End-to-End Encryption: the PCI Security Holy Grail

One of the fascinating things to do when in New York City is to visit the Federal Reserve gold vault. The vault lies 86 feet below sea level, resting on Manhattan bedrock, and holds approximately 5,000 metric tons of gold bullion. The Federal Reserve Bank does not own the gold but serves as guardian of the precious metal, which it protects at no charge as a gesture of goodwill to other nations.

By Ben Rothke and David Mundhenk

Thu, September 10, 2009CSO One of the fascinating things to do when in New York City is to visit the Federal Reserve gold vault. The vault lies 86 feet below sea level, resting on Manhattan bedrock, and holds approximately 5,000 metric tons of gold bullion. The Federal Reserve Bank does not own the gold but serves as guardian of the precious metal, which it protects at no charge as a gesture of goodwill to other nations.

Obviously, the security measures to protect hundreds of billions of dollars of gold are intense. But even if a thief were to breach the underground defenses and avoid the marksmen, how would he get the gold out? Gold is dense, difficult to transport and heavy, with each bar weighing approximately 27 pounds. Combined with the impossible-to-negotiate downtown Manhattan traffic, those facts contribute to the vault being a safe and sound way to protect the gold.

The data stored within your IT infrastructure is also quite valuable. The challenge--how do you make your data like gold, so that it is difficult to illicitly move and use? The answer is, quite simply, encrypt it.

Data that is effectively encrypted is unusable to the party who recovers it if that party lacks the proper decryption key(s) and means to decrypt. Imagine if your case of of fifty 600-gigabyte backup tapes was lost in transit. If the tapes were encrypted, you would still want to find them. But if they were not encrypted, you need to call the lawyers and immediately initiate your incident plan.

Many of the data breaches of the past few years could have turned into non-incidents if the data had been encrypted. Most recently, web hosting firm Network Solutions warned over half a million cardholders that their transaction data may have been compromised. In a statement, the firm said it found unauthorized code on servers supporting some of its e-commerce merchant's web sites. They noted that "after conducting an analysis with the assistance of outside experts, we determined that the unauthorized code may have been used to transfer data on certain transactions for approximately 4,343 of our more than 10,000 merchant web sites to servers outside the company." At no point do they indicate that encryption was used.

The PCI DSS and encryption

PCI DSS Requirement 3 details technical guidelines for protecting stored cardholder data and the requirements for encryption. The PCI DSS has perhaps been the biggest boon for encryption since the creation of PGP. Section 3 provides the high-level details around encryption. At a minimum, PCI requires the PAN (primary account number) to be rendered unreadable anywhere it is stored, including portable digital media, backup media and logs.

Security
Loading...
 
SPONSORED LINKS
 

Making Consumer Two-Factor Authentication Simple and Cost-Effective

Mining the Cloud to Ease the Enterprise Compliance Burden

Solve Five Key IT Security Challenges with Cloud-Based Authentication

White Paper: Managed Security for a Not-So-Secure World

Secure Email and Web-Based Communication from Evolving Attacks

WagerWorks Takes Fraudsters Out of the Game using iovation

White Paper: A Security Blueprint Delivered From within the Network

Return on Information: Google Enterprise Search pays you back

ROI of Application Delivery Controllers

Webcast: Unleashing the Power of Customer Data

Disciplined Autonomy: Resolving the Tension Between Flexibility and Control

Enterprise Capture: Your Onramp to Business Process Automation

Cloud Computing--What is its Potential Value for Your Company?

Seven Design Requirements for Web 2.0 Threat Protection

Adobe® LiveCycle® solutions for business process automation

10 Ways Excel Drives More Value from Your SAP Investment

The Key to Proving and Improving the Value of IT to the Company

Unleash the Power of Java with Oracle JRockit Real Time

Taking the Service Desk to the Next Level

Return on Information: Google Enterprise Search pays you back. Get the facts.

VMware. The source for Business Infrastructure Virtualization.

ShoreTel tells businesses to untangle from competitors' complexity and turn to its brilliantly simple UC solution

See how AT&T can help protect your network.

Streamline IT Costs. Boost Performance with WAN Optimization.

Build your 1st app FREE with Force.com

Authentication as a Service by Forrester Research

Cloud-Based Authentication for Next-Generation Extranets

Mobile Security: The Essential Ingredient for Today's Enterprise

IDC White Paper: CCM for IT Compliance and Risk Management

Keeping Your Members Safe from Online Scams and Predators

Learn about the growing threat of insider data theft.

Upgrading to VMware vSphere with vWire

Maximizing website Return on Information with high-quality search

Gartner Magic Quadrant, Application Delivery Controllers 2009

Learn How Web Site Performance Impacts Shopper Behavior

Build a Foundation for Unified Communications

Removing the Barriers to IT Governance: How On-Demand Software Changes the Game

Should Your Email Live In The Cloud? A Comparative Cost Analysis

How Consumerization of IT Will Make Your Business More Productive

How does a software company save big with Green IT?

Translate business strategy into IT strategy and obtain maximum benefits.

eBook: How Can You Make Your People Productive Anywhere?

Mind the Talent Gap: Global Survey on IT and HR trends and challenges

"Enterprise-Proven" is the Prerequisite for Enterprise SaaS Portal Solutions

AT&T Synaptic Storage as a Service. Expand on demand

Trend Micro ranked #1 against real-world malware. Read more.

Webinar: Jump-start your in-house e-discovery with Ringtail QuickCull from FTI Technology

Top Five CIO Challenges

Read the RSA report: Security for Business Innovation

64-page prescriptive guide to security, compliance, and IT operations.

 
 
RESOURCE CENTER
 
buy a link »
Ads by TechWords