The Payment Card Industry Data Security Standard (PCI DSS) has undoubtedly made a significant improvement to the security of cardholder account numbers and other sensitive information within the payment card infrastructure. The standard lays out a strong set of requirements that merchants, acquirers and processors must follow.
However, complying with PCI DSS should not be considered a silver bullet for protecting information and battling fraud. Consider that many of the companies victimized by data breaches in the past several years were, in fact, found to be PCI-compliant prior to the breach.
As fraudsters become more sophisticated and develop tactics for identifying and exploiting a given system’s vulnerabilities, it is important that organizations across all industries realize that comprehensive data protection requires technologies and processes that extend beyond the basic requirements outlined by PCI DSS.
Specific reference to the use of encryption is increasingly found in privacy mandates and industry best practices that attempt to go beyond the traditional focus on “people and processes.” Furthermore, encryption is often favored by regulators and policy makers because of the black-and-white nature of the technology. Data is either encrypted or it is not, which in theory means it is either secure or not — a very measurable parameter that is well received by auditors and regulators.
While PCI DSS mandates data encryption at various points in the payments cycle, it does not explicitly prescribe end-to-end encryption — the most sophisticated and successful approach for protecting sensitive cardholder data and other information. Only by implementing end-to-end data protection throughout the entire payment ecosystem can the industry actually achieve the needed security for sensitive data. An example of this is how PIN data is protected in today’s environment — from the point of entry all the way to the Issuer.
Substantiating this approach, Visa recently issued its global industry best practices for data field encryption, also known as “end-to-end encryption.” Included in Visa’s best practices is guidance to use robust key management solutions and encryption consistent with international and regional standards. This includes the management of encryption/decryption keys within Secure Cryptographic Devices such as PIN Entry Devices (PEDs) or Hardware Security Modules (HSMs).
However, despite the growing recognition of the benefits of encryption, there remains a general lack of understanding about deploying and, more importantly, managing the process.
The Key to Simplified Encryption
IT and security administrators often consider encryption to be a costly, time-consuming endeavor that requires a great deal of day-to-day management and slows down other processes. However, these concerns have been addressed as enhanced encryption technologies have come to market.
The true challenge that companies face when it comes to deploying and managing the encryption process is controlling the keys — the secret values that have the power to unlock data.
As more and more organizations consider implementing end-to-end encryption, they must be able to manage an increasing number of encryption keys. This is crucial not only to prevent keys from being lost or stolen, but also for important operational reasons like on-demand recovery of encrypted data, automated updates and compliance reporting.
Once encrypted, information only becomes readable if the encryption key is available to unlock it. Consequently, the key becomes as valuable as the data it is protecting. This situation can be likened to the security of a home: Locking the house significantly increases the security of its contents, but if the key is left under the doormat, then the level of security is compromised.
In the same way, while end-to-end encryption is an effective approach to safeguarding sensitive data, encryption keys need to be stored and managed effectively in order to ensure that information remains secure.
An additional component of effective encryption key management is implementing a mechanism for securing the keys themselves. Usurping an encryption key is far easier than cracking the encryption, so this is where much criminal activity is focused. With encryption effectively impossible to break, the key management system becomes a natural target for attack. Consequently, deploying end-to-end encryption also requires that security officers establish a method for keeping the keys protected at all times.
While it may appear that key management creates a tremendous burden for organizations considering end-to-end encryption, there are technology solutions and best practices that companies can implement to simplify the key management process.
Good Key Management
To simplify and secure the key management process, techniques to provide enhanced physical and logical security in hardware have become well established. It is worth noting that keys stored using software are subject to attack by Trojans, other forms of spyware, or even malicious use of debugging and system-maintenance tools.
To that end, many companies that deploy end-to-end encryption use hardware security modules (HSMs) to properly store, manage and secure keys. This fundamental approach is reinforced in Visa’s best practices for data field encryption. What’s more, security certifications such as the Federal Information Processing Standard (FIPS) and Common Criteria have helped organizations evaluate the design of these devices to ensure that they are implementing the most robust protection technologies available.
One of the issues when dealing with key management is that in many cases the different security solutions implemented in an organization have their own system and methodology for managing keys. As a result, security administrators are faced with the challenge of having to manage keys in different systems without a common process or framework.
However, several initiatives under way aim to provide standards that can help in the development of common methods for exchanging and managing keys between systems. These include key management standards such as IEEE 1619.3 and the OASIS Key Management Interoperability Protocol (KMIP). As these standards find their way into general adoption, the situation for centralized and uniform key management will improve, allowing security administrators to bring all key management under a unified umbrella.
Measures such as these will help enable organizations to implement cohesive key management strategies moving forward. Once a well-thought-out approach to key management is established, effective security policies, reporting practices and, ultimately, a stronger sense of control over data will follow.
Encrypting sensitive data throughout the payment cycle is among the most robust strategies for ensuring the continuous protection of systems, but organizations must understand their own specific security risks and proactively deploy appropriate security measures, such as end-to-end encryption.
Maintaining a security infrastructure that incorporates ongoing compliance with PCI DSS at its foundation remains a baseline of defense against potential data breaches, but organizations often face challenges when trying to properly implement and maintain encryption and the keys that unlock the information.
By thoroughly analyzing available key management technologies and standards, IT managers can identify the most appropriate solutions for their environments that will cost-effectively simplify the end-to-end encryption process.
These approaches will not only help all parties in the payments ecosystem meet and surpass PCI DSS requirements, but also ensure the long-term protection of sensitive information, and help eliminate the lasting negative consequences of a security breach.
Paul Meadowcroft is head of transaction security, information systems security, at Thales, a provider of encryption and key management solutions.