PCI Council Offers Guidance On Point-To-Point Encryption

Published: 22/11/2024   Category: security




Retail standards organization helps clarify where and when to encrypt credit card data



Confused about the encryption requirements under the Payment Card Industry compliance guidelines? You're not alone. But earlier this week, the PCI Security Standards Council issued some guidance that could help.
In a new document, Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance (PDF), the standards group offers guidance on what organizations should look for when acquiring and purchasing encryption technology to protect cardholder data as it is authorized and transported into a database.
Among other things, the new guidance helps clarify the concept of end-to-end encryption, giving it the new moniker of point-to-point encryption (P2Pe).
"The first thing you immediately notice when you begin to look at these things is that there's really no standard for any of this stuff," says Bob Russo, general manager of the PCI Council. "You've got many [vendors] out there extolling the virtues of their end-to-end encryption solutions, and you've got lots of confusion from merchants saying, 'Well, if I do this, then I'm OK, right?' In an effort to straighten this stuff out, we're looking to see if we can redefine that cardholder data environment and make this more meaningful for everyone out there."
During the past several years, some vendors have pitched end-to-end encryption as a way to eliminate the need to encrypt or tokenize database data for the purpose of PCI compliance. But as thinking on the subject has matured, experts say, the question of how to encrypt data under PCI has become more complex.
"If you look at it from the database standpoint, there's a couple of ways that you address encryption of sensitive data -- but a lot of that works if you're only, say, a Microsoft shop," says Gary Palgon, vice president of product management for nuBridges. "The realization is that most organizations are heterogeneous, and data has to come in and out of databases. So if I was sending data over a secure channel to a database, the pipe is secure -- and I'm encrypting once it is in the database."
Securing all of those pipes can be costly and complex. P2Pe offers another alternative.
"This gives an option here -- applying the point-to-point says maybe a better method is encrypting it at the endpoint and then being able to suck it in and put it into the database already encrypted," Palgon says. "The industry is figuring out what works, but there are many instances where you want to encrypt the whole database, or certain columns in the database. And there are other examples where you want to encrypt before it even gets to the database." Palgon says some companies are adopting a model in which P2Pe handles the preauthorization encryption of data as it flies around the network -- and then tokenization is used to transform cardholder data into an unrecognizable form in the database, enabling it to be safely used postauthorization.
"It's important to recognize that when you swipe a card, you want to encrypt as soon as possible -- and then the encrypted data needs to be there to be used for the purposes of authorization," Palgon says. "For any processes postauthorization, that's where tokenization does a great job -- for things like a return system, or loss and fraud detection, or sales and marketing. I can reduce a whole lot of scope up front in my preauth by following P2Pe and can reduce a lot of scope postauthorization using tokenization."
Previously, some observers believed PCI would require a choice between P2Pe and tokenization, but the new guidance dispels that myth.
"[Before,] it was an either-or," Palgon says. "People kept saying, 'Which one is going to win out? Which one is the silver bullet?' What's happened over the past 12 months is a realization that it's really a situation of both working together."
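To make the "both working together" model concrete, here is an added example (not code from the article, the PCI Council, or nuBridges) that walks one card swipe through the preauthorization and postauthorization halves Palgon describes. Its stand-ins are assumptions: an HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag takes the place of the AES-GCM a real P2PE terminal would use, a single shared `terminal_key` takes the place of a real key-management scheme, and an in-memory dictionary serves as the token vault. The function and class names are invented for the illustration.

```python
"""Added example: P2PE before authorization, tokenization after. The cipher, the
single shared terminal key and the in-memory vault are stand-ins (assumptions),
not the article's or any vendor's implementation."""
import hashlib
import hmac
import json
import secrets


def _derive(master: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys from one terminal key (assumed key hierarchy)
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream: PRF(key, nonce || counter), truncated to the needed length
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def terminal_encrypt(pan: str, terminal_key: bytes) -> dict:
    """Runs inside the payment terminal at swipe time: the PAN leaves the device only
    as an authenticated ciphertext, so the merchant network and POS never see it."""
    enc_key, mac_key = _derive(terminal_key, b"enc"), _derive(terminal_key, b"mac")
    nonce = secrets.token_bytes(12)  # fresh per transaction; reuse would leak the keystream
    plaintext = pan.encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def processor_decrypt(blob: dict, terminal_key: bytes) -> str:
    """Runs only in the decryption environment (the processor), the other 'point'."""
    enc_key, mac_key = _derive(terminal_key, b"enc"), _derive(terminal_key, b"mac")
    nonce, ciphertext = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    # Verify before decrypting; constant-time compare avoids a timing side channel
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("tag mismatch: blob altered in transit or wrong terminal key")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))).decode()


class TokenVault:
    """Postauthorization: the processor swaps the PAN for a random token the merchant
    can store for returns, fraud analysis and reporting. Only the last four digits are
    kept for receipts; the rest is random, so the token cannot be reversed without
    the vault."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._token_by_pan:  # same card, same token, so merchant analytics still work
            return self._token_by_pan[pan]
        while True:
            token = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4)) + pan[-4:]
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def run_transaction(pan: str, terminal_key: bytes, vault: TokenVault) -> dict:
    """End-to-end walk through the model: P2PE before authorization, tokens after."""
    blob = terminal_encrypt(pan, terminal_key)              # 1. swipe: encrypt immediately
    merchant_sees_pan = pan in json.dumps(blob)             # 2. merchant forwards an opaque blob
    authorized_pan = processor_decrypt(blob, terminal_key)  # 3. processor decrypts to authorize
    token = vault.tokenize(authorized_pan)                  # 4. processor hands back a token
    return {"merchant_sees_pan": merchant_sees_pan, "authorized_pan": authorized_pan,
            "merchant_stores": token}


if __name__ == "__main__":
    # Constructed sample input: a well-known test PAN and a fixed demo key
    print(run_transaction("4111111111111111", b"\x01" * 32, TokenVault()))
```

The point to take from running it is where the PAN exists in clear: inside the terminal at step 1 and inside the processor at step 3, and nowhere in what the merchant forwards or stores. Everything the merchant keeps after authorization is the token, which is what lets the return, fraud-detection and marketing systems Palgon mentions work without holding cardholder data.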
Palgon leads the PCI Council working group that has made recommendations on a similar road map for tokenization technology. The council is expected to come out with that guidance sometime in November.