If Visa’s Payment Security Forum held in Cairo this week is anything to go by, Data Field Encryption projects certainly seem to be on the agenda for banks in the Middle East, Africa, and Eastern Europe. More than 95% of those responding to a quick poll at the conference said they were either considering, evaluating, or actively engaged in Data Field Encryption projects. Data Field Encryption, incidentally, is Visa’s term for what others commonly refer to as end-to-end encryption, and what the PCI-SSC is now calling point-to-point encryption.
But how should Data Field Encryption projects be approached? The questions from the floor following the speakers’ sessions showed that the conference attendees were eager to learn more. Was tokenization or encryption the most cost effective long term solution? Where are the ends in “end-to-end”?
Deciding which approach to use where must seem daunting to those undertaking a new Data Field Encryption project to enhance payments security. This is not surprising when you consider that a large merchant or acquirer may have scores of systems currently storing cardholder data. Which ones legitimately need to store cardholder data? Which ones can be taken out of PCI-DSS scope if a token can be substituted for the cardholder data?
The use of both tokenization and encryption may well be the answer for larger organisations, particularly in the card payments space. It makes sense to use encryption to protect data in motion (for example, from the point of capture at the POS to the merchant’s system or to the acquirer), data in use, and the original card data at rest. Tokens can be shared with applications that do not need access to the card data.
However, with encryption now at the heart of many data security strategies, organisations do need to deploy good key management. It is the encryption keys that are used to render the data unreadable, so access to and protection of the keys is vital. Happily, as encryption is a mature technology, Hardware Security Modules (HSMs) are available and can be used to meet these requirements. HSMs can ensure not only that data is effectively protected using encryption, but also that the encryption keys are well protected and are efficiently and effectively managed.
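As an added illustration of the two preceding paragraphs (this is constructed example code, not from the article or from Visa), here is a minimal token vault in Go: the PAN is encrypted at rest with AES-GCM under a key the vault never persists (in production that key stays inside an HSM), and systems that do not need card data receive only a random token preserving the last four digits. The key, the test PAN and the token format are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Vault is a constructed stand-in for a token service: it holds the only
// copy of the data-encrypting key (in production that key stays inside an
// HSM) and the mapping from opaque tokens to the encrypted PAN at rest.
type Vault struct {
	aead  cipher.AEAD
	store map[string][]byte // token -> nonce || AES-GCM ciphertext
}

// NewVault wraps a 16, 24 or 32-byte AES key; the key itself is never stored.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	return &Vault{aead: aead, store: map[string][]byte{}}, nil
}

// Tokenize encrypts the PAN and hands back a random token that keeps only the
// last four digits, so systems outside PCI-DSS scope can display and
// reconcile without ever holding cardholder data.
func (v *Vault) Tokenize(pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 { return "", errors.New("invalid PAN length") }
	ns := v.aead.NonceSize()
	buf := make([]byte, ns+8) // fresh nonce followed by 8 bytes of token entropy
	if _, err := rand.Read(buf); err != nil { return "", err }
	nonce, raw := buf[:ns:ns], buf[ns:] // cap nonce so Seal allocates its own output
	token := "tok_" + hex.EncodeToString(raw) + "_" + pan[len(pan)-4:]
	v.store[token] = v.aead.Seal(nonce, nonce, []byte(pan), nil)
	return token, nil
}

// Detokenize is the only road back to the PAN; only in-scope systems call it.
func (v *Vault) Detokenize(token string) (string, error) {
	ct, ok := v.store[token]
	if !ok { return "", errors.New("unknown token") }
	ns := v.aead.NonceSize()
	pt, err := v.aead.Open(nil, ct[:ns], ct[ns:], nil)
	return string(pt), err
}
```

A breach of any system that only stores tokens yields nothing usable without both the vault's store and its key, which is the scope reduction the tokenization approach is after.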