The Green Sheet Online Edition
July 26, 2010 • Issue 10:07:02
The allure of end-to-end encryption
"Scope reduction" should be a magical phrase to merchants, acquirers and ISOs because it refers to reducing the applicability of Payment Card Industry (PCI) Data Security Standard (DSS) controls. PCI compliance is no small matter, nor is it inexpensive. The larger an organization, the more costly the effort to ensure compliance, yet smaller organizations may have to devote comparatively larger proportions of their resources to it than more sophisticated outfits.
So, large or small, compliance is a burden that many organizations want to reduce, and any step that limits the scope of that compliance is welcome. That's why end-to-end encryption (E2EE) is now one of the most talked-about concepts in the payments industry. Consensus is growing that E2EE is a vital step not only in containing the costs of compliance, but also in making card data much more secure.
An initial goal of the Secure POS Vendor Alliance was "to create an industry encryption framework ... to adequately secure cardholder information before it enters the application environment."
In 2009, Visa Inc. published industry best practices for E2EE. Even the PCI Security Standards Council (PCI SSC) is developing guidance on how E2EE (which it prefers to term "point-to-point encryption") will satisfy certain PCI requirements.
What's the buzz?
Retailer environments are too complex to completely and constantly lock down against all intruders. Encrypting cardholder data from end to end may be the only way to meet current security requirements.
The potential liability associated with cardholder data breaches is daunting. Per-record cost estimates for a security breach range from around $100 to several hundred dollars, so a breach could easily result in costs in the millions of dollars. Unfortunately, the number of attempted and successful data breaches is increasing, even among retailers that have met PCI DSS requirements and passed compliance audits.
End-to-end encryption entails encrypting cardholder information on acceptance inside a secure, trusted device and keeping it encrypted throughout an organization, ideally all the way to the acquirer or processor.
Retailers aren't in the business of security or payment technology; they must focus on understanding customer needs and delivering the right goods at the right time and place. PCI requirements were on a two-year update cycle, so by the time a retailer got up to speed, it was time to learn the next set of requirements. The PCI SSC recently extended the cycle to three years, but even so, merchants need significant guidance from ISOs and merchant level salespeople to understand the compliance process.
A variety of encryption techniques have been proposed for the retail industry. All offer strengths but also have limitations that make them less than complete:
- Database encryption is widely used in the computer industry to protect records. Various methods and tools exist to encrypt fields, records or an entire database. Databases can be encrypted on a single server or on distributed servers, and both software- and hardware-based products and solutions are available.
This form of encryption does not, however, protect data end-to-end. Many organizations have a hodge-podge of servers, applications and networks that may require access to the database information, resulting in data being frequently unencrypted and exposed to rogue sniffers.
- Tokenization schemes replace cardholder information (usually the primary account number) with a randomly generated numeric token. This type of security is inexpensive and allows a retailer to store a reference to the transaction without storing data that falls under PCI DSS restrictions. But tokenization doesn't occur until after the transaction is authorized, so between acceptance and authorization the cardholder data still passes through the merchant environment, where it is encrypted and decrypted along the way, creating potential exposure.
- Secure Sockets Layer (SSL) is widely deployed and enjoys broad support across multiple industries. Based on public key cryptography, it costs little or nothing and has become the standard for Internet commerce. With SSL, however, data is encrypted only while in transit on the network, so the sending and receiving servers must encrypt and decrypt, respectively, the cardholder data, creating potential exposure at either end.
- Hardware-based encryption schemes are built around a secure, tamper-resistant hardware module that generally sits at a central location on a corporate network, providing strong key management and secure key storage. Hardware-based encryption is widely held to be superior to software-based encryption but can be expensive to deploy at store locations, where changes will be required at the POS.
Putting E2EE to the test
VeriFone favors a total systems solution approach that encompasses the following:
- End-to-end encryption so that cardholder information is encrypted at the instant of acceptance inside a secure, trusted device and remains encrypted throughout an enterprise
- Key management per industry standards, including a secure transport, tamper-resistant security module (TRSM)
- TRSM storage and secure key generation in a facility certified with proper controls and procedures
- A monitoring component to provide 100 percent device- and transaction-encryption compliance and instant notification of potential issues
An independent assessor, Coalfire Systems Inc., recently completed a review of this approach and came to some compelling conclusions regarding E2EE: "As most of the DSS controls are designed to manage risk to card data from specific threat scenarios, it is therefore possible to reduce their applicability by securing the card data in the merchant environment, so that the threat scenarios are no longer a viable risk.
"By strongly encrypting card data at the point of capture in a secure and restricted device, where no ability to decrypt the card data exists, you can effectively 'isolate' the majority of the merchant's environment from scope. If specific deployment scenarios are adhered to, the merchant environment can be treated as an untrusted environment similar to a public network when using strong transmission encryption."
Coalfire stressed that PCI compliance scope reduction cannot remove the need for PCI compliance and does not eliminate merchants' responsibility to validate compliance to their acquirers, but Coalfire noted that scope reduction has big benefits: "PCI compliance scope reduction's biggest payoff for merchants is the opportunity to eliminate the cost of PCI control deployment for the sole purpose of meeting compliance obligations. The second major benefit is the reduction of cost and effort to validate PCI compliance of the merchant environment."
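The encrypt-at-capture model described above, together with the post-authorization tokenization listed among the techniques, as an added example that is not VeriFone's, Coalfire's or the article's own code: a Go program in which the POS device encrypts the PAN under a per-transaction key derived from the processor's X25519 public key, the store environment only ever holds the resulting envelope, and the processor decrypts it and hands back a random token. The function names, the SHA-256 key derivation with its "e2ee-pan-v1" label, and the 4111 test PAN are assumptions made for the example; real terminals use DUKPT with keys injected in a certified facility, and the processor's HSM is stood in for by an in-memory key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Envelope is all the store network and back-office servers ever see; it is opaque without the processor's private key.
type Envelope struct {
	EphemeralPub []byte // one-time X25519 public key generated inside the POS device
	Nonce        []byte // AES-GCM nonce
	Ciphertext   []byte // AES-GCM output: encrypted PAN plus authentication tag
	Last4        string // masked reference for the receipt, never the full PAN
}

// newProcessorKey generates the processor's long-term key; in production it is created and kept inside an HSM/TRSM.
func newProcessorKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// sessionAEAD derives the per-transaction AES-256-GCM key; SHA-256 over a label and both public keys stands in for a real KDF (HKDF, or the DUKPT scheme terminals actually use).
func sessionAEAD(shared, ephPub, procPub []byte) cipher.AEAD {
	h := sha256.New()
	for _, p := range [][]byte{[]byte("e2ee-pan-v1"), shared, ephPub, procPub} { // label is an assumption for this example
		h.Write(p)
	}
	block, _ := aes.NewCipher(h.Sum(nil)) // 32-byte key, so this cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// EncryptAtCapture runs inside the trusted device at the instant of acceptance; the device holds only the processor's PUBLIC key, so no decryption capability exists anywhere in the merchant environment.
func EncryptAtCapture(pan string, processorPub *ecdh.PublicKey) (Envelope, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return Envelope{}, fmt.Errorf("input of length %d does not look like a PAN", len(pan))
	}
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return Envelope{}, err
	}
	shared, err := eph.ECDH(processorPub)
	if err != nil {
		return Envelope{}, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm := sessionAEAD(shared, ephPub, processorPub.Bytes())
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	// The ephemeral key is bound as associated data, so a sniffer on the store LAN cannot swap in its own.
	ct := gcm.Seal(nil, nonce, []byte(pan), ephPub)
	return Envelope{EphemeralPub: ephPub, Nonce: nonce, Ciphertext: ct, Last4: pan[len(pan)-4:]}, nil
}

// DecryptAtProcessor is the only place the PAN reappears in clear.
func DecryptAtProcessor(env Envelope, processorPriv *ecdh.PrivateKey) (string, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return "", err
	}
	shared, err := processorPriv.ECDH(ephPub)
	if err != nil {
		return "", err
	}
	gcm := sessionAEAD(shared, env.EphemeralPub, processorPriv.PublicKey().Bytes())
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, env.EphemeralPub)
	if err != nil {
		return "", fmt.Errorf("envelope rejected (wrong key or tampering): %w", err)
	}
	return string(pt), nil
}

// IssueToken is what the processor returns after authorization: random digits with the last four preserved for lookups and no mathematical relation to the PAN, so the merchant can store the token instead of the PAN.
func IssueToken(pan string) string {
	tok := []byte(pan) // keep the last four, overwrite the rest
	for i := 0; i < len(pan)-4; i++ {
		d, _ := rand.Int(rand.Reader, big.NewInt(10)) // unbiased decimal digit; crypto/rand.Reader does not fail on Go 1.24+
		tok[i] = byte('0' + d.Int64())
	}
	return string(tok)
}

func main() {
	processor, _ := newProcessorKey()
	env, err := EncryptAtCapture("4111111111111111", processor.PublicKey()) // well-known test PAN, constructed input
	pan, err2 := DecryptAtProcessor(env, processor)
	if err != nil || err2 != nil {
		panic(fmt.Sprint(err, err2))
	}
	fmt.Printf("merchant sees %x (last4 %s)\nprocessor recovers %s and returns token %s\n", env.Ciphertext, env.Last4, pan, IssueToken(pan))
}
```

The check worth running against such a design is the one the Coalfire conclusion implies: any key other than the processor's, and any modification of the envelope in transit, must make the decryption fail, so the store controller, database and network can all be compromised without yielding a PAN. What is left in scope is the device itself and the key-injection facility, which is why the vendor list above puts so much weight on the TRSM and its key management.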
No doubt you'll be hearing more and more about E2EE. It's important to know how different vendors and service providers implement this technology.
Scott Henry is Director, North America Product Marketing, for VeriFone Inc. He can be reached at firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.