Wednesday, 6 June 2007

Approach to Encryption within PCI DSS

Dave Whitelegg raises a point that has been niggling me for a while. For all the good in the PCI DSS, the whole process gets considerably weakened by the acquiring banks' insistence that data be transmitted from merchants' systems to the acquiring banks' systems in plain text. Sure, the transmission channel is SSL encrypted, over a point-to-point or VPN link, but the data itself is never encrypted: it is handed to the channel as plaintext and comes out the other end as plaintext, albeit having crossed an encrypted channel. The channel protects the data only between its two ends; whatever terminates the SSL session or the VPN, and everything sitting behind it, sees the cardholder data in clear. This is a subtle difference but an important one.
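To make that distinction concrete, here is an added example (mine, not from Dave's post, the PCI DSS, or any acquirer's actual interface) that models the two arrangements in Go. The SSL/VPN hop is stood in for by a function that returns what the party terminating the channel sees; the authorisation message format, the well-known test card number and the key assumed to be shared out of band with the acquirer are all constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// AuthRequest is a constructed, much-simplified authorisation message.
// The PAN used below is a well-known test card number, not real cardholder data.
type AuthRequest struct {
	PAN    string `json:"pan"`
	Expiry string `json:"expiry"`
	Amount int    `json:"amount_pence"`
}

// transportChannel stands in for the SSL or VPN hop. The wire is encrypted, but
// whoever terminates the channel (acquirer gateway, SSL accelerator, VPN
// concentrator) unwraps it and sees the payload exactly as it was handed in,
// so this returns what that terminating party sees.
func transportChannel(payload []byte) []byte {
	seen := make([]byte, len(payload))
	copy(seen, payload)
	return seen
}

// panVisible reports whether the PAN appears in clear in data.
func panVisible(data []byte, pan string) bool {
	return strings.Contains(string(data), pan)
}

// encryptPayload seals the message with AES-256-GCM under a key shared only
// between merchant and acquirer, before the message enters the channel.
// The random nonce is prepended so the acquirer can recover it.
func encryptPayload(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptPayload is the acquirer's side. GCM authenticates as well as encrypts,
// so a payload altered in transit is rejected rather than decrypted.
func decryptPayload(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed payload too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

// sendPlaintext is the arrangement the post objects to: the message goes into
// the channel in clear. It returns what the terminating party sees.
func sendPlaintext(req AuthRequest) ([]byte, error) {
	msg, err := json.Marshal(req)
	if err != nil {
		return nil, err
	}
	return transportChannel(msg), nil
}

// sendEncrypted encrypts the message before it enters the channel. It returns
// what the terminating party sees and the request as the acquirer recovers it.
func sendEncrypted(req AuthRequest, key []byte) ([]byte, AuthRequest, error) {
	var recovered AuthRequest
	msg, err := json.Marshal(req)
	if err != nil {
		return nil, recovered, err
	}
	sealed, err := encryptPayload(key, msg)
	if err != nil {
		return nil, recovered, err
	}
	seen := transportChannel(sealed)
	plain, err := decryptPayload(key, seen)
	if err != nil {
		return seen, recovered, err
	}
	return seen, recovered, json.Unmarshal(plain, &recovered)
}

func main() {
	req := AuthRequest{PAN: "4111111111111111", Expiry: "1208", Amount: 1999}
	key := make([]byte, 32) // assumption: provisioned out of band by the acquirer
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	seen, _ := sendPlaintext(req)
	fmt.Println("plaintext over encrypted channel, PAN visible at termination:", panVisible(seen, req.PAN))
	seen, recovered, err := sendEncrypted(req, key)
	if err != nil {
		panic(err)
	}
	fmt.Println("encrypted payload, PAN visible at termination:", panVisible(seen, req.PAN),
		"; acquirer recovers amount", recovered.Amount)
}
```

Run stand-alone it prints `true` for the first arrangement and `false` for the second: the channel does nothing to hide the PAN from whoever terminates it, whereas encrypting the payload itself keeps the PAN opaque to every intermediary and still lets the acquirer recover, and authenticate, the message.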

From the title, Dave questions whether this means the “PCI Encryption Practice is flawed”. I say “no”: it isn't flawed, but the implementation of the solution to the requirement may well be. As I said in my comment on his blog, I need to study the PCI DSS with this issue in mind (and have been meaning to for ages). But logic dictates that the standard would require the data to be encrypted everywhere.

If that is the case, then the standard isn't at fault; the implementation of the solution is.

I’ll look into this and give my thoughts in due course.