Gartner Blog Network

On Encryption and PCI DSS Challenges

by Anton Chuvakin  |  September 14, 2011  |  2 Comments

Here is an interesting piece of research just published by another member of SRMS team, Mario Boer: Comparing Endpoint Encryption Technologies.”

The document “provides an overview of the various technologies available for endpoint encryption and their strengths and weaknesses, thus enabling security architects to revalidate their architecture.” I am highlighting it here due to its relevance to PCI DSS projects as well as overall value for people deploying endpoint encryption for regulatory and other purposes.

While cardholder data is supposed to be safely stashed away on secure servers, it often finds its way to desktops, laptops, tablets and other mobile devices (even excluding the recently-fashionable mobile payment “terminals” made out of iPhones Smile). Thus the question of endpoint encryption comes to the forefront of both PCI DSS assessment and control implementation projects. In fact, many organizations have endpoints in scope for PCI, for various reasons, and thus likely need to encrypt cardholder data there.

Some of my favorite highlights follow below.

PCI DSS should rarely (if ever) be the sole factor for choosing encryption. In fact, Mario’s document lists two  requirements most useful when selecting encryption:

  • “Identify compliance requirements. These may originate from privacy and data breach laws or other sources.
  • Conduct a risk assessment that determines the sensitivity of information that is, or could be, stored on endpoints and the impact unauthorized access to such information may have on the organization”

PCI DSS  also drives some of the reporting requirements for encryption solutions. Specifically, “being able to report on the encryption status of a specific device that has been stolen or lost may be essential” for many mandates and regulations.

One of the common challenges when encrypting data for PCI is choosing between full-disk encryption (FDE) and file/folder encryption. The document has extensive discussion of this choice, such as by listing the fact that in one case the encryption is more transparent (FDE), while in the other case it better supports interoperability (file/folder).

And, obviously, there is discussion about dealing with “evil maids” there: “The evil maid has physical access to the device over an extended period of time. This actor may attempt to install malicious software or hardware devices such as keyboard sniffers and can physically analyze or copy the device. The evil maid can use specific results (login credentials) from earlier encounters to access the device”…

Finally, as we say in the PCI book, despite all the encryption considerations “the best way to protect the data for PCI DSS compliance is to delete it.”

Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research

Category: encryption  pci-dss  security  srms  

Tags: encryption  srms  

Anton Chuvakin
Research VP and Distinguished Analyst
8 years with Gartner
19 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio

Thoughts on On Encryption and PCI DSS Challenges

  1. […] On Encryption and PCI DSS Challenges Categories: Uncategorized Tags: architecture, security-architects, strengths, the-various, […]

  2. […] On Encryption and PCI DSS Challenges Categories: Encryption, Uncategorized Tags: architecture, Encryption, security-architects, […]

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.