upset about Visa’s reference to ANS X9.24 as the key management best practice, mainly because it’s so focused on encrypting PINs and is not meant to be a general-purpose key management standard. Based on our research on encryption and key management, I suspect this concern will mushroom into a real battle unless technology vendors can make it clear how investments in enterprise key management systems will be preserved while still meeting ANS X9.24. These standards were, after all, designed for the financial services industry.

    Anyone involved in PCI needs to do a little research on what they will have to do to reconcile their key management systems with the various options for end-to-end encryption. Everybody knows (or should know) that key management is ten times harder to make work than end-to-end encryption. So the next time people bring up end-to-end encryption, ask them to explain, in detail, how the proposed key management will work with their existing key management system. If you can’t get a sufficiently detailed answer, maybe it’s time to talk to somebody else.

  • Virtual Terminal Encryption Vs. POS Encryption
    One of the most important changes being driven by the end-to-end encryption juggernaut is the encryption of cards at the point of swipe. As long as we continue with existing magnetic stripe cards, encryption at the point of swipe greatly reduces the chances that data can be “sniffed” as it traverses internal networks on its way to an encryption server.

    Given PricewaterhouseCoopers’ recent report to the PCI SSC on the potential role of Virtual Terminal systems in reducing PCI DSS scope by eliminating any local storage of card data (even if encrypted), I suspect we’re going to hear more about the pros and cons of smart (and more expensive) POS systems versus greater centralization of POS payment security through the use of virtual terminal systems.

    The issues are, again, protecting investments at the POS and how to ensure that whatever you implement will afford both compliance and reasonable security while having the longest potential lifespan. Right now, I’m thinking that virtual terminal approaches have the edge. Why? Simply because the more regulations and standards (such as PA-DSS and PIN transaction security) that are focused on protecting locally captured and stored data, the faster the POS hardware and software will “age.” And the more it will cost to upgrade stores and ensure consistency of compliance over a typical two- to three-year POS upgrade cycle.
