

01:55 PM

PCI Council Offers Guidance On Point-To-Point Encryption

Retail standards organization helps clarify where and when to encrypt credit card data

Confused about the encryption requirements under the Payment Card Industry compliance guidelines? You're not alone. But earlier this week, the PCI Security Standards Council issued some guidance that could help.

In a new document, "Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance" (PDF), the standards group offers guidance on what organizations should look for when evaluating and purchasing encryption technology to protect cardholder data as it is authorized and transported into a database.

Among other things, the new guidance helps clarify the concept of end-to-end encryption, offering the new moniker of "point-to-point encryption" (P2Pe).

"The first thing you immediately notice when you begin to look at these things is that there's really no standard for any of this stuff," says Bob Russo, general manager of the PCI Council. "You've got many [vendors] out there extolling the virtues of their 'end-to-end' encryption solutions, and you've got lots of confusion from merchants saying, 'Well, if I do this, then I'm OK, right?' In an effort to straighten this stuff out, we're looking to see if we can redefine that cardholder data environment and make this more meaningful for everyone out there."

During the past several years, some vendors have pitched end-to-end encryption as a way to eliminate the need to encrypt or tokenize database data for the purpose of PCI compliance. But as outlooks have matured, experts say, the question of how to encrypt data under PCI has become more complex.

"If you look at it from the database standpoint, there's a couple of ways that you address encryption of sensitive data -- but a lot of that works if you're only, say, a Microsoft shop," says Gary Palgon, vice president of product management for nuBridges. "The realization is that most organizations are heterogeneous, and data has to come in and out of databases. So if I was sending data over a secure channel to a database, the pipe is secure -- and I'm encrypting once it is in the database."

Securing all of those "pipes" can be costly and complex. P2Pe offers an alternative.

"This gives an option here -- applying the point-to-point says maybe a better method is encrypting it at the endpoint and then being able to suck it in and put it into the database already encrypted," Palgon says. "The industry is figuring out what works, but there are many instances where you want to encrypt the whole database, or certain columns in the database. And there are other examples where you want to encrypt before it even gets to the database." Palgon says some companies are adopting a model in which P2Pe handles the preauthorization encryption of data as it flies around the network -- and then tokenization is used to transform cardholder data into an unrecognizable form in the database, enabling it to be safely used postauthorization.

"It's important to recognize that when you swipe a card, you want to encrypt as soon as possible -- and then the encrypted data needs to be there to be used for the purposes of authorization," Palgon says. "For any processes postauthorization, that's where tokenization does a great job -- for things like a return system, or loss and fraud detection, or sales and marketing. I can reduce a whole lot of scope up front in my preauth by following P2Pe and can reduce a lot of scope postauthorization using tokenization."

Previously, some observers believed PCI would require a choice between P2Pe and tokenization, but the new guidance dispels that myth.

"[Before,] it was an either-or," Palgon says. "People kept saying, 'Which one is going to win out? Which one is the silver bullet?' What's happened over the past 12 months is a realization that it's really a situation of both working together."
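The two-layer model Palgon describes above (P2Pe from the swipe up to authorization, tokenization for everything after it) is easier to reason about as a concrete data flow. The following is an added, constructed illustration, not code from the PCI Council, nuBridges or any P2Pe product. The cipher is an HMAC-SHA256 counter-mode keystream standing in for the AES/DUKPT schemes real terminals use, the authorizer is stubbed as a Luhn check, and `4111111111111111` is the well-known test card number, all assumptions made for the example; the point it shows is which component ever holds the clear PAN and why the merchant's post-authorization systems only need the token.

```python
"""Constructed walk-through of P2PE pre-authorization plus tokenization post-authorization.
Illustrative code only; not from the PCI Council, nuBridges or any P2PE product."""
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn check: used by the stand-in authorizer and to keep tokens from looking like PANs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _subkey(key: bytes, label: bytes) -> bytes:
    # separate encryption and MAC keys derived from the one terminal key
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for the AES/DUKPT used by real terminals."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_at_swipe(pan: str, terminal_key: bytes) -> tuple:
    """Point of interaction: the PAN is encrypted before it leaves the card reader.
    Returns (nonce, ciphertext, tag); nothing downstream in the merchant sees clear PAN."""
    nonce = secrets.token_bytes(16)
    data = pan.encode()
    ks = _keystream(_subkey(terminal_key, b"enc"), nonce, len(data))
    ct = bytes(a ^ b for a, b in zip(data, ks))
    tag = hmac.new(_subkey(terminal_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def decrypt_in_secure_environment(nonce: bytes, ct: bytes, tag: bytes, terminal_key: bytes) -> str:
    """Only the decryption environment (processor/HSM side) holds the key. Tampered
    ciphertext is rejected before any PAN is reconstructed."""
    expected = hmac.new(_subkey(terminal_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext failed integrity check")
    ks = _keystream(_subkey(terminal_key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks)).decode()


class TokenVault:
    """Lives inside the secure environment. Maps a random, non-PAN-shaped token to the PAN
    so returns and fraud analytics can key on the token without ever holding the PAN."""

    def __init__(self):
        self._by_pan = {}
        self._by_token = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._by_pan:  # same card -> same token, so a return can be matched to its sale
            return self._by_pan[pan]
        while True:
            # keep the last four for receipts, random digits elsewhere, reject anything Luhn-valid
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4)) + pan[-4:]
            if not luhn_valid(token) and token not in self._by_token:
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def process_transaction(swipe: tuple, terminal_key: bytes, vault: TokenVault) -> dict:
    """Pre-auth path (P2PE) hands off to the post-auth path (token). Authorization is
    stubbed as a Luhn check; the merchant gets back only the token and the decision."""
    pan = decrypt_in_secure_environment(*swipe, terminal_key)
    return {"approved": luhn_valid(pan), "token": vault.tokenize(pan), "last4": pan[-4:]}


def merchant_record_is_pan_free(record: dict, pan: str) -> bool:
    """True if the record a return system or marketing database would store holds no PAN."""
    return all(pan not in str(v) for v in record.values())


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # injected into the terminal and the decryption environment
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test card number
    result = process_transaction(encrypt_at_swipe(pan, key), key, vault)
    print(result, merchant_record_is_pan_free(result, pan))
```

The scope argument in the article falls out of the structure: `encrypt_at_swipe` runs on the terminal, `decrypt_in_secure_environment` and `TokenVault` run only where the key lives, and every merchant system after authorization receives the dictionary from `process_transaction`, which contains the token and last four digits but never the PAN.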

Palgon leads the PCI Council working group that has made recommendations on a similar road map for tokenization technology. The council is expected to come out with that guidance sometime in November.
