I was a bit taken aback yesterday when I heard that the much ballyhooed “end-to-end encryption” solution being promoted by payment processors as THE solution for PCI compliance has already been cracked. (Refer to “Where does End-to-End Encryption for PCI End?” G00170703.)
I should have expected it.
In this case, malware running in a retailer's card reader injects its own data into the outbound stream as if it were card transactions. The reader dutifully encrypts that data along with the genuine payment data and transmits it to the payment processor, where it is just as dutifully decrypted and then temporarily stored in the processor's system. The encryption protected the channel, not the endpoints: whatever enters the reader, legitimate or not, gets the same treatment. I'm not sure if the malware can be successfully transmitted to the payment card networks (e.g. VisaNet) as part of the payment stream. Probably (hopefully) not, since presumably the malware bytes do not conform to the payment authorization data format standard that the card networks accept.
The lessons here are important ones:
- End-to-end encryption (which should actually be called point-to-point encryption) is by no means a panacea. A lot can go wrong, from key mismanagement to transaction corruption, and the encryption itself does nothing about bad data that is fed in at the encrypting endpoint.
- The lack of standards in this area is going to make it hard to keep the systems up to date. Instead of one standard way of responding to increasing security threats, each vendor will respond differently.
- Encrypted data streams obviously cannot be inspected for threats or malicious software while in transit; any inspection has to happen at the endpoints, before encryption or after decryption. That is clearly a major downside here.
- A layered security approach is always important. I’m a big believer in pattern recognition that detects abnormal activity of any kind.
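To make the lessons concrete, here is an added example (not code from the original post, nor from any processor's product) that simulates the pipeline described above. The cipher, key, record format and sample records are all constructed stand-ins: a keyed HMAC-SHA256 keystream replaces the real P2PE cipher, the Track 2 style pattern `;PAN=YYMMSSS...?` replaces the real authorization record standard, and the records (two well-formed ones, one with a corrupted PAN, and one injected PE-header blob) are made up for the demo. It shows three things: the reader encrypts whatever it is handed, a signature scan on the wire finds nothing, and a format check applied at the processor right after decryption, before anything is stored, is what actually catches both the injected bytes and the corrupted transaction.

```python
import hashlib
import hmac
import itertools
import re
from typing import List, Optional, Tuple

# Constructed sample data (not real card data). Two well-formed Track 2 style
# records, one whose PAN was corrupted in transit, and one injected non-card
# payload (the first bytes of a PE header, standing in for malware).
GOOD_1 = b";4111111111111111=2512101123456789?"
GOOD_2 = b";5500000000000004=2609201987654321?"
CORRUPT = b";4111111111111112=2512101123456789?"   # last PAN digit altered
INJECTED = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00PAYLOAD"
MALWARE_SIG = b"MZ\x90\x00"                           # what a network IDS would look for

KEY = b"hypothetical-per-terminal-key"                # assumption: shared P2PE key
TRACK2 = re.compile(rb"^;(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d{0,20})\?$")


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for the real P2PE cipher."""
    out = bytearray()
    for ctr in itertools.count():
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        if len(out) >= n:
            return bytes(out[:n])


def p2pe_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypts or decrypts (XOR is its own inverse). It accepts any bytes at
    all: the encrypting end never asks whether they are card data."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def reader_send(key: bytes, records: List[bytes]) -> List[Tuple[bytes, bytes]]:
    """The retailer's reader: encrypt everything it is handed, record by record,
    using the record index as a per-record nonce."""
    return [(i.to_bytes(4, "big"), p2pe_xor(key, i.to_bytes(4, "big"), r))
            for i, r in enumerate(records)]


def luhn_ok(pan: str) -> bool:
    """Standard Luhn mod-10 check used on card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_record(rec: bytes) -> Optional[str]:
    """Returns None if rec looks like an authorization record, else a reason."""
    m = TRACK2.match(rec)
    if m is None:
        return "does not match the authorization record format"
    pan, _yy, mm, _svc, _disc = m.groups()
    if not luhn_ok(pan.decode()):
        return "PAN fails Luhn check (corrupted or forged)"
    if not 1 <= int(mm) <= 12:
        return "expiry month out of range"
    return None


def processor_receive(key: bytes, frames: List[Tuple[bytes, bytes]]
                      ) -> Tuple[List[bytes], List[Tuple[bytes, str]]]:
    """The processor: decrypt, then validate BEFORE anything is stored."""
    accepted, rejected = [], []
    for nonce, ct in frames:
        rec = p2pe_xor(key, nonce, ct)
        reason = validate_record(rec)
        if reason is None:
            accepted.append(rec)          # only now does it reach storage
        else:
            rejected.append((rec, reason))
    return accepted, rejected


def seen_on_the_wire(frames: List[Tuple[bytes, bytes]], signature: bytes) -> bool:
    """What a network IDS sitting between reader and processor can see."""
    return any(signature in ct for _, ct in frames)


if __name__ == "__main__":
    frames = reader_send(KEY, [GOOD_1, INJECTED, CORRUPT, GOOD_2])
    print("IDS sees malware signature in transit:", seen_on_the_wire(frames, MALWARE_SIG))
    ok, bad = processor_receive(KEY, frames)
    print("records stored:", len(ok))
    for rec, why in bad:
        print("rejected", rec[:12], "...", why)
```

Run it directly to watch the injected blob and the corrupted transaction get rejected while the two clean records are stored. The validation step is deliberately placed between decryption and storage, because that is the first point at which the processor can see plaintext at all; it is the "after decryption" inspection the encrypted link itself cannot provide.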