Moulds, a data protection specialist for data-security firm Thales e-Security, says in an interview with Information Security Media Group that the industry is focused on the need for standardized practices that protect cardholder data, from the time it is accepted at the POS to the time the payment is settled with the acquiring bank.
Encryption can help protect data, but unless it's truly end-to-end, which is not the case in most retail environments today, card data can still be exposed, Moulds says.
The exposure of unencrypted card data was a focal point of recent Congressional hearings surrounding the Target and Neiman Marcus breaches. Both retailers were attacked by malware that ultimately exposed credit and debit data collected in the clear at the point of sale before it was encrypted as the transactions were processed (see Breach Hearings: How Did Security Fail?).
One reason end-to-end encryption is difficult to achieve is because managing the keys required to decrypt card data gets more complicated the more players that are involved, Moulds says.
"The real challenge, when it comes to deploying encryption, is keeping the keys secret," Moulds contends. The more entities that need to have access to the keys that decrypt card information, the more risk increases, he says. This is especially true in the payments chain, Moulds says.
"Really, it's all about the key management," he says. "And that becomes a significant thing to manage, and a burden."
During this interview, Moulds discusses:
- The Payment Card Industry Data Security Standard's requirements for data encryption and key management;
- How encryption and tokenization outside the scope of PCI enhances card security; and
- Why payments security hinges, in part, on key management.
At Thales eSecurity, Moulds serves as the vice president of product management and strategy. He has helped to redefine boundaries of encryption management for numerous global enterprises.