Data Encryption 101: Pragmatic Guide to PCI-DSS Requirements

Sep 03, 2010

This educational, unbiased white paper cuts through the techno-babble and discusses how to select appropriate software to meet PCI requirements for encryption and key management. It is intended to provide the information you need to make an intelligent cryptographic choice.

PCI lists broad requirements for protecting credit card data, both in storage and in use, with encryption as the prescribed linchpin for security. While cryptographic options for data in motion are well defined, since SSL/TLS is built into the platforms and network devices we use, the options for secure data storage are far more esoteric. The basic requirement is to use "strong cryptography," but there are many algorithms, dozens of tools, and many ways to deploy each of them. Strong cryptography is often misapplied because the chosen security model does not fit the business use case. The wrong choice leaves data accessible in clear text, resulting in wasted investment and persistent vulnerabilities.

In this paper, we present the information you need to determine the right strategy for your situation. This paper will:

• Demystify security goals, technologies and best practices and put them in perspective

• Discuss encryption options, what problems they can be expected to solve, and the associated tradeoffs

• Discuss supporting systems, such as key management, and their effect on security and manageability

• Provide a selection checklist