
PCI DSS will allow you to use cryptography, truncation, hash functions or index tokens for compliance

November 2008 by Ulf Mattsson, CTO, Protegrity Corporation

Cryptography, truncation, hash functions and index tokens.

These methods represent three radically different ways to render data unreadable:

1. Two-way cryptography with associated key management processes

2. One-way transformations including truncation and one-way cryptographic hash functions

3. Index tokens and pads

How are they different?

1. Two-way encryption of sensitive data is one of the most effective means of preventing information disclosure and the resultant potential for fraud. Cryptographic technology is mature and well proven. There is simply no excuse for not encrypting sensitive data. The choice of encryption scheme and topology of the encryption solution is critical in deploying a secure, effective and reasonable control. The single largest failure in deploying encryption is attempting to create an ad-hoc cryptographic implementation.

2. Hash algorithms are one-way functions that turn a message into a fingerprint, usually not much more than a dozen bytes long. Truncation will discard part of the input field. These approaches can be used to reduce the cost of securing data fields in situations where you do not need the data to do business and you never need the original data back again.

3. Tokenization is the act of replacing the original data field with a reference or pointer to the actual data field. This enables you to store a reference pointer anywhere within your network or database systems. Combined with proper network segmentation, this approach can be used to reduce the cost of securing data fields in situations where you do not need the data itself to do business and only need a reference to that data.
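The one-way methods and the index token applied to the same card number, as an added example that is not from the original article. Assumptions: the PAN is a constructed test number, truncation keeps the first six and last four digits, the hash is keyed (HMAC-SHA-256) rather than bare, and the in-memory `TokenVault` class is hypothetical.

```python
import hashlib
import hmac
import secrets

SAMPLE_PAN = "4111111111111111"  # constructed test number, not a real card


def truncate_pan(pan):
    """One-way: keep the first six and last four digits, discard the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan, key):
    """One-way: keyed SHA-256 fingerprint (assumption: HMAC, not a bare hash)."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Hypothetical index-token store; the vault's table is the only link to the PAN."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan):
        if pan in self._token_by_pan:  # same PAN always yields the same token
            return self._token_by_pan[pan]
        while True:
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token):
        return self._pan_by_token[token]  # only possible with vault access


def compare(pan, key):
    """Return each representation of the same PAN for side-by-side review."""
    vault = TokenVault()
    token = vault.tokenize(pan)
    return {
        "truncated": truncate_pan(pan),
        "hashed": hash_pan(pan, key),
        "token": token,
        "recovered_from_token": vault.detokenize(token),
    }
```

Only the token can be mapped back to the original value, and only by a system that can reach the vault; the truncated and hashed forms carry no path back to the full number.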

