In a new document, "Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance" (PDF), the standards group offers guidance on what organizations should look for when acquiring and purchasing encryption technology to protect credit cardholder data as it is authorized and transported into a database.
Among other things, the new guidance helps clarify the concept of end-to-end encryption, offering the new moniker of "point-to-point encryption" (P2Pe).
"The first thing you immediately notice when you begin to look at these things is that there's really no standard for any of this stuff," says Bob Russo, general manager of the PCI Council. "You've got many [vendors] out there extolling the virtues of their 'end-to-end' encryption solutions, and you've got lots of confusion from merchants saying, 'Well, if I do this, then I'm OK, right?' In an effort to straighten this stuff out, we're looking to see if we can redefine that cardholder data environment and make this more meaningful for everyone out there."
During the past several years, some vendors have pitched end-to-end encryption as a way to eliminate the need to encrypt or tokenize database data for the purpose of PCI compliance. But as outlooks have matured, experts say, the question of how to encrypt data under PCI has become more complex.
"If you look at it from the database standpoint, there's a couple of ways that you address encryption of sensitive data -- but a lot of that works if you're only, say, a Microsoft shop," says Gary Palgon, vice president of product management for nuBridges. "The realization is that most organizations are heterogeneous, and data has to come in and out of databases. So if I was sending data over a secure channel to a database, the pipe is secure -- and I'm encrypting once it is in the database."
Securing all of those "pipes" can be costly and complex. P2Pe offers another alternative.
"This gives an option here -- applying the point-to-point says maybe a better method is encrypting it at the endpoint and then being able to suck it in and put it into the database already encrypted," Palgon says. "The industry is figuring out what works, but there are many instances where you want to encrypt the whole database, or certain columns in the database. And there are other examples where you want to encrypt before it even gets to the database." Palgon says some companies are adopting a model in which P2Pe handles the preauthorization encryption of data as it flies around the network -- and then tokenization is used to transform cardholder data into an unrecognizable form in the database, enabling it to be safely used postauthorization.
"It's important to recognize that when you swipe a card, you want to encrypt as soon as possible -- and then the encrypted data needs to be there to be used for the purposes of authorization," Palgon says. "For any processes postauthorization, that's where tokenization does a great job -- for things like a return system, or loss and fraud detection, or sales and marketing. I can reduce a whole lot of scope up front in my preauth by following P2Pe and can reduce a lot of scope postauthorization using tokenization."
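The two-stage model Palgon describes, P2Pe from the swipe through authorization and tokenization for everything after it, as an added illustration in Go that is not code from the PCI Council, nuBridges or any product mentioned here. It assumes a terminal key shared only with the processor, a vault that hands the merchant a random token in place of the PAN, and constructed inputs; `NewP2PE`, `SealPAN`, `Vault` and `Authorize` are names invented for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// NewP2PE builds the AES-256-GCM primitive for the P2Pe leg (key is assumed shared only with the processor).
func NewP2PE(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPAN runs on the terminal at swipe time: the PAN is encrypted before it
// leaves the device, so the POS, the network and the merchant DB only see ciphertext.
func SealPAN(g cipher.AEAD, pan string) []byte {
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand; documented never to fail on Go 1.24+
	return g.Seal(nonce, nonce, []byte(pan), nil) // nonce || ciphertext || tag
}

// Vault maps random tokens to PANs; it lives with the processor, which is
// also the only party holding the P2Pe key. The merchant stores only tokens.
type Vault map[string]string

// Authorize is the processor side: open the blob (a tampered or mis-keyed one
// fails the GCM tag check), authorize, and return a token rather than the PAN.
// Post-auth work (returns, fraud checks) resolves the token through the vault.
func (v Vault) Authorize(g cipher.AEAD, blob []byte) (string, error) {
	if len(blob) < g.NonceSize() {
		return "", errors.New("blob too short")
	}
	pan, err := g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	raw := make([]byte, 16) // issuer authorization would happen here
	rand.Read(raw)
	token := "tok_" + hex.EncodeToString(raw) // random, so nothing is derivable from it
	v[token] = string(pan)
	return token, nil
}
```

The scope reduction Palgon refers to follows from what each party holds: the merchant's systems see only the sealed blob and then the token, while the clear PAN exists only on the terminal and inside the processor's vault.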
Previously, some observers believed PCI would require a choice between P2Pe and tokenization, but the new guidance dispels that myth.
"[Before,] it was an either-or," Palgon says. "People kept saying, 'Which one is going to win out? Which one is the silver bullet?' What's happened over the past 12 months is a realization that it's really a situation of both working together."
Palgon leads the PCI Council working group that has made recommendations on a similar road map for tokenization technology. The council is expected to come out with that guidance sometime in November.