In-Depth
Fixing the PCI Encryption Problem
Fines and fees are looming after the September 30 PCI compliance deadline. Still, less than half of merchants report full compliance with PCI security requirements, and encryption failures contribute to four out of five failed PCI audits. Why can't companies get encryption right? Here are five key steps for overcoming encryption hurdles.
Why don't the large merchants and service providers who process credit card data comply with the Payment Card Industry Data Security Standard (PCI DSS) yet?
Numerous explanations and rationales abound—from lack of enforcement evidence to a history of compliance deadline extensions, to the sheer cost and difficulty of applying very specific security controls to large companies' complex infrastructures.
Visa does now appear to be turning up the heat. Last year, the company says it levied $4.6 million in PCI-related fines. This year, it announced a $20 million fund to reward companies which met PCI requirements. Recently, however, Visa also disclosed that, as of August 31, 2007, only 44 percent of Tier 1 merchants, and 38 percent of Tier 2 merchants, currently comply with PCI DSS. (Those tiers comprise the largest organizations which annually process 6+ million credit card transactions, and 1–6 million transactions, respectively.) Today, non-compliant organizations reportedly face fines of up to $500,000 and may not have access to Visa's best interchange rates.
Despite the apparent enforcement push, many organizations are encountering very real challenges when they pursue the PCI DSS. Some of this involves—as seems to happen with practically any standard today—unclear guidance and the numerous revisions required to "clarify" these instructions. "Publishing a standard and providing little to no guidance for organizations on how to implement the technology to achieve compliance will almost always produce poor results," notes Chris Farrow, director for Configuresoft's Center for Policy and Compliance.
Even as the guidance is clarified, however, large organizations also face numerous technical challenges in PCI implementations. For example, in a study of 50 large companies' recent PCI assessments, VeriSign found that the leading cause of PCI non-compliance, contributing to 79 percent of all adverse audit findings, was a failure to encrypt sensitive credit card data.
The PCI standard requires companies to make stored credit card data unreadable, both in transit and at rest, which typically involves encryption. "Encryption is a key component of the 'defense-in-depth' principle that the PCI attempts to enforce through its requirements," notes the VeriSign study. "Even if other protection mechanisms fail and a hacker gains access to data, the data will be unreadable if it is encrypted."
Scaling PCI
Making stored credit data unreadable is an obvious problem. What is preventing companies from simply encrypting the data? "One of the major obstacles or challenges for the Tier 1 is just the magnitude in size of the organizations," says Steve Schlarman, chief compliance strategist at Brabeion Software. For example, he notes that Brabeion's biggest PCI-related customer is no e-commerce site, bank, or merchant, but rather $210 billion Chevron, which owns or has stakes in almost 26,000 gas stations, each of which utilizes point-of-sale (POS) systems to capture, transmit, and temporarily store credit card data. All of those systems must be made PCI-compliant.
In addition, many organizations—especially those using POS systems—also rely on extensive networks of service providers or acquiring banks to help translate and correctly route credit card data. All of those organizations must also be made PCI DSS compliant.
Encryption: Start by Mapping Data Flows
Before companies can encrypt all of this PCI-related data, however, they first must know where it is. Accordingly, most experts recommend locating all PCI data as the first step in any PCI encryption program.
"First tip? Map your data flows," says Branden Williams, director of VeriSign's PCI Practice. "Understand where every piece of card data is acquired from, transmitted to, stored, and disposed of."
Next, don't just apply encryption to every one of those processes. "Start asking the hard questions," Williams says. "Why do you need the data? What are you using it for? What would you do to accomplish this if you did not have access to this data anymore?" Indeed, one of the easiest ways to enable PCI compliance is eliminating as much stored information as possible, thoroughly restricting and monitoring access to data that is stored, and automating the timely deletion of unnecessary data.
Automate PCI Data Detection
Mapping data flows is an ongoing process, and technology can help. "There are many data protection tools out there to help search for data in your enterprise to find hidden data stores, or employees violating compliance," says Williams. "This will ensure that a lost laptop does not lead to a breach."
Tools can also help identify spreadsheets which store sensitive credit card data, which is otherwise quite difficult to do manually. "An organization can tell you where their SQL or Oracle database is, but it's very difficult for them to tell you where all of their spreadsheets are," says Farrow.
Companies should be aware that PCI-regulated data may exist in surprising places, such as in development, QA, and test environments. "We've seen situations where developers have custom-built applications that basically did captures of credit card numbers going over the wire and just played those in a loop—this recorded, live data—inside their development environment," says Farrow. Such data may reside in test environments indefinitely, and this makes it a security threat, as well as a PCI risk.
Select Encryption Technology
After identifying how PCI data flows, and where it resides, companies must answer difficult technical questions, such as whether to apply encryption at the database, disk, or file level. "Which is the right one? It's something they haven't had experience with in the past, so it's something they have to understand" before purchasing the encryption technology and updating systems, says Michael Gavin, security strategist for Security Innovation.
In other words, expect a significant learning curve when selecting an encryption technology and adjusting systems and business processes that rely on or touch credit card data. "It's not just something new; it's changing a process that's been in place for a while, so it's non-trivial," he says. Furthermore, he says, "the expertise is not as common as it needs to be."
Consider Obfuscation
Encryption isn't the only approach to protecting credit card data when in transit or at rest. Strictly speaking, the PCI standard doesn't require encryption, but rather that companies make credit card data unreadable. Options include truncating the stored numbers, or utilizing one-way hash algorithms. Properly implemented, these approaches could cost less and be easier to manage, at least in certain circumstances, says Williams.
For example, he notes VeriSign helped a major fast-food chain begin using "a one-way hashing algorithm to transform card numbers into strings of code that uniquely identify each card account without revealing the account number itself." Hence, the company now stores the hash as a record key and performs all necessary business processes by using that hash. As a result, the company has improved its security posture by not storing or transmitting actual credit card numbers.
Aim for Security
There's no doubt that rendering credit card data unreadable is a challenge. Accordingly, many companies are studying not just encryption in the context of PCI challenges, but also a better approach to information security as a broad discipline. "We've found that the really successful folks use regulatory or external pressures to drive the business improvement processes," says Farrow.
By itself, encrypting PCI data might not seem worth the investment, despite the threat of $500,000 fines. Seen as part of a broader program for ensuring the integrity of all sensitive enterprise data, however, encryption and other security controls intrinsic to PCI compliance, just make good business and security sense. Cost-of-compliance studies have shown that organizations with good IT programs and processes in place typically spend less on compliance than organizations with less well-management systems. And that makes sense, since most regulations are developed to mirror (not lead) IT best practices.
"Aim for security," says Gavin. "Get compliant for free."
About the Author
Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.