PCI PA-DSS Draft Does Away With Requirement For Persisting Credit Card Data
One of my biggest beefs with the security technology industry, and even with auditors and legislators, has been their tendency to mindlessly push encryption as the solution to data theft problems.
To quote Bruce Schneier again:
The ultimate solution. Well, the payment application vendors, supposedly prodded by the likes of Visa and Mastercard, have been recording varying levels of detail about payment transactions for 18 months. Thus, the credit card companies have been part of the problem here, and with this requirement change they can become part of the solution for once. They have a great racket…
I previously built a very detailed decision tree, which I'll have to publish, to help people who design systems with privacy in mind decide what they should store and, if they do store it, how long to keep it and how to protect it. The flow starts with the question: Do you really need to store this data? If yes, the next question is: For how long? If you start with encryption, you skip these questions entirely, and asking them is what leads to _more security by design_ and _lower risk_.
Whether encryption solves your problem at all depends on your threat model. If the data theft is due to an application or business logic flaw, then encryption is unlikely to do anything for you: the application has to decrypt the data to do its job, so anything running in the application's context gets the plaintext (e.g. an XSS attack can reveal "encrypted" data just fine…).
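As an added illustration of the two points above (this is example code written for this page, not the author's decision tree or any PA-DSS material), the toy model below compares a store that keeps the full card number encrypted at rest with one that answered "do you really need this?" with no and keeps only the last four digits. The attacker in this model never touches the database or the key; they only get the application to render a record, which is all an XSS or logic flaw needs. The stand-in cipher, the class names, the `exposed_by_app_layer_flaw` helper and the test card number are all constructed for the example.

```python
import hashlib
import os

def _keystream(key: bytes, n: int) -> bytes:
    """Toy keystream (SHA-256 of key||counter); stands in for real at-rest encryption."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def encrypt(key: bytes, plaintext: str) -> bytes:
    data = plaintext.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

def decrypt(key: bytes, ciphertext: bytes) -> str:
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, len(ciphertext)))).decode()

KEY = os.urandom(32)  # at-rest key; the application tier must hold it in order to decrypt

class EncryptedStore:
    """Design A: 'yes, we need the full PAN', so persist it encrypted at rest."""
    def __init__(self):
        self.rows = {}
    def save(self, customer: str, pan: str) -> None:
        self.rows[customer] = encrypt(KEY, pan)
    def render_account_page(self, customer: str) -> str:
        # The app must decrypt to do its job, so anything running in the app's
        # context (an XSS payload, a business-logic flaw) sees the plaintext too.
        return "Card on file: " + decrypt(KEY, self.rows[customer])

class MinimisedStore:
    """Design B: 'no, we only need the last four digits', so nothing else is persisted."""
    def __init__(self):
        self.rows = {}
    def save(self, customer: str, pan: str) -> None:
        self.rows[customer] = pan[-4:]  # the remaining digits never reach the database
    def render_account_page(self, customer: str) -> str:
        return "Card on file: **** **** **** " + self.rows[customer]

def exposed_by_app_layer_flaw(store, customer: str) -> str:
    """Models the threat: the attacker never touches the database or the key; they just
    get the application to render the record for them (which is all XSS needs)."""
    return store.render_account_page(customer)

if __name__ == "__main__":
    for store in (EncryptedStore(), MinimisedStore()):
        store.save("alice", "4111111111111111")  # constructed test number
        print(type(store).__name__, "->", exposed_by_app_layer_flaw(store, "alice"))
```

Design A's database row is still ciphertext, which is exactly what an audit checkbox for "encryption" would confirm; it is the rendered page, not the row, that the attacker reads.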