One of my biggest beefs with the security technology industry, and even with auditors and legislators, has been their habit of mindlessly pushing encryption as the solution to data theft problems.
To quote Bruce Schneier again:
The ultimate solution. Well, the payment application vendors, supposedly prodded by the likes of Visa and Mastercard, have been recording varying levels of details about payment transactions for 18 months. Thus, the credit card companies have been part of the problem here and with this requirement change, they can become part of the solution for once. They have a great racket...
Whether encryption solves your problem depends entirely on your threat model. If the data theft is due to an application or business logic flaw, encryption is unlikely to do anything for you, because the application has to decrypt the data to use it (e.g. an XSS attack can reveal encrypted data just fine...).
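To make the threat-model point concrete, here is an added example (my own illustration, not code from the original post). It assumes a storage layer that encrypts card numbers at rest but, as any real application must, hands plaintext back to the code that renders receipts; the encryption itself is a stand-in one-time pad (`encrypt_at_rest`), and the store, the customer name and the card number are all constructed for the demo. A copy of the database shows only ciphertext, yet a receipt page that splices an untrusted display name into HTML unescaped lets any markup in that name land on the same page as the decrypted digits. The encryption does nothing about that; output escaping does.

```python
import html
import secrets


def encrypt_at_rest(plaintext: bytes, key: bytes) -> bytes:
    """Stand-in for the storage layer's encryption: a one-time pad (XOR with a
    random key at least as long as the data). Assumed for illustration only."""
    if len(key) < len(plaintext):
        raise ValueError("key must be at least as long as the plaintext")
    return bytes(p ^ k for p, k in zip(plaintext, key))


def decrypt_at_rest(ciphertext: bytes, key: bytes) -> bytes:
    # XOR with the same key is its own inverse.
    return encrypt_at_rest(ciphertext, key)


class CardStore:
    """Keeps card numbers encrypted on disk, but returns plaintext to any
    caller inside the application, because that is what the application
    needs in order to do its job. (Constructed for this example.)"""

    def __init__(self) -> None:
        self._rows: dict[str, tuple[bytes, bytes]] = {}

    def put(self, customer: str, pan: str) -> None:
        key = secrets.token_bytes(len(pan))
        self._rows[customer] = (encrypt_at_rest(pan.encode(), key), key)

    def raw(self, customer: str) -> bytes:
        # What someone who copies the database file sees: ciphertext.
        return self._rows[customer][0]

    def get(self, customer: str) -> str:
        # What the application (and any code running inside it) sees: plaintext.
        ct, key = self._rows[customer]
        return decrypt_at_rest(ct, key).decode()


def render_receipt_unsafe(store: CardStore, customer: str, display_name: str) -> str:
    """Application-layer flaw: the customer-supplied display name is spliced
    into HTML unescaped, so any markup it carries ends up in the page that
    also shows the decrypted card digits. Encryption at rest is irrelevant here."""
    last4 = store.get(customer)[-4:]
    return f"<p>Thanks {display_name}, card ending in {last4}</p>"


def render_receipt_safe(store: CardStore, customer: str, display_name: str) -> str:
    """Same page with the flaw fixed: untrusted text is HTML-escaped on output,
    so it can only ever be shown as text, never interpreted as markup."""
    last4 = store.get(customer)[-4:]
    return f"<p>Thanks {html.escape(display_name)}, card ending in {last4}</p>"


if __name__ == "__main__":
    store = CardStore()
    store.put("alice", "4111111111111111")  # constructed test card number
    print("on disk:", store.raw("alice").hex())
    name = "<b>untrusted markup</b>"  # constructed untrusted input
    print("unsafe:", render_receipt_unsafe(store, "alice", name))
    print("safe:  ", render_receipt_safe(store, "alice", name))
```

The stored bytes are unreadable without the key, which is exactly what an audit checklist item about "encrypting cardholder data" verifies, and exactly what fails to matter once the flaw is in the rendering path rather than in the disk image.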
Group drafts rules to nix credit-card storage