20 October 2017

44975

Retired Member

3,170Posts 11,345,459Views 3,405Comments
Information Security

Information Security

The risks from Cyber cime - Hacking - Loss of Data Privacy - Identity Theft and other topical threats - can be greatly reduced by implementation of robust IT Security controls ...

Cairo conference focuses on Data Field Encryption

30 September 2010  |  4479 views  |  0

If Visa’s Payment Security Forum held in Cairo this week is anything to go by, Data Field Encryption projects certainly seem to be on the agenda for banks in the Middle East, Africa, and Eastern Europe. More than 95% of those responding to a quick poll at the conference said they were either considering, evaluating, or were actively engaged in Data Field Encryption projects. Data Field Encryption incidentally, is Visa’s term for what others commonly refer to as end-to-end encryption, and what the PCI-SSC is now calling point-to-point encryption.

 But how should Data Field Encryption projects be approached? The questions from the floor following the speakers’ sessions showed that the conference attendees were eager to learn more. Was tokenization or encryption the most cost effective long term solution? Where are the ends in “end-to-end”?

Deciding which approach to use where must seem daunting to those undertaking a new Data Field Encryption project to enhance payments security. This is not surprising when you consider that a large merchant or acquirer may have scores of systems currently storing card holder data. Which ones legitimately need to store cardholder data? Which ones can be taken out of PCI-DSS scope if a token can be substituted for the cardholder data?

 The use of both tokenization and encryption may well be the answer for larger organisations, particularly in the cards payments space. It makes sense to use encryption to protect data in motion (from the point of capture at the POS to the merchant’s system or to the acquirer for example), data in use and also to protect the original card data at rest.  Tokens can be shared with applications that do not need access to the card data.

However, with encryption now at the heart of many data security strategies, organisations do need to deploy good key management. It is the encryption keys that are used to render the data unreadable, so access to and protection of keys is vital.  Happily, as encryption is a mature technology, Hardware Security Modules (HSMs) are available, and can be used to meet these requirements. HSMs can ensure not only that data is effectively protected using encryption, but that the encryption keys are also well protected and are efficiently and effectively managed.

TagsSecurityPayments

Comments: (0)

Comment on this story (membership required)

Retired's profile

job title
location
member since 2014
Summary profile See full profile »

Retired's expertise

Member since 2009
3119 posts3,405 comments
What Retired reads

Who's commenting on Retired's posts

Ketharaman Swaminathan
Dharmesh Mistry
Nicola Cowburn
Michael Wright
Charmaine Oak
Francis Chlarie
Raymond Lee
Deepthi Rajan
Melvin Haskins
João Bohner
Bob Lyddon