Four steps to better encryption key management in the retail environment
When the PCI Security Standards Council released the Payment Application Data Security Standard (PA-DSS) in 2008, the security of payment applications took a big leap forward. Today, all retail ISVs providing payment applications must certify their products with PA-DSS (which requires encryption and encryption key management for applications that process credit card data). Merchants expect this level of certification in the payment applications they use, and their customers expect personal information to be secured.
Yet time and time again we see news reports about retailers experiencing data breaches through their payment application software. These breaches tell us that PA-DSS certifications alone don’t always equal good security.
Here are four steps you can take on the road to better security:
1) Be Aware of Security Issues
In the rush to meet PA-DSS requirements for credit card encryption, many payment applications incorporated just enough technology to pass the certification requirements around encryption of sensitive data, but not enough to stay current with encryption key management best practices.
Do your payment applications incorporate critical components of encryption key management including:
- Tested and certified encryption key generation techniques
- Physical and logical protection of data encryption keys (DEK)
- Protection of data encryption keys by key encryption keys (KEK)
- Proper management of the life-cycle of encryption keys
- Certification of key management solutions to international standards such as NIST FIPS 140-2 and KMIP
2) Use Security Best Practices
In order to protect customers from data breaches and prepare for evolving compliance requirements, retail ISVs should strive to meet these encryption and key management best practices:
- Use Strong Encryption
The Advanced Encryption Standard (AES) is the standard when it comes to data encryption. AES has been adopted as a standard by the US government and is the recommended encryption method for PCI, HIPAA/HITECH, GLBA and individual state privacy regulations.
- Use Key Management Best Practices
Your encryption is only as good as how well you protect the encryption keys. Encryption keys should be secured away from the encrypted data using an external piece of hardware such as a hardware security module (HSM).
- Use Certified Solutions
Always use NIST validated AES encryption and FIPS 140-2 certified encryption key management. These certifications ensure that the vendor's key management has been tested by a third party against government standards and will stand up to scrutiny in the event of a breach.
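Steps 1 and 2 above describe three related practices: separating data encryption keys (DEKs) from the key encryption key (KEK), keeping the KEK outside the application in an external key manager or HSM, and using AES. The Go program below is an added illustration written for this post; it is not code from Townsend Security or from any product the post mentions. The KeyManager type is a hypothetical stand-in for an external key manager or HSM, the sample card number is a constructed test value, and wrapping the DEK under AES-GCM (rather than a certified key-wrap algorithm) is an assumption made so the example needs only the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyManager is a hypothetical stand-in for an external key manager or HSM.
// It holds the key encryption key (KEK) and exposes only wrap/unwrap, so the
// payment application never receives the KEK itself.
type KeyManager struct {
	kek []byte // 256-bit AES key; never leaves this struct
}

// NewKeyManager generates a random KEK (in a real deployment the HSM does this).
func NewKeyManager() (*KeyManager, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyManager{kek: kek}, nil
}

// newGCM builds an AES-GCM AEAD for a 128/192/256-bit key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts plaintext with AES-GCM and prefixes the random nonce.
// GCM also authenticates the output, so any tampering is detected on decrypt.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; it fails if the key, nonce, tag or aad do not match.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// WrapDEK encrypts a DEK under the KEK. The wrapped DEK may be stored beside
// the ciphertext because it is useless without access to the key manager.
func (km *KeyManager) WrapDEK(dek []byte) ([]byte, error) {
	return gcmSeal(km.kek, dek, []byte("dek-wrap-v1"))
}

// UnwrapDEK recovers a DEK; a different KEK or a modified blob fails here.
func (km *KeyManager) UnwrapDEK(wrapped []byte) ([]byte, error) {
	return gcmOpen(km.kek, wrapped, []byte("dek-wrap-v1"))
}

// Record is what the payment application persists for one protected field.
type Record struct {
	Ciphertext []byte // field encrypted under a per-record DEK
	WrappedDEK []byte // that DEK encrypted under the KEK
}

// zeroize overwrites key material once it is no longer needed.
func zeroize(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// EncryptField creates a fresh DEK, encrypts the field with it, wraps the DEK
// and then discards the plaintext DEK so it is never stored with the data.
func EncryptField(km *KeyManager, plaintext []byte) (*Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	defer zeroize(dek)
	ct, err := gcmSeal(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := km.WrapDEK(dek)
	if err != nil {
		return nil, err
	}
	return &Record{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// DecryptField asks the key manager to unwrap the DEK, uses it once, and zeroizes it.
func DecryptField(km *KeyManager, rec *Record) ([]byte, error) {
	dek, err := km.UnwrapDEK(rec.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	defer zeroize(dek)
	return gcmOpen(dek, rec.Ciphertext, nil)
}

func main() {
	km, _ := NewKeyManager()
	// Constructed sample value (a well-known test card number), not real cardholder data.
	rec, _ := EncryptField(km, []byte("4111111111111111"))
	pt, err := DecryptField(km, rec)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	other, _ := NewKeyManager() // a second key manager holding a different KEK
	_, err = DecryptField(other, rec)
	fmt.Println("record rejected under a different KEK:", err != nil)
}
```

The stored Record never contains the KEK, only a DEK that is unreadable without the key manager, which is the separation step 2 calls for. Because GCM authenticates both layers, a modified ciphertext or a wrapped DEK presented to a key manager with a different KEK is rejected rather than silently decrypting to garbage, and each DEK is zeroized as soon as it has been used.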
3) Pick Your Partners Wisely
Townsend Security has redefined what it means to partner with a security company:
- With our NIST validated and FIPS 140-2 certified encryption and encryption key management solutions, retail ISVs can offer their customers easy, affordable, and powerful data security.
- Our dedicated team provides our partners with extensive training, back-end support, marketing materials, and a cost-effective licensing model. You focus on what you do best, and we’ll help you turn encryption and encryption key management into a revenue-generating option to help build your business and protect your valued customers.
- We have more than 20 years of experience supplying encryption and key management solutions to over 3,000 companies worldwide.
- We help our customers achieve data privacy compliance at an affordable price and with a personalized touch.
4) Download the eBook “Overcoming Critical Security Issues”
This eBook resource is designed to give you the tools and information needed to have a high-level discussion about data security in your company. Click the button below to request your complimentary download!