End-to-End Encryption: The PCI Security Holy Grail

Encryption seems like the simple answer to data security problems. So why is end-to-end encryption not ubiquitous? Implementation challenges abound. Here's how to handle encryption's 'key issues'.

Page 3 of 3

3.6.7 Prevention of unauthorized substitution of keys

3.6.8 Replacement of known or suspected compromised keys

3.6.9 Revocation of old or invalid keys

3.6.10 Requirement for key custodians

While the PCI DSS gives a good amount of background on these requirements, it is important, and highly recommended, to review additional documentation on this topic. The PCI Council references the NIST Key Management publication (SP 800-57) as a guideline for managing cryptographic keys.
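To make the last four sub-requirements concrete, here is a small in-memory key registry that enforces them: a key check value detects substituted key material (3.6.7), a known or suspected compromise marks the old key and issues a replacement (3.6.8), old or invalid keys are revoked and refused for encryption (3.6.9), and every privileged operation must be performed by a named custodian and is logged (3.6.10). This is an added example, not code from the article or from the PCI Council; the state names, the custodian check and the HMAC-based check value are this example's own design choices, and the keys are generated in memory for illustration only.

```python
"""Illustrative key-lifecycle registry modelled on PCI DSS 3.6.7-3.6.10.

Added example (not from the article). The state machine, the custodian
check and the key check value are this example's own design choices.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum


class KeyState(Enum):
    ACTIVE = "active"            # may be used to encrypt and decrypt
    COMPROMISED = "compromised"  # known/suspected compromise: replaced, never reused
    REVOKED = "revoked"          # old or invalid: no longer used for encryption


def key_check_value(material: bytes) -> str:
    # Key check value: HMAC of a fixed label under the key, truncated.
    # Verifies that stored material is what was registered without
    # exposing the key itself (3.6.7: detect unauthorised substitution).
    return hmac.new(material, b"KCV", hashlib.sha256).hexdigest()[:12]


@dataclass
class ManagedKey:
    key_id: str
    material: bytes
    state: KeyState = KeyState.ACTIVE
    kcv: str = ""

    def __post_init__(self):
        # Record the check value at registration time.
        self.kcv = key_check_value(self.material)


class KeyRegistry:
    """Minimal registry: every privileged operation needs a named custodian (3.6.10)."""

    def __init__(self, custodians):
        self.custodians = set(custodians)
        self.keys = {}
        self.audit = []  # (custodian, action, key_id) tuples

    def _require_custodian(self, custodian, action, key_id):
        if custodian not in self.custodians:
            raise PermissionError(f"{custodian!r} is not an authorised key custodian")
        self.audit.append((custodian, action, key_id))

    def generate(self, custodian, key_id):
        self._require_custodian(custodian, "generate", key_id)
        if key_id in self.keys:
            raise ValueError(f"key id {key_id} already exists")
        self.keys[key_id] = ManagedKey(key_id, secrets.token_bytes(32))
        return key_id

    def verify_integrity(self, key_id):
        # 3.6.7: recompute the check value and compare it with the registered one.
        k = self.keys[key_id]
        return hmac.compare_digest(key_check_value(k.material), k.kcv)

    def replace_compromised(self, custodian, key_id, new_key_id):
        # 3.6.8: issue a fresh key first, then mark the old one compromised.
        self._require_custodian(custodian, "replace_compromised", key_id)
        self.generate(custodian, new_key_id)
        self.keys[key_id].state = KeyState.COMPROMISED
        return new_key_id

    def revoke(self, custodian, key_id):
        # 3.6.9: old or invalid keys are revoked; a compromised key stays compromised.
        self._require_custodian(custodian, "revoke", key_id)
        k = self.keys[key_id]
        if k.state is KeyState.ACTIVE:
            k.state = KeyState.REVOKED
        return k.state

    def key_for_encryption(self, key_id):
        # Only an ACTIVE key whose check value still matches may encrypt.
        k = self.keys[key_id]
        if k.state is not KeyState.ACTIVE:
            raise ValueError(f"key {key_id} is {k.state.value}; refusing to encrypt")
        if not self.verify_integrity(key_id):
            raise ValueError(f"key {key_id} failed its check value; possible substitution")
        return k.material


if __name__ == "__main__":
    reg = KeyRegistry(custodians=["alice", "bob"])
    reg.generate("alice", "dek-001")
    reg.replace_compromised("bob", "dek-001", "dek-002")
    reg.revoke("alice", "dek-002")
    for entry in reg.audit:
        print(entry)
```

The check value is a detection control, not a prevention control on its own: it tells you that the material in storage is not the material the custodians registered, which is the signal a real implementation would feed into the compromise-and-replace path above.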


Encryption is often seen as a quick and dirty way to fix years of security neglect. Sometimes it is considered scary and difficult to understand. While encryption is extremely powerful, it can only protect your data when its requirements are properly defined, and its implementation is properly deployed.

If you follow that advice and ensure your technical processes align with your business processes, you will find that your encryption deployment is both effective and efficient. Hopefully this article has shown you that encryption is something to be embraced -- not to be intimidated by.

Ben Rothke, CISSP, QSA (ben.rothke@bt.com), is a Security Consultant with BT Professional Services and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill Professional Education)


David Mundhenk, CISSP, PCI-DSS & PA-DSS QSA, QPASP (stratamund@sbcglobal.net), is a Security Consultant with a major professional services firm.

Copyright © 2009 IDG Communications, Inc.
