By John Kindervag
The one requirement that frightens my clients most often is encryption. There are two types of encryption specified by PCI: data at rest and data in motion. Of the two, data in motion is far easier and more common. This is covered in Requirement 4: "Encrypt transmission of cardholder data across open, public networks." For most organizations, this means IPSec or SSL VPN tunnels when transmitting cardholder data across the Internet. This is standard stuff for most companies and poses little difficulty.
Where companies get a bit more jumpy is when they confront the concept of "data at rest." This essentially means encrypting data while it sits on a hard drive. Traditionally this level of crypto required a full Public Key Infrastructure (PKI) deployment. As someone who has been involved in deploying PKI, I can understand that apprehension. This fear is so pervasive that a credit card company executive reportedly hinted that PCI would relax the data at rest standards, causing considerable consternation within the PCI community.
Luckily, PCI's data-at-rest encryption requirement is not so daunting as to be un-implementable. Requirement 3.4 requires that Primary Account Numbers (PAN) be protected through one of four means:
- Strong one-way hash functions (hashed indexes)
- Truncation
- Index tokens and pads (pads must be securely stored)
- Strong cryptography with associated key management processes and procedures
Notice that the only data that PCI mandates be protected in this manner is the PAN. Track and PIN data is not even allowed to be stored. For most companies, this means databases containing PAN information should use column-level or whole-disk encryption to protect those account numbers. This is good for all of us. When 40 million credit card accounts are stolen, there is a very good statistical chance that your (or my) credit card is among those that were compromised.
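To make the Requirement 3.4 options concrete, here is an added Python example (not from the original article, and not PCI Council or vendor code) that implements three of them with only the standard library: truncation, a hashed index, and an index-token vault. The PAN (the common "4111..." test number), the HMAC key and the token format are constructed test values. The fourth option, strong encryption of the stored PAN, needs an AES library and is not shown. The example also carries the caveat a practitioner wants around hashed indexes: a plain, unkeyed hash of a PAN is not a safe index, because the PAN space is small enough to enumerate, so the index is keyed and that key then has to be managed like any other cryptographic key.

```python
import hashlib
import hmac
import secrets
from typing import Dict

# Constructed sample PAN: a well-known test number, not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn check used by the card networks. Validating the format first keeps
    junk out of the index and the vault; it is not a secrecy control."""
    if not pan.isdigit():
        return False
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep at most the first six (BIN) and last four digits and
    mask the rest. What is stored can never be turned back into the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Hashed index using a keyed HMAC-SHA256.

    An unkeyed SHA-256 of a PAN is weak as an index: with the BIN known and the
    last digit fixed by Luhn, only about a billion candidates remain per BIN,
    so anyone holding the hash table could recompute every one. Keying the hash
    removes that shortcut; the key must then be generated, stored and rotated
    under the same key-management controls as an encryption key."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


class TokenVault:
    """Index tokens: applications store a random token instead of the PAN.
    Only this vault maps tokens back, so it is the one place that still needs
    encryption, tight access control and logging (assumed, not shown here)."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        token = "tok_" + secrets.token_hex(8)   # random, carries no PAN digits
        while token in self._pan_by_token:      # vanishingly rare collision
            token = "tok_" + secrets.token_hex(8)
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


if __name__ == "__main__":
    key = secrets.token_bytes(32)               # constructed key for the demo
    vault = TokenVault()
    print("valid:     ", luhn_valid(SAMPLE_PAN))
    print("truncated: ", truncate_pan(SAMPLE_PAN))
    print("hashed:    ", hash_pan(SAMPLE_PAN, key))
    token = vault.tokenize(SAMPLE_PAN)
    print("token:     ", token, "->", vault.detokenize(token))
```

The truncated form and the token are what most application tables should hold; the HMAC index is useful when the same card must be matched across records without any copy of the PAN in those records, and only the vault (or the encrypted column it stands in for) remains in scope for the key-management requirements.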
Requirement 3.4 has created a cryptographic explosion. There are many vendors who have invested in creating products that precisely meet the encryption needs of PCI. So the good news is that encryption is no longer scary. The bad news is that the laws of supply and demand have come into play, and encryption products have taken advantage of this capitalistic truth, becoming more expensive than they might otherwise be.
From a pure security standpoint, one credit card executive shared with me that in his opinion there will be as much as an 80% reduction in breaches and fraud once data-at-rest encryption becomes widely deployed. If true, this will be a boon for both consumers and companies alike.
Five myths of PCI compliance
- Introduction to the myths of PCI compliance
- Myth 1: PCI is hard
- Myth 2: PCI will make us secure
- Myth 3: Encryption is scary
- Myth 4: "I don't take enough credit cards…"
- Myth 5: Product X will make me compliant
About the author
John Kindervag is a 20-year veteran of the high-technology world. He is the senior security architect for Vigilar Inc., where he helps corporations design secure networks and manages Vigilar's Vulnerability Assessment and Compliance Practice. Kindervag holds a Bachelor of Arts degree in Communications from the University of Iowa.
This was first published in August 2007