PCI DSS Requirement 3 details technical guidelines for protecting stored cardholder data and the requirements for encryption. The PCI DSS has perhaps been the biggest boon for encryption since the creation of PGP. Section 3 provides the high-level details around encryption. At a minimum, PCI requires the PAN (primary account number) to be rendered unreadable anywhere it is stored, including portable digital media, backup media and logs.
If all merchant data were encrypted, PCI DSS compliance would be much easier to accomplish. Note, however, that an entity that encrypts all of its data is still required to be PCI compliant if it stores, processes, and/or transmits cardholder information. The PCI Security Standards Council (PCI SSC) has been adamant and clear that encrypting cardholder information does not render the systems and data involved out of scope for PCI compliance.
PCI is the leading driver for application and database encryption, as any entity required to be PCI compliant must use encryption to protect cardholder information. But even with the significant security that encryption provides, it is not without technical and management challenges, including:
* Operating system and application vendors haven't made it easy and seamless to implement encryption, especially due to a lack of support for legacy systems
* Applicable laws/guidelines often conflict or fail to provide effective and consistent guidance
* Organizations implementing encryption often lack formal documentation of cryptographic processes and procedures
* Organizations implementing encryption often do not have a person or group who formally owns and is ultimately held responsible for proper cryptographic administration
* Costs / performance impacts
- Up-front and ongoing system maintenance costs
- Encryption is often a performance hit to systems and applications
- Costs and overhead associated with securely managing cryptographic materials
- Executive-level support required for cryptography audit and compliance requirements
Encryption challenges often manifest in databases; encrypting indexed data is one of them, as detailed in the Oracle Database Security Guide [pdf link]. Other challenges include:
* Key management
* Key transmission
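The following added example (not from the PCI DSS text, the PCI SSC, or the Oracle guide referenced above) shows the two points made on this page in working code: rendering the PAN unreadable wherever it lands, including log lines, and the indexed-data problem, handled here by storing a keyed one-way hash (HMAC-SHA-256) of the PAN as an index token so a column can be searched for equality without ever holding the PAN. Masking keeps only the last four digits, a policy choice assumed here; the key `DEMO_INDEX_KEY` is a constructed, non-secret value standing in for one held in a KMS or HSM, and the PANs in the samples are constructed test numbers.

```python
"""Render a PAN unreadable for storage, logs and indexed lookup.

Added example; not part of the original page. Assumes PANs are 13-19
digits and that the HMAC key is provisioned from a key-management system.
"""
import hashlib
import hmac
import re

# Constructed demo key (NOT secret). In production the key comes from a KMS
# or HSM, is never stored beside the tokens, and is rotated under a
# documented key-management procedure (one of the challenges listed above).
DEMO_INDEX_KEY = bytes(range(32))

# 13-19 digits, allowing a single space or dash between digits.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def normalize_pan(raw: str) -> str:
    """Drop the spaces/dashes people type between PAN groups."""
    return re.sub(r"[ -]", "", raw)


def luhn_valid(digits: str) -> bool:
    """Luhn check: filters most non-PAN digit runs (timestamps, order ids)."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Truncate to the last four digits; the discarded digits are unrecoverable."""
    digits = normalize_pan(pan)
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def index_token(pan: str, key: bytes = DEMO_INDEX_KEY) -> str:
    """Keyed one-way hash (HMAC-SHA-256) of the normalized PAN.

    Deterministic, so the column can be indexed and equality-searched without
    storing or decrypting the PAN. Keyed rather than a bare SHA-256 because
    the PAN space (a 16-digit number with a Luhn check digit) is small enough
    that an unkeyed hash is brute-forced offline.
    """
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


def prepare_for_storage(pan: str) -> dict:
    """What the database row keeps instead of the PAN."""
    return {"pan_token": index_token(pan), "pan_last4": normalize_pan(pan)[-4:]}


def scrub_log_line(line: str) -> str:
    """Mask every Luhn-valid 13-19 digit run before the line reaches a log.

    Digit runs that fail the Luhn check (order ids, timestamps) are left alone.
    """
    def _mask(match):
        digits = normalize_pan(match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return PAN_RE.sub(_mask, line)


if __name__ == "__main__":
    # Constructed sample using the well-known Visa test PAN, not a live card.
    print(prepare_for_storage("4111 1111 1111 1111"))
    print(scrub_log_line("2024-01-01 order 1234567890123 paid with 4111-1111-1111-1111"))
```

The scrubber is a last line of defence for the "including logs" clause of Requirement 3, not a substitute for never passing the PAN to a logger in the first place; the HMAC token supports equality lookups only, so range or prefix queries on the PAN column remain one of the indexed-data limitations the Oracle guide describes.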