Secure Payments, PCI DSS, Regulatory Compliance Blog

PCI SSC Seeks standard for End to End Encryption? (UPDATE)

September 22nd, 2009 by cmark Posted in PCI DSS

UPDATE: I just spoke with Pieter Penning of PWC. I was unaware that it was his group that was conducting the end-to-end analysis for the PCI SSC. I had assumed (we all know what they say about assuming ;) ) that it was not Pieter’s group. Let me say that I am familiar with Pieter and his group and, contrary to my earlier statements, his group is certainly well qualified to review PCI-related technologies. In spite of my best efforts and a few Jedi mind tricks, Pieter was as solid as a rock and would not provide any insight into their findings. I look forward to their findings!!

I just read an article in the ETA Currents that stated that the PCI SSC is seeking a standard for end-to-end encryption. While this is certainly a laudable goal, I do have to question the usefulness of the council defining the standard and vetting the technology when a number of very competent companies have had such solutions for several years and are experts at such technology.

In a previous life I had an opportunity to work with a government agency evaluating some new counter-sniper technologies. It was 1996 and I remember showing up to the briefing and looking around the room. I was sitting with a number of other Snipers, Rangers, Recon Marines, and SF types while we listened to a group of DARPA engineers describe how the counter-sniper systems would work. These engineers were technically brilliant and more than one had a PhD in Computer Science or Electrical Engineering from MIT or some other top-tier school. After the briefing one of the engineers asked what we thought and, not being shy about my opinion, I told them that I thought I could easily get past their systems. They looked at me with surprise and, I suspect, some arrogance and asked me to explain. I told them I would show them. Without divulging too much about how the systems worked, suffice it to say that the systems were not able to accurately detect our activities. While I would like to say that the reason they failed was because of some brilliant idea I had, in reality it was simply that the engineers, while technically brilliant, did not understand the fundamental aspects of sniping. As such, they created this technology without knowing the tactics or techniques used by snipers and the “tricks of the trade”. This is a good example of where theory does not always mesh with reality.

This example is provided because I think it is similar to what we are seeing now with the debate over end-to-end encryption. Processors, banks, and gateways are experts at transaction processing in the real world. My experience tells me that many also possess significant security expertise. These are the companies that have developed data replacement technologies, encrypted magnetic stripe readers, data vault technologies and the like. These companies have the practical knowledge of how transactions are processed in the real world, the constraints faced by merchants, and the challenges of securing data. They live it on a daily basis.

While I do not question the theoretical expertise of the company engaged to evaluate the efficacy of such products, I fear that when the definition is finally published, we will be left shaking our heads and wondering where the definition came from. There are a number of very technically adept organizations that have developed great security technologies for the payment card industry. I would suggest that a working group of these folks could provide better insight into how to define end-to-end encryption than theorists.

In the article it states that: “Leach says the council expects PricewaterhouseCoopers’ report to help the industry ascertain how end-to-end encryption will help merchants satisfy certain security mandates. He notes that ‘it may remove the adherence to certain requirements because you are already meeting them through the use of a certain technology.’”

At last check, PWC is neither a QSA nor a forensic investigation firm for the card brands. This is certainly not to suggest that PWC does not have skilled technologists and capable PCI experts; rather, it is an observation on the obvious. It seems difficult to understand how a company that is not deeply involved in payment card security, or involved in the standard as a QSA, a merchant, bank, or service provider, can effectively “ascertain how end-to-end encryption will help merchants satisfy certain security mandates.”

Having worked with a number of the product vendors that have created ‘alternative solutions’, I am familiar with MagTek’s MagneSafe, ProPay’s MicroSecure, TrustCommerce’s TC Vault, Shift4’s Tokenization, as well as MerchantLink’s TransactionVault and VeriFone’s VeriShield, among others. The folks that created these technologies are arguably some of the most technically adept I have ever had a chance to work with and certainly have a deeper understanding of processing than I could hope to achieve. It is challenging to see how a person without as deep an understanding can effectively evaluate the technologies.

In the Q3 issue of Secure Payments, we will be providing a product guide with 15 product descriptions of end-to-end solutions, as well as tokenization and other technologies. Be sure to pick up a copy or check for it online at www.securepaymentsmag.com

5 Responses to “PCI SSC Seeks standard for End to End Encryption? (UPDATE)”

By Sebastian Kübeck on Sep 23, 2009

    What are the chances that this effort will not end up like SET, SPA/UCAF and 3D Secure?
    It started the same way back then:

    1. Some ‘expert group’ came up with a specification.

    2. A lot of money was wasted implementing the standard. Numerous problems appeared when the standard left the land of theory and met the real world.

    3. Members rebelled and the efforts were silently taken down.

    4. Eventually, there is general amnesia and nobody remembers the standard as there is a new one being prepared. Continue with step 1.

By Bijoy Pananghat on Oct 1, 2009

    What is your take on VOLTAGE SecureData option of Format Preserving Encryption and Embedded FPE?

By Chris on Oct 1, 2009

    I am just getting familiar with Voltage’s solution and to be honest it looks pretty compelling from what I have read. I believe some large vendors are using the solution already for their E2E implementations. In speaking with some folks more knowledgeable about encryption than me, it seems pretty solid. Wish I had more for you.

By Bijoy Pananghat on Oct 1, 2009

    Well, I’m working on a POC to look at FPE and Embedded FPE, as part of our journey to an enterprise END TO END encryption. However, currently we have AES in our major databases, which I have a better comfort level with…hopefully by the end of POC, I will have a better feel for Voltage….

By cmark on Oct 2, 2009

    Good question. I wrote an article that talks about SET and 3DSecure in much the same way. In truth, if you look at the success of ‘chip and pin’ in the rest of the world (US excluded) I think this could also be a solid example.
