Criminals are going to steal payment card transaction data, but it won't matter if that data is devalued through encryption.

The PCI Security Standards Council (SSC), which drafts many payment card industry security standards, meets annually in Europe, Asia-Pacific and North America to share new standards, gather feedback from the community, and discuss the burning issues of the day. Security professionals who have to comply with PCI standards need to stay abreast of these updates.

What follows is a summary of key points from those meetings that are relevant to the security community, including point-to-point encryption (P2PE), encryption in the cloud, and small business compliance.

Encryption is still key, but not always implemented

I was happy to see that data devaluation, including encryption and tokenization, was front and center in the keynote address at the Las Vegas and London meetings. Criminals have been rather busy over the past couple of years: 2.6 billion data records were compromised in 2017 alone, according to Gemalto's Breach Level Index, and less than 4 percent of those breaches had any form of data devaluation, such as encryption, in place. Said another way, 96 percent of breaches hit data with no encryption at all. If it has value, devalue it. If it's important to you, encrypt it!

Troy Leach, PCI CTO, also spoke about the importance of point-to-point encryption (P2PE), as well as new solutions and programs such as Software-based PIN Entry on COTS (SPoC), a standard for PIN entry on commercial off-the-shelf devices; the 3-D Secure SDK, software for building cardholder authentication into merchant mobile apps; and the coming Contactless Card Standard, which describes how contactless cards and terminals should work.

Devaluation of data might be your cheapest protection

Stephen W. Orfei, former PCI SSC general manager and, in the spirit of full disclosure, now a member of Bluefin's Product Advisory Board, advocates for PCI-certified P2PE in conjunction with tokenization. "The attack vectors really haven't changed much: Weak passwords, SQL injection, remote access attacks, man in the middle, malware variants and, of course, spear-phishing attacks have evolved compliments of social media," he says. "The cost to defend against these attack vectors and required organizational discipline is staggering, perhaps unmanageable for most," Orfei continues. "I have always advocated for devaluing the data. The goal ought to be security and resilience! You can survive these attack vectors if the bad guys can't read or monetize your data – they are off to the next target. Bottom line: you're going to be breached, the question is – are you going to be compromised?"

Orfei led the PCI Council during a period of solution innovation that included P2PE and tokenization, and now he says it's all about driving market adoption. These solutions can only protect if they are in place, and he maintains that encryption at the point of entry is vitally important.

If you are going to implement encryption, it's best to implement a PCI-listed P2PE solution. Orfei doesn't expect any radical changes to PCI's P2PE Solution standard in version 3 next year. He does, however, expect changes to the program that make solutions easier to implement and manage. P2PE solutions under version 2 are rock solid; it's not the time to gold plate the solution, it's time to get it implemented, and some minor changes to the P2PE Solution Program can help streamline that process.

P2PE proliferation

I had the honor of putting together panels on the topic of P2PE at both the North American and European PCI conferences.
For Las Vegas, the panelists were Dan Fritsche, moderator and Coalfire Solutions principal; Bill Bolton, VP of IT for The Honeybaked Ham Co.; and myself, Bluefin Chief Strategy Officer and Founder. The mission for the panel was to present a live case study that brings together the main parts of a successfully implemented P2PE solution. In this case, Bluefin was the P2PE solution for Honeybaked Ham, and Coalfire was both the P2PE assessor for Bluefin and the PCI DSS assessor for Honeybaked Ham. All three parties had intimate knowledge of the process, from start to finish.

Honeybaked Ham has over 1,100 P2PE-enabled devices at its locations across the country, including its quick-serve restaurants. Because the solution was rolled out over several years, it was assessed initially under P2PE version 1.1 and then again under version 2.0. P2PE has a lot of moving parts, and most of them are hardware-based, so proper planning, quick response, logistics, fulfillment and coordination, as well as flexibility and constant communication, are key.

Fritsche raised the impact of P2PE on a move to the cloud. P2PE solutions can significantly assist with security and compliance when an organization moves card handling to the cloud: if the card data is encrypted on the ground, inside the device, before it is sent up for handling, the merchant's cloud systems only ever touch ciphertext they have no key to decrypt. That makes an enormous difference to the risk a company assumes, to its overall security and compliance posture, and to its costs and ongoing management complexity.

When asked why he chose PCI-certified encryption instead of a non-listed encryption option, Bolton said that a core part of the company's mission is to take care of its customers, which includes taking care of their card data and protecting the investment that franchisees have made in the brand.

Fritsche and I were both on the London panel, along with Rodney Farmer, a board member of the European Association of Payment Service Providers for Merchants (EPSM) and a member of the PCI Board of Advisors, who joined us to represent the merchant and merchant service provider perspective in Europe.

AES DUKPT ratification

An exciting change for P2PE solutions is the ratification of Advanced Encryption Standard derived unique key per transaction (AES DUKPT) by ASC X9 as ANSI X9.24-3. Currently, most certified P2PE solutions use Triple DES (TDES) DUKPT. DUKPT makes sure that each time a card is swiped, dipped, tapped or keyed into a device, the data is encrypted under a fresh key derived one-way from the device's initial key and a transaction counter. The device discards each key once it has been used and never holds the base derivation key at all (that stays in the host's HSM), so an attacker who captures a transaction key, or even a device, learns nothing about earlier transactions. That property frustrates attackers and is a vital part of the data devaluation process.

Using a unique key for each transaction also solves a difficult-to-manage compliance requirement. PCI DSS requires encryption keys to be changed at the end of their cryptoperiod, which in practice has meant re-keying devices every couple of years. DUKPT is perfect for this because the key changes with every transaction, so devices in the field don't have to be re-keyed on a schedule. Imagine if you had 20,000 devices in the field and had to bring them all back in every two years, or perform a remote key injection on each one. DUKPT removes that logistical burden and results in higher security.

One limitation of TDES DUKPT is the keyspace. Its transaction counter is 21 bits wide and only counter values with at most ten one-bits are used, which yields about a million (1,048,575) transaction keys per initial key. After a million transactions the device has to be re-keyed. For most merchants that takes ten years or more, which is plenty of time; in fact, most devices get old, break, are depreciated or are refreshed with newer, faster, more feature-rich devices long before they run out of keys.
However, think of high-volume merchants like Transport for London (TfL), which manages the Underground that I used all week across London. Millions of people pass through those gates, so a TDES DUKPT device there could use up its counter very quickly.

AES DUKPT matters because, on top of using a stronger cipher than TDES (which has a 64-bit block size and is being retired), its 32-bit transaction counter enlarges the keyspace from about a million to billions of keys per initial key. That solves a key issue (pun intended) for high-volume deployments such as kiosks and transportation turnstiles.

P2PE solutions needed for small merchants

As mentioned above, Farmer represents EPSM, an organization that advocates for and brings together its constituents, and he sits on the PCI Board of Advisors representing merchant service providers across Europe. He brought to light the positive impact that PCI-certified device encryption can have on small merchants.

For the last few years there has been a much-deserved discussion around what to do to protect small merchants. Handy and helpful educational materials have been created to distill the main points that do the most good for them. Is education and awareness enough? Many small merchants probably don't know how to spell PCI, and many feel that the highest risk to their business is going out of business, not a card data compromise.

Farmer advocated for P2PE solutions for small merchants. If the device encrypts the data before it reaches anything the merchant owns, a compromise of the merchant's PC or network exposes only ciphertext: it doesn't matter if the merchant chose a weak password on their PC, left a back door open, skipped an anti-malware update, or accidentally clicked on a phishing email. Data devaluation is the perfect security partner for small businesses and may well be the best answer to how to protect them. I wholeheartedly agree with Farmer.
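The counter arithmetic behind the TDES versus AES DUKPT discussion, and the reason a device that derives its own per-transaction keys protects a merchant whose PC is compromised, as an added illustration that is not from the article and not from any PCI or X9 document. The counter widths (21-bit for TDES DUKPT, 32-bit for AES DUKPT) and the rule that only TDES counters with at most ten one-bits are used are those of ANSI X9.24; the derivation function itself is a simplified one-way ratchet built on SHA-256/HMAC, standing in for the X9.24 TDES/AES key hierarchy so the example runs with the standard library alone. The class and function names and the transaction volumes are this example's own assumptions.

```python
"""Simplified DUKPT model: counter capacity and one-way per-transaction keys.

Faithful to ANSI X9.24: the counter widths and the ten-set-bit rule.
Simplified (NOT the X9.24 algorithm): the derivation, which here is an
HMAC-SHA256 key bound to the counter plus a SHA-256 ratchet of the state.
"""
import hashlib
import hmac
import math

TDES_COUNTER_BITS = 21   # X9.24-1 TDES DUKPT transaction counter width
TDES_MAX_SET_BITS = 10   # only counters with <= 10 one-bits are used
AES_COUNTER_BITS = 32    # X9.24-3 AES DUKPT transaction counter width


def tdes_dukpt_key_capacity() -> int:
    """Transaction keys per TDES initial key: non-zero 21-bit counters with
    at most ten bits set (sums to 2**20 - 1 = 1,048,575)."""
    return sum(math.comb(TDES_COUNTER_BITS, k)
               for k in range(1, TDES_MAX_SET_BITS + 1))


def aes_dukpt_key_capacity() -> int:
    """Transaction keys per AES initial key: every non-zero 32-bit counter."""
    return 2 ** AES_COUNTER_BITS - 1


def days_until_rekey(capacity: int, transactions_per_day: int) -> float:
    """How long one device lasts before its counter is exhausted."""
    return capacity / transactions_per_day


def _valid_counter(counter: int) -> bool:
    return (0 < counter < 2 ** TDES_COUNTER_BITS
            and bin(counter).count("1") <= TDES_MAX_SET_BITS)


def _ratchet(state: bytes) -> bytes:
    # One-way step: once the device replaces its state with this value, the
    # previous state (and every key made from it) cannot be recovered.
    return hashlib.sha256(b"dukpt-toy-ratchet" + state).digest()


def _transaction_key(state: bytes, counter: int) -> bytes:
    # Stand-in for the X9.24 derivation: a 16-byte key bound to the counter.
    return hmac.new(state, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


class ToyDukptDevice:
    """Terminal side. Holds only a ratcheting state and the counter. The base
    derivation key is never present; the injected initial key is gone after
    the first ratchet, so a captured device cannot reveal past transactions."""

    def __init__(self, initial_key: bytes):
        self._state = initial_key
        self.counter = 0

    def next_transaction(self):
        """Return (counter, key) for one swipe/dip/tap, then ratchet.
        Raises once the counter space is used up: the device must be re-keyed."""
        while True:
            self.counter += 1
            if self.counter >= 2 ** TDES_COUNTER_BITS:
                raise RuntimeError("transaction counter exhausted: re-key the device")
            if _valid_counter(self.counter):
                break
            # Counters with more than ten one-bits are skipped; the ratchet
            # still advances so the host can replay it from the counter alone.
            self._state = _ratchet(self._state)
        key = _transaction_key(self._state, self.counter)
        self._state = _ratchet(self._state)  # forget the state behind this key
        return self.counter, key


def host_derive_key(initial_key: bytes, counter: int) -> bytes:
    """Acquirer/host side: rebuild the same transaction key from the initial
    key (held only in the host HSM) and the counter carried with the
    transaction. Nothing on the merchant's network can do this."""
    if not _valid_counter(counter):
        raise ValueError("not a usable DUKPT counter value")
    state = initial_key
    for _ in range(counter - 1):
        state = _ratchet(state)
    return _transaction_key(state, counter)


if __name__ == "__main__":
    print("TDES DUKPT keys per initial key:", tdes_dukpt_key_capacity())
    print("AES  DUKPT keys per initial key:", aes_dukpt_key_capacity())
    # Constructed volumes: a small shop versus a busy transit gate.
    for name, per_day in (("small merchant", 250), ("transit gate", 20000)):
        print(f"{name}: TDES counter lasts {days_until_rekey(tdes_dukpt_key_capacity(), per_day):.0f} days")
```

At roughly 250 transactions a day the TDES counter lasts over eleven years, which is the "plenty of time" in the text; at 20,000 a day it is exhausted in under two months, which is why AES DUKPT's 32-bit counter matters for turnstiles and kiosks. The skipped counter 2047 (eleven one-bits) also shows why the TDES capacity is about a million rather than the full 2^21.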