Can software-based POS encryption improve PCI compliance?

Can software-based POS encryption improve PCI compliance?

In the wake of the recent Verizon report that shows that 80 percent are out of PCI DSS compliance between audits, some vendors are urging the PCI Council to consider approving software-based point-to-point encryption, in addition to the current hardware-based standard.

PCI-approved, hardware-based P2PE allows merchants to drastically shrink the systems subject to compliance, reducing both risks and costs, and will make it easier to stay compliant.

Self-destructing hardware is a "security bonus," but in general, hardware-based P2PE technology is not as useful for merchants, says Shift4 CEO Dave Oder, whose company is one of the largest software-based P2PE providers.

MORE ON CSO: What is wrong with this picture? The NEW clean desk test

"The vast majority of retailers who have P2PE in use today are using a software-based decryption method provided by Shift4 or one of our competitors," he said.

According to Oder, software-based P2PE, combined with tokenization, is a secure alternative to hardware-based encryption, and should be allowed under the PCI DSS standard."The trouble is, PCI is refusing to validate certain types of security solutions even though they are more secure and more useful to merchants than what is currently validated," he said.

Hardware-based encryption creates a potential single point of failure and is not designed to handle the level of transaction volume and uptime required in the payments industry, he said.

"The PCI Council has not released a software-based P2PE standard that would allow for both decryption and key management outside of a hardware security module," he said. "Much of the industry is waiting for that and the delay is harming merchants."

According to Shift4 marketing manager Nathan Casper, merchants with no encryption at all have a self-assessment questionnaire with more than 280 requirements. Merchants with hardware-based encryption have one with just 19 questions. Merchants with software-based encryption get the 280-question form -- but only answer those same 19 and put "not applicable" to the rest.

"The part that makes this frustrating to these large merchants is that they are almost always required to employ the assistance of a Qualified Security Assessor to oversee their assessment," he said. That's tens of thousands of dollars, or more, spent on someone checking the same "N/A" box 261 times.

Another vendor promoting a software-based encryption alternative is Irvine, Calif.-based Secure Channels, Inc., which offers both hardware and software-based solutions.

“There are software based solutions where the decryption key is hidden in the packet," said Secure Channels CEO Richard Blech. "There are means contained in the software to have a secure key exchange that completely bypasses the need for a hardware security module. Merchants are being harmed without this solution.”

However, according to Sam Pfanstiel, director of solutions at Atlanta-based Bluefin Payment Systems LLC, there is an excellent reason to stick with the hardware-based requirement.

"Through software-based encryption, you're performing encryption in memory, and that memory is highly susceptible to memory scraping," he said. "That is a vector of attack that has been used in almost every cardholder data breach of the last 18 months."

Hardware-based encryption, by comparison, puts the encryption mechanism -- the plain text data -- inside a hardware security module that self-destructs if tampered with.

"Bluefin stands firmly on the belief that only hardware-based encryption provides adequate controls to address the attack vectors prevalent in the industry today," he said.

Bluefin used to be on the other side, he added.

"When the PCI standard was first released, we had a software-based solution in place, and had to look at what PCI was recommending," he said. "We decided that the new standard represented better cardholder protection."

Two and a half years and several million dollars of investment later, Bluefin has replaced its software-based encryption with hardware.

"Ease of deployment is only a concern for encryption providers who fail to comply with the new standards and continue to use older technology to perform their encryption and decryption," said Pfanstiel.

Today, there are currently over 160 validated devices that support hardware-based encryption, he said. "And the list grows every day."

Recommended

It is difficult for the FBI to crack most smartphone encryption

The FBI is struggling to decode private messages on phones and other mobile devices that could contain key criminal evidence, and the agency failed to access data more than half of the times it tried during the last fiscal year, FBI Director Christopher Wray told House lawmakers. Wray will testify at the House Judiciary Committee ...

Texas Church Shooting: More Calls for Encryption Backdoors

US Deputy Attorney General, Rod Rosenstein, has decided to use the recent mass shooting at a Texas church to reiterate calls for encryption backdoors to help law enforcers. The incident took place at the First Baptist Church in Sutherland Springs, killing at least 26 people. Deceased suspect Devin Kelley’s mobile phone is now in the ...

FBI couldn't retrieve data from nearly 7000 mobile phones due to encryption

The head of the FBI has reignited the debate about technology companies continuing to protect customer privacy despite law enforcement having a search warrant. The FBI says it hasn't been able to retrieve data from nearly 7000 mobile phones in less than one year, as the US agency turns up the heat on the ongoing ...

Wi-Fi's Most Popular Encryption May Have Been Cracked

Your home Wi-Fi might not be as secure as you think. WPA2 -- the de facto standard for Wi-Fi password security worldwide -- may have been compromised, with huge ramifications for almost all of the Wi-Fi networks in our homes and businesses as well as for the networking companies that build them. Details are still ...

暂无评论

发表评论

您的电子邮件地址不会被公开,必填项已用*标注。

This site uses Akismet to reduce spam. Learn how your comment data is processed.