Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Can software-based POS encryption improve PCI compliance?

Maria Korolov | March 18, 2015
In the wake of the recent Verizon report that shows that 80 percent are out of PCI DSS compliance between audits, some vendors are urging the PCI Council to consider approving software-based point-to-point encryption, in addition to the current hardware-based standard.

"Through software-based encryption, you're performing encryption in memory, and that memory is highly susceptible to memory scraping," he said. "That is a vector of attack that has been used in almost every cardholder data breach of the last 18 months."

Hardware-based encryption, by comparison, puts the encryption mechanism -- the plain text data -- inside a hardware security module that self-destructs if tampered with.

"Bluefin stands firmly on the belief that only hardware-based encryption provides adequate controls to address the attack vectors prevalent in the industry today," he said.

Bluefin used to be on the other side, he added.

"When the PCI standard was first released, we had a software-based solution in place, and had to look at what PCI was recommending," he said. "We decided that the new standard represented better cardholder protection."

Two and a half years and several million dollars of investment later, Bluefin has replaced its software-based encryption with hardware.

"Ease of deployment is only a concern for encryption providers who fail to comply with the new standards and continue to use older technology to perform their encryption and decryption," said Pfanstiel.

Today, there are currently over 160 validated devices that support hardware-based encryption, he said. "And the list grows every day."

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.