Article: E2EE


End To End Encryption (E2EE)

A number of our clients have been investigating employing End to End Encryption to assist with PCI DSS scope reduction.

If implemented correctly, E2EE can significantly reduce the burden of PCI DSS compliance.


E2EE does not describe any specific technology or product. Within the context of PCI DSS compliance, it refers to a process where cardholder data is strongly encrypted (usually within a tamper-resistant hardware payment terminal) and transmitted to a PCI compliant service provider who then decrypts it for the purposes of authorisation or settlement.

This can have the benefit of reducing the scope of the CDE for the merchant, as the transmission of this encrypted cardholder data should not bring other parts of the merchant's network into scope for PCI DSS. In turn, this makes PCI compliance more straightforward.

The following statements must be true of an E2EE implementation for it to gain any scope-reduction advantage:

1. The merchant using the E2EE solution must have no access to the encryption keys used to encrypt or decrypt the cardholder data.
2. The encryption used to protect the card data during transmission must be "strong" - that is, it must conform to the definition of "strong cryptography" as described by the PCI Security Standards Council.

A very important point to note is that all other applicable PCI DSS requirements still need to be met, and all other card processing routes need to be included when assessing scope. E2EE does not automatically enable a merchant to attest that everything is out of scope.
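To make the two conditions concrete, here is an added Go model of the flow described above (illustrative code, not from the page or from Ambersail): the terminal seals the PAN with AES-256-GCM, the merchant's network only forwards and logs the ciphertext, and the service provider decrypts it. The shared key, the test PAN and the function names are assumptions made for the example; the key distribution used by real terminals is outside what this page describes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newAEAD builds AES-256-GCM from a 32-byte key that only the terminal's
// tamper-resistant hardware and the service provider hold, never the merchant.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// terminalEncrypt runs on the terminal; only nonce||ciphertext||tag leaves it.
func terminalEncrypt(aead cipher.AEAD, pan string) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, []byte(pan), nil)...), nil
}

// providerDecrypt runs at the service provider; a message altered in transit
// fails GCM authentication and is rejected rather than processed.
func providerDecrypt(aead cipher.AEAD, msg []byte) (string, error) {
	if n := aead.NonceSize(); len(msg) >= n {
		pt, err := aead.Open(nil, msg[:n], msg[n:], nil)
		return string(pt), err
	}
	return "", errors.New("message too short")
}

// merchantSawPAN is the scope check over what the merchant's network relayed
// and logged: a PAN in the clear there would pull that network into the CDE.
func merchantSawPAN(logged [][]byte, pan string) bool {
	for _, m := range logged {
		if bytes.Contains(m, []byte(pan)) {
			return true
		}
	}
	return false
}
```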

Advantages of E2EE

  • An opportunity to reduce the scope of the CDE (cardholder data environment), depending on how E2EE is implemented.
  • An opportunity to shift the challenging key-management processes (PCI DSS section 3.6) to a vendor or service provider.
  • Improved security of the merchant’s internal network, by reducing the risk of eavesdropping between the cardholder data entry point and the service provider.
  • The use of more secure payment technology may enable participation in Visa's Technology Innovation Programme (TIP). This could substantially reduce mandatory compliance activity.

Disadvantages of E2EE

  • Upfront costs. Many E2EE solutions are “rip and replace” – legacy systems often cannot support cryptographic enhancements.
  • Transactions may incur a premium cost as compared to traditional services, depending on the E2EE solution.
  • Proprietary devices or software responsible for encryption of cardholder data can often only be maintained by the service provider, which may contribute to vendor lock-in or prolonged downtime.
  • E2EE can be perceived as a “silver bullet” solution. Other instances and uses of cardholder data can become apparent during an on-site assessment, which increases the scope of applicable PCI DSS requirements.

End-to-end encryption is only one aspect of PCI that Ambersail provides information on. If you are interested in getting timely updates on a range of subjects associated with PCI, please go to: http://lists.ambersail.net/listinfo/pci or contact us directly on +44 (0) 1925 60062.
Ambersail Information

  • We are an experienced QSA and have been performing audits for many years.
  • Communication is very important, and we offer invaluable advice that often saves organisations time and money.
  • We are completely independent and have no allegiance with product vendors. Our neutral stance allows us to make unbiased product selections for clients.
  • If required, we can independently liaise with your Acquirer to ensure you correctly interpret Acquirer requests.


© 2012 Ambersail Ltd