In the financial services industry, a contested topic in security and regulatory compliance is end-to-end encryption (encrypting data at rest and data in transit) versus tokenization. Because compliance regimes such as the Payment Card Industry Data Security Standard (PCI DSS) and the FFIEC information security examination requirements include encryption and data-protection requirements, enterprises are looking for the best way to protect cardholder data and other sensitive data. End-to-end encryption and tokenization are both candidate solutions, but each has its own advantages and disadvantages, so they deserve careful consideration before an investment in either technology is made.
Let's start with encryption. End-to-end encryption means that data is encrypted at rest and stays encrypted in transit until it reaches its final destination. If a well-known, trusted algorithm is used, end-to-end encryption can provide the highest level of data confidentiality.
For example, payment card companies commonly use dedicated hardware security modules (HSMs), running 3DES or another strong algorithm, to encrypt and decrypt payment card PINs. These modules are typically protected by physical locks and keys that only administrators with the appropriate privileges can access, so the likelihood of data leakage is relatively low. In another case, card data is encrypted with 3DES, AES or another algorithm at the point-of-sale (PoS) terminal at each outlet and stays encrypted until it is finally processed by the bank. A further advantage of encryption is that, because it has been available for a long time, it integrates more easily with existing PoS terminals, network and database solutions, and financial applications.
Unfortunately, end-to-end encryption is not that simple. First, people are often unclear about what "end to end" actually consists of. If financial data passes through different operating systems and applications at different stages of transmission, it may be decrypted and re-encrypted several times along the way, which defeats the purpose of end-to-end encryption, because data is most exposed during exactly those operations. In many cases there are also business reasons to keep the data, or part of it, in usable form: a common example is retaining payment card data for recurring charges and refunds. In addition, centralized management of encryption keys and key storage is complex and expensive. In these situations tokenization is the more practical option.
How tokenization works: after initial authorization or initial processing, the payment card data or financial account record is replaced with a special value or identifier, the token. Some see this as a way around the inherent complexity of encryption in implementation and management: a tokenization solution is more flexible and simpler. With tokenization, in many cases what is actually transmitted is not real financial data, which removes the need to handle or use the raw data in transactions. The token can be stored indefinitely, so the value can be retained and used in later transactions, or used to reach the actual data whenever it is needed. In most cases, enterprises outsource tokenization to a provider that processes and holds the data, which also reduces the enterprise's own security management burden to some extent.
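As an added illustration of the tokenization flow just described, and of why a merchant can keep a token for recurring charges and refunds without holding the card number itself, here is a toy token vault (example code written for this page, not a product or the article's own): the vault validates the PAN, issues a random surrogate that keeps only the last four digits and deliberately fails the Luhn check, and returns the same token for the same PAN on repeat calls. The HMAC index key and the in-memory dictionaries are constructed stand-ins for what a real vault would keep in an HSM and an encrypted store.

```python
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn check that every real card number (PAN) must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Toy tokenization service: the only place the real PAN exists."""

    def __init__(self) -> None:
        self._index_key = secrets.token_bytes(32)  # constructed; an HSM would hold it
        self._pan_by_token: dict[str, str] = {}    # must be encrypted at rest in a real vault
        self._token_by_idx: dict[str, str] = {}    # keyed-hash index, no raw PAN as key

    def _index(self, pan: str) -> str:
        # HMAC so the same PAN always maps to the same token without
        # storing the PAN itself as a lookup key
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        idx = self._index(pan)
        if idx in self._token_by_idx:
            return self._token_by_idx[idx]
        while True:
            # random body, last four digits kept for receipts; candidates that
            # pass Luhn are rejected so a token can never pass as a real PAN
            body = "".join(secrets.choice("0123456789") for _ in pan[:-4])
            token = body + pan[-4:]
            if token != pan and not luhn_valid(token):
                break
        self._token_by_idx[idx] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the authorized payment path (e.g. a refund) may call this."""
        return self._pan_by_token[token]
```

A merchant system in this model stores only the token next to the customer record and hands it back to the vault when a refund or recurring charge needs the real PAN.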
Such outsourcing, however, can be a double-edged sword. Many large financial institutions will understandably hesitate to outsource a security-critical function of this kind. Some specific policy and technical requirements may be incompatible with tokenization, and it is difficult to locate and tokenize all financial data in the environment, so these institutions may not adopt it. Some large organizations can protect financial data simply by encrypting the entire database or the entire storage environment; even data the administrators do not know about is then protected. Tokenization, by contrast, relies on explicitly modifying the data itself, so if those encryption controls are removed in favour of tokenization, the result may be inadvertent leakage or data loss. For these reasons, tokenization currently seems best suited to smaller enterprises with more flexible requirements, or to those with more precise control over their data: where it is stored, how it is used, and who manages the tokens and the token processing and storage systems.
Looking ahead, the financial services industry may not have to choose just one of these technologies. Although encryption and tokenization each have advantages and disadvantages, there are many opportunities for them to coexist. If an enterprise adopts tokenization, the token servers and storage areas still need encryption for their own security. And because tokenization cannot cover 100% of applications and uses of sensitive financial data, encryption remains useful. So there is no simple answer: whether the work is done in-house or outsourced to a supplier, both technologies must be managed and maintained.