Chapter 8

Protecting Cardholder Data

It is easier to produce ten volumes of philosophical writing than to put one principle into practice.

—Leo Tolstoy

PCI standards require only disk storage encryption, and in some cases communication encryption. Since the core technology around payment card processing has fundamental security flaws, the payment application should encrypt the sensitive cardholder data wherever possible: in memory, at rest, and in transit. In addition, it is a good idea to implement the defense in depth principle — put in extra layers of protection wherever possible. For example, when sending data over a network, a payment application can encrypt the sensitive data elements using symmetric algorithms, and also encrypt the entire communication session with a transport security mechanism such as SSL, HTTPS, or IPSec. In theory, physical and logical security controls can form another layer of protection. However, they are not effective in the hazardous working environment of a POS, which is directly exposed to the public.

Data in Memory

The answer to questions about memory protection is simple: the sensitive cardholder data can't be completely safe if it is not encrypted before it is placed in memory. There are no existing reliable security mechanisms that would prevent memory scraping. If an attacker gains access to the POS hosting computer, the chances that the data will be leaked are very high because most of the operations (including encryption, decryption, and cryptographic ...
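As an added example (not code from the book), the following Go program shows the inner layer of the defense in depth described above: the PAN is sealed with AES-256-GCM inside the application, so the authorization message carries only the ciphertext and a first-six/last-four mask before TLS wraps the whole session. The last function is a deliberately simplified approximation of what a memory scraper searches for, useful as a check that an outgoing buffer holds no clear PAN pattern. The key, the test card number and all function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"regexp"
	"strings"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPAN encrypts the PAN with a fresh random nonce, prepended so the receiver can decrypt.
func SealPAN(key []byte, pan string) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(aead.Seal(nonce, nonce, []byte(pan), nil)), nil
}

// OpenPAN is the receiver's side; the GCM tag rejects any ciphertext altered in transit.
func OpenPAN(key []byte, sealed string) (string, error) {
	raw, derr := base64.StdEncoding.DecodeString(sealed)
	aead, err := newGCM(key)
	if derr != nil || err != nil || len(raw) < aead.NonceSize() {
		return "", errors.New("malformed sealed PAN")
	}
	pt, err := aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], nil)
	return string(pt), err
}

// MaskPAN keeps only the first six and last four digits (PANs are 13 to 19 digits long).
func MaskPAN(pan string) string { return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:] }

// LooksLikeClearPAN is a simplified stand-in for a memory scraper's search: a run of 13 to 19 digits.
func LooksLikeClearPAN(buf []byte) bool { return regexp.MustCompile(`[0-9]{13,19}`).Match(buf) }
```

The data-encrypting key is assumed to come from the application's key management; the 32-byte literal used in the test is for illustration only.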

Get Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions now with the O’Reilly learning platform.
