* Key storage
* Changing encryption keys
PCI DSS and Data Encryption
For starters, encryption should be seen as a fundamental element of an organization's risk management program. While technologies such as firewalls and IDS/IPS are de rigueur, encryption is still lacking in far too many enterprises.
While the PCI DSS requires encryption or some other obfuscation of the PAN, the payment industry as a whole still has some perceived shortcomings. Specifically, PCI does not require encryption of data in transit over a private or internal network. The current definition of a private network has to be inferred from PCI standards documentation; however, it is still unclear how to make that determination in all cases.
For example, there are some networks, such as those composed of Multiprotocol Label Switching (MPLS) and Plain Old Telephone System (POTS) elements, that are clearly public in nature, yet the PCI DSS requirements make exceptions for these.
There is also some confusion on whether satellite-based data networks are considered public or private, and hence whether they need encryption capabilities or not. The authors are of the opinion that satellite-based data networks should be considered public networks unless it can be proven that the transmitted data is sufficiently difficult to intercept and decode. Note that the last part of this statement sounds incredibly subjective, and it is indeed so.
This subjectivity, however, reflects the position taken thus far regarding PCI compliance of satellite networks by the PCI SSC and the major card brands. They are leaving the final determination of public or private satellite network status up to the individual PCI QSA (Qualified Security Assessor) reviewing the relevant implementation. So there may indeed be some variance of opinion regarding actual compliance among different QSAs. Encrypting the data regardless of the above instances renders any confusion over relevant compliance a moot point.
Many vendors and compliance professionals are now touting the holy grail of data protection, which some refer to as end-to-end encryption (E2EE). E2EE implies encryption of cardholder information at the card swipe or other input source (such as a field within a web page where the PAN is manually entered), with the data remaining encrypted until its transmission to the payment processor for authorization and processing.
Getting E2EE working for all payment processing, especially on a global scale, represents a daunting effort, significant both in scale and scope, but doing so would help to ensure a robust core data protection capability. It is hoped that the future will bring stronger E2EE partnerships and integration among all of the PCI entities, from the processors and acquirers to the card brands and the myriad merchants.