The Green Sheet Online Edition

September 12, 2011  •  Issue 11:09:01


Encryption's place in data protection

By Tim Cranny

Encryption is an important issue for compliance with Payment Card Industry (PCI) data, device and application security requirements. And like tokenization, which I discussed in "What tokenization is and isn't," The Green Sheet, May 9, 2011, issue 11:05:01, it is a confusing topic for many people.

In addition, vendor hype can make it difficult for nontechnical people to separate fact from fiction. To make the picture clearer for ISOs, merchant level salespeople (MLSs), processors and their merchant customers, this article will delve into what encryption is and what it is not, and explore how it helps with PCI compliance.

To begin, encryption has been around in various forms for several thousand years and will still be used long after PCI is forgotten. It isn't a single technology or tool, but a whole family of solutions. Together, they form a key building block of the Internet and all forms of e-commerce. This contrasts with tokenization, which solves only one specific problem inside e-commerce.

Understanding encryption

Encryption consists of scrambling a message or piece of data so that it cannot be read. That wouldn't be very useful if the process were one-way - if it were, say, the electronic version of a paper shredder. But encryption involves doing the scrambling in such a way that it can be unscrambled if you have the secret piece of information: the key.

Encrypting data is a little like putting a private letter in a high-security safe: even if burglars steal the safe, they can't get to the information in the letter in order to read it. Similarly, if hackers steal a database containing millions of credit card numbers, no real harm is done if that data is encrypted and the hackers cannot decrypt it.

Following are basic principles regarding encryption. First, remember that encryption isn't a silver bullet. Although an invaluable tool in lots of different areas, encryption does not solve many security issues. Getting encryption right is an important part of addressing security - but only a part.

Second, encryption protects data only while it is actually encrypted. This sounds obvious, but it often gets forgotten. This means, for example, that if you rely on a wireless encryption scheme like Wi-Fi Protected Access 2 (WPA2), credit card data sent over the wireless link is protected only while it's traveling on the wireless leg of its journey.

If that sensitive data has to go across the country or across the world to reach the processor or gateway, wireless encryption protects only the first 50 feet of that journey.

Similarly, every time sensitive data is decrypted for use, it becomes vulnerable. This scenario is inevitable because the proper, intended recipient of the data can't work with the scrambled version.

That is why everyone should be diligent in checking the claims of companies that offer end-to-end encryption. Too often, the solution is not genuinely end to end, and the traffic is broken out at several points along the path, introducing vulnerability at each point.

Third, some good news: in almost all cases with encryption tools, you don't have to look far to find an excellent solution. In fact, most standard plug-and-play versions are better than the new, unusual solutions. So don't be fooled into looking for novelty or the latest and greatest breakthrough.

The boring solutions out there are incredibly strong and resistant to attack if used correctly. It's hard to get precise figures, but probably 99 percent of attacks on encryption either fail or only succeed because the encryption was set up incorrectly in the first place.

It's as if the world provides you with an almost-free, super-high-quality safe in which to store your confidential paperwork; the most likely source of problems is you - if you forget to lock the papers away or if you leave the key in plain sight on top of the safe.

Keeping data at rest from traveling

There are various ways encryption comes into play in PCI. Encryption of data falls into two different modes: encryption of data at rest, for example when the data is sitting in a file or database, and encryption of data in transit, when it is moving across a network.

Regarding PCI and encryption of data at rest, adhere to the following main requirements:

Keeping data in motion on course

Regarding PCI compliance and encryption of data in transit, respect these primary requirements:

Following the rules

The more sensitive the communications, the more important encryption becomes. For instance, traffic used to control a system (such as administrative access to a computer) is more important and more sensitive than just normal system access. So it's particularly important that communications controlling systems be encrypted.

These rules should help clear the techno-babble haze surrounding encryption. Following them means merchants, ISOs, MLSs and others can enjoy the many benefits of this technology while doing relatively little work. And that's a good deal for everyone.

Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at 801-599-3454.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
