Cyber Secure Your Life!

On November 28th, along with Joshua Stone, owner of Digital Doc, I will be presenting on cybersecurity. The event is hosted by the Montgomery Business Association. Josh Stone will provide tips on online safety and privacy from a consumer perspective, and I will focus on integrating cybersecurity practices at home and in the business, identifying and prioritizing cybersecurity actions, and managing cyber risk. More information can be found on the ShopLocal Montgomery events page.

When: Tuesday November 28th, 7 PM
Where: Princeton Fitness & Wellness Center, 1225 State Rd, Princeton, New Jersey 08540
Who: Khürt Williams (Monkey Hill) and Joshua Stone (Digital Doc).

Is Encrypted Cardholder Data Still Cardholder Data?

Encrypted Cardholder Data – Out Of Scope? (PCI Guru)
Where stored encrypted CHD is out of scope is when a third party controls the encryption keys. This most often occurs with tokenization. Under a tokenization scheme, the CHD is sent to a third party who then securely stores the CHD and returns a token that links the CHD at the third party to the token stored by the merchant. If the merchant needs to make any subsequent charges to the account, the merchant sends the stored token to the third party and the third party substitutes the stored CHD for the token and the transaction is completed. But since the merchant does not have access to the token creation process, the token is out of scope because it is no longer considered CHD.
I am clear about scope. I am unclear about whether or not the encrypted CHD is still considered CHD after encryption.

According to this FAQ

The following are each in scope for PCI DSS:

  • Systems performing encryption and/or decryption of cardholder data, and systems performing key management functions
  • Encrypted cardholder data that is not isolated from the encryption and decryption and key management processes
  • Encrypted cardholder data that is present on a system or media that also contains the decryption key
  • Encrypted cardholder data that is present in the same environment as the decryption key
  • Encrypted cardholder data that is accessible to an entity that also has access to the decryption key

So my question is: if the CHD is encrypted in transit (TLS 1.2) to the CDE, encrypted inside the CDE with a key received over TLS from an HSM that is isolated from the CHD database and on a separate network from the CDE, and the encrypted CHD is then transmitted over TLS to be stored in the database, is the database in scope, and is the encrypted CHD still CHD?

To clarify:

  • The database does not perform encryption or decryption of cardholder data, does not perform key management functions, and does not store the encryption keys.
  • The encrypted CHD stored in the database is isolated from the encryption, decryption and key management processes. The HSM does not have access to the database server, and the database server does not have access to the HSM. The CDE is on a different network segment from the HSM.
  • The encrypted CHD stored in the database is not present on a system or media that also contains the decryption key. The decryption keys are stored in the HSM appliance only.
  • The encrypted CHD stored in the database is not present in the same network environment as the decryption key.
  • The encrypted CHD stored in the database is accessible to the entity that also has access to the decryption key.
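A concrete model of the design described in the question above, as an added example; this is not the author's code and not any real HSM's API. The in-memory `keyCustodian` stands in for the HSM on its own network segment, the TLS channels are omitted, AES-256-GCM is assumed as the cipher (the post does not name one), and the PAN is a constructed test number. The record type is what the database tier actually stores.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// keyCustodian stands in for the HSM appliance. As in the design above, the
// CDE application receives the key from it and the database tier never does.
// Hypothetical model, not a real HSM API.
type keyCustodian struct {
	keys map[string][]byte // key ID -> 256-bit AES key, never written to the database
}

func newKeyCustodian() *keyCustodian {
	return &keyCustodian{keys: map[string][]byte{}}
}

// GenerateKey creates a fresh AES-256 data-encryption key under the given ID.
func (kc *keyCustodian) GenerateKey(id string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	kc.keys[id] = k
	return nil
}

// ReleaseKey hands a key to the application tier (over TLS in the real design).
func (kc *keyCustodian) ReleaseKey(id string) ([]byte, error) {
	k, ok := kc.keys[id]
	if !ok {
		return nil, errors.New("unknown key id")
	}
	return k, nil
}

// record is the only thing the cardholder database stores: ciphertext plus
// the metadata needed to decrypt it on a tier that can obtain the key.
type record struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptPAN runs in the CDE application tier. The account reference is bound
// in as GCM additional data so a ciphertext cannot be moved onto another row.
func encryptPAN(key []byte, keyID, accountRef, pan string) (record, error) {
	aead, err := newGCM(key)
	if err != nil {
		return record{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return record{}, err
	}
	ct := aead.Seal(nil, nonce, []byte(pan), []byte(accountRef))
	return record{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// decryptPAN fails unless the caller presents the right key and reads the
// record back under the account reference it was written with.
func decryptPAN(key []byte, accountRef string, r record) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, r.Nonce, r.Ciphertext, []byte(accountRef))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// recordExposesPAN is the check to run from the database side: does the
// stored row contain the PAN digits in the clear?
func recordExposesPAN(r record, pan string) bool {
	return bytes.Contains(r.Ciphertext, []byte(pan)) || bytes.Contains(r.Nonce, []byte(pan))
}

func main() {
	kc := newKeyCustodian()
	if err := kc.GenerateKey("dek-2017-11"); err != nil {
		panic(err)
	}
	key, _ := kc.ReleaseKey("dek-2017-11")
	pan := "4111111111111111" // constructed test number, not a real account
	rec, err := encryptPAN(key, "dek-2017-11", "acct-0001", pan)
	if err != nil {
		panic(err)
	}
	fmt.Printf("db row: key_id=%s nonce=%x ct=%x\n", rec.KeyID, rec.Nonce, rec.Ciphertext)
	fmt.Println("row exposes PAN:", recordExposesPAN(rec, pan))
	got, err := decryptPAN(key, "acct-0001", rec)
	fmt.Println("recovered with the HSM-released key:", err == nil && got == pan)
}
```

Read against the FAQ bullets quoted above: the database server holds only the row and cannot reach the key custodian, which is the isolated case the first four bullets describe. The application tier, however, holds the released key in memory and can also read the database, so it is exactly the "entity that also has access to the decryption key" in the last bullet and stays in scope whatever the database's status. Anyone with credentials to both tiers is in the same position.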

In-Person Authentication

It's Time to Let Go of Our Data (Daniel Miessler)
Because so many people have our information, and we can’t really change that information, we can no longer authorize transactions based only on having that data. It’s pretty obvious when you think about it. What we’re going to have to do is some sort of composite authentication, where you have multiple factors in place at once, and at least one of those will likely include a live visual component. Expect in-person authentication to become a lot more popular in coming years, with services like notaries getting used more frequently. And as the technology becomes available, expect to see digital forms of in-person identity validation as well—things like proving you’re at a particular location, doing bio-based auth, someone not validating that you are you unless they can see you and talk to you, etc.
Daniel Miessler’s response to the Equifax data breach — and data breaches in general — seems rational to me. Online verification of identity was always suspect and it makes sense that we move authentication back to the physical world. It’s not a perfect solution but I think it’s better than what we have now.