Why credit card systems will always be in scope
There is a growing trend in the retail industry for some merchants and technology providers to hope that someday the PCI standard will give guidance that says, "If you implement this new silver bullet, your systems will be completely out of scope."
While they are not the first, the latest group trying to pull this off is the people touting their Point to Point (P2P) encryption technology with or without tokenization. In this post, I am not going to go over the details of how these technologies work. The important part of both of these technologies is that they help merchants reduce their risk associated with storing credit card data by either making it impossible to read if it is stolen or by removing it from the environment completely.
As a security firm, we highly recommend and endorse these technologies as being a good way to thwart Internet hackers, who are out there trying to steal credit card data. What we hate to see in the industry are companies that try to claim that after implementing a set of technologies, the merchant is no longer in scope for PCI. This is simply not the case because even the best technology cannot remove all of the ways that credit cards are stolen (or mitigate all that PCI requires).
I recently had this discussion with a manufacturer of one of the P2P technologies that is gaining traction in the industry. Since they cannot defend themselves in this post, I will be fair and not list any names. To summarize our conversation, the P2P vendor was positive that it would be impossible for a hacker to break the company's encryption technology. Again, I do not want to dive into a technical discussion, so just to clarify, the encryption technology changes the credit card data so that it is unreadable without the decryption key. The decryption key is secret and nearly impossible to guess, so the data is safe once it is encrypted (is the argument).
On its face, this argument is not valid because credit card data could be obtained before the P2P system encrypts it, or there might be multiple avenues for storage (not just the POS). However, for the sake of this post, let us simply assume that as long as the key is secret, the data is secure. There have recently been two serious breaches related to security key management. One of them was at the security company RSA, which makes a wide range of security products including security key management. The bottom line: several "secure" installations were hacked as a result of the RSA breach. The SSL certificate provider DigiNotar was also breached. This means that if the P2P system used one of their certificates, a hacker could potentially gain access to the system and decrypt those credit cards in transit.
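To make the scoping argument concrete, here is a constructed Python model added for this post (it is not the vendor's product or the author's code): a card number passes through a chain of components, one of which performs the P2P encryption and one of which holds the key, and a scope check reports which components handled cleartext or can decrypt. The cipher is a stand-in (HMAC-SHA256 in counter mode) chosen only to keep the example self-contained; the stage names and the test card number are assumptions.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

@dataclass
class Stage:
    """One component in the card-data path (constructed example)."""
    name: str
    encrypts: bool = False       # this stage performs the P2P encryption
    holds_key: bool = False      # this stage has the decryption key
    saw_cleartext: bool = False  # set while a transaction is processed

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in cipher: HMAC-SHA256 in counter mode. Illustrative only,
    # not a production cipher; the point is that secrecy rests on `key`.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, data: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def decrypt(key: bytes, blob: bytes) -> bytes:
    # Anyone holding `key` (or a stolen copy of it) recovers the card number.
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def process(pan: str, key: bytes, stages: list[Stage]) -> bytes:
    """Push one card number through the stages, recording who saw cleartext."""
    payload, encrypted = pan.encode(), False
    for s in stages:
        s.saw_cleartext = s.saw_cleartext or not encrypted
        if s.encrypts:
            payload, encrypted = encrypt(key, payload), True
    return payload

def pci_scope(stages: list[Stage]) -> list[str]:
    """Components that handled cleartext PAN, or hold the key, stay in scope."""
    return [s.name for s in stages if s.saw_cleartext or s.holds_key]

def demo() -> list[str]:
    key = secrets.token_bytes(32)
    stages = [Stage("card reader"), Stage("POS encryptor", encrypts=True),
              Stage("store network"), Stage("gateway HSM", holds_key=True)]
    process("4111111111111111", key, stages)  # constructed test card number
    return pci_scope(stages)
```

Only the segment between the encryptor and the key holder drops out of scope; the reader that sees the swipe and whoever holds the key never do.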
The bottom line is this – P2P is an excellent technology that protects credit cards reliably. Hackers will have a hard time gathering the data, but to assume that things like firewalls, anti-virus programs, policies and procedures, physical security, and all of the other things that PCI requires will suddenly become obsolete is not likely going to happen any time soon.
Brad Cyprus: Bradley K. Cyprus has more than 20 years of experience in the security industry. He manages the development of in-house solutions to validate compliance, and he is a resource that Vendor Safe customers can rely upon to help interpret the PCI standard. www