Encryption data discovery
Before you can start encrypting data, you need to identify precisely where all PCI and other relevant critical data elements are stored. This process should be preceded by a formally defined set of data classification and retention requirements. PCI and other data integrity compliance requirements should drive the criteria that define what is considered sensitive data, what constitutes acceptable protection for it, how long it should be retained, and how to securely destroy it when it is no longer needed.
An enterprise-wide audit of all data repositories should be completed, taking great care to ensure that every possible data storage location has been identified. Note that this is a significant undertaking for large enterprises, and the process can take a few months in larger organizations.
Some of the items to include:
* Create and maintain up-to-date network and infrastructure documentation that details all PCI-related data flows, as now required by PCI DSS v1.2
* Manually review data flows within the PCI POS application to find the origins of all PCI data collection, including but not necessarily limited to card swipe data, cardholder information entered into web pages or electronic forms, faxes, etc.
* PCI compliance staff should review relevant electronic data storage locations and verify that they are not storing full track data (also known as sensitive authentication data, or magnetic stripe or chip data)
* Validate any logical separation and protections between systems storing cardholder information and those that do not
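The third item above, checking that storage locations do not hold full track data, is usually done with a scanner rather than by eye. The following Python script is an added example and not code from the original text: it looks for ISO/IEC 7813 track 1 and track 2 records and for Luhn-valid 13 to 19 digit PAN candidates in a constructed, fictional POS debug log, and it reports only masked values so that the scanner's own output does not become another cardholder-data store. The log lines, card numbers (standard test numbers) and field layouts are all constructed for the example.

```python
"""
Scan text (log lines, exports, config dumps) for cardholder data that
should not be at rest: full track 1/track 2 data and Luhn-valid PANs.
Only masked values are reported.
"""
import re

# Track 1 (ISO/IEC 7813, format code B):
#   %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")
# Candidate PAN: 13 to 19 digits, optionally separated by single spaces
# or dashes, and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; never emit the full PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_line(line: str) -> list[dict]:
    """Return findings for one line: track data first, then bare PANs."""
    findings = []
    covered = []  # character spans already explained by a track-data match
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            pan = m.group(1)
            findings.append({"kind": kind, "pan": mask_pan(pan),
                             "luhn": luhn_valid(pan)})
            covered.append(m.span())
    for m in PAN_RE.finditer(line):
        # Skip digit runs that sit inside a track record already reported.
        if any(s <= m.start() and m.end() <= e for s, e in covered):
            continue
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):  # Luhn filters out order ids, timestamps, etc.
            findings.append({"kind": "pan", "pan": mask_pan(digits),
                             "luhn": True})
    return findings


def scan_text(text: str) -> list[dict]:
    """Scan a multi-line text and tag each finding with its line number."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for f in scan_line(line):
            f["line"] = lineno
            results.append(f)
    return results


# Constructed sample: a fictional POS debug log using standard test card
# numbers. Line 3 is a Luhn-invalid order id, line 5 a Luhn-invalid typo.
SAMPLE_LOG = """\
2024-03-01 10:02:11 swipe ok msr=%B4111111111111111^DOE/JOHN^2512101000000000?
2024-03-01 10:02:11 swipe ok msr=;4111111111111111=25121010000000000000?
2024-03-01 10:03:40 order=1234567890123456 status=approved
2024-03-01 10:04:02 retry pan=5500 0000 0000 0004 exp=12/25
2024-03-01 10:05:17 ref=4111111111111112 note=typo
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} {f['pan']}")
```

Running the script reports three findings: track 1 data on line 1, track 2 data on line 2 and a bare PAN on line 4; the order id on line 3 and the mistyped number on line 5 fail the Luhn check and are not reported. In practice the same scan is pointed at database exports, log directories and file shares, and any track 1 or track 2 hit is a finding in its own right regardless of whether the PAN inside it is Luhn-valid.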
There is no one-size-fits-all, or even one-size-fits-most, approach to data encryption. The method and type of encryption you decide to use must be based on requirements specific to your organization, and on industry standards, proven encryption algorithms and robust encryption key lengths. The authors can attest that the most successful encryption deployments are those in which the client drives the project and brings in external expertise to assist when needed.
Disaster often strikes when clients have no idea of their encryption requirements and look to encryption vendors to solve the problem for them. Vendors can provide best practices and invaluable assistance; however, their objectivity may be skewed, and they may be more interested in selling their product than in helping to achieve an optimal solution. Always remember that the specific requirements must be driven by the client's needs.
There are many different encryption types to consider, each with its own set of advantages and disadvantages. Some of the most common are: