You should care about the new block cipher standard. Each and every time you use one of those point-of-sale devices, your precious credit card information is stored in that very reader.
The National Institute of Standards and Technology (NIST) has a new standard that is designed to protect your details (PDF). It’s been a tricky problem to address, as there was a mandatory requirement to retain the length and current format of the credit card numbers.
The standard specifies two alternatives for format-preserving encryption, so that this data can still be read and processed by existing applications while payment card information is protected from the bad guys.
We are entering an era of encryption by default.
The NIST solution
The NIST standard (SP 800-38G) creates a new approach to “format-preserving encryption,” which makes long strings of numbers indecipherable whether they are represented in binary or in decimal.
Older NIST standards were designed to apply only to binary data. The new standard defines two approaches to what is termed format-preserving encryption, or FPE, named FF1 and FF3. Each is built on the 128-bit-block Advanced Encryption Standard (AES) and conforms to the new standard’s requirements for block cipher modes.
The ‘smarts’ is that when this standard is applied, the FPE-encrypted credit card number looks just like a credit card number: same length, same digits. This allows existing systems and hardware to continue to operate unchanged.
Under the previous standards it was not possible to encrypt decimal data while still allowing system programs to read the number in its original format.
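To make the format-preserving idea concrete, here is an added Python illustration; it is not from the article and it is not the NIST FF1 or FF3 algorithm, only a toy with the same Feistel skeleton those modes use. A keyed round function (HMAC-SHA256 standing in for FF1’s AES-based PRF) is applied to alternating halves of a decimal string, so the ciphertext is itself a digit string of the same length and round-trips under decryption. The key, tweak and card number are constructed demo values.

```python
import hmac
import hashlib

# Constructed demo key; a real deployment would derive keys from an HSM or KMS.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def _prf(key: bytes, round_no: int, half: str, tweak: bytes) -> int:
    """Keyed round function (HMAC-SHA256 here; FF1 uses an AES-based CBC-MAC)."""
    msg = bytes([round_no]) + len(tweak).to_bytes(2, "big") + tweak + half.encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def fpe_encrypt(key: bytes, digits: str, tweak: bytes = b"", rounds: int = 10) -> str:
    """Encrypt a decimal string into another decimal string of the same length.
    Same skeleton as FF1: split into halves A|B, then alternate Feistel rounds that
    add a PRF of one half to the other modulo 10**m, so digits stay digits."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("input must be a numeral string of at least two digits")
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in range(rounds):
        m = u if i % 2 == 0 else v              # length of the half being rewritten
        c = (int(a) + _prf(key, i, b, tweak)) % 10 ** m
        a, b = b, str(c).zfill(m)               # keep leading zeros: format matters
    return a + b


def fpe_decrypt(key: bytes, digits: str, tweak: bytes = b"", rounds: int = 10) -> str:
    """Inverse of fpe_encrypt: run the rounds backwards, subtracting instead of adding."""
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(rounds)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _prf(key, i, a, tweak)) % 10 ** m
        a, b = str(c).zfill(m), a
    return a + b


def format_preserved(plain: str, cipher: str) -> bool:
    """The property the article relies on: same length and digit-only alphabet."""
    return len(cipher) == len(plain) and cipher.isdigit()


if __name__ == "__main__":
    pan = "4111111111111111"                    # constructed sample card number
    ct = fpe_encrypt(DEMO_KEY, pan, tweak=b"merchant-0042")
    print(pan, "->", ct, "format preserved:", format_preserved(pan, ct))
```

The tweak plays the same role as in FF1: it binds a ciphertext to a context (here a constructed merchant id) without being secret, so the same card number encrypts differently per context.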
What drove the standard was the need to protect credit card numbers. Interestingly, this approach also has a use case in medical records: personal information held in medical records can be protected in the same way.
Benefit for medical research
With every database, we need a unique key to search, index and locate information. Typically a key is assigned; in countries like the USA the social security number is used.
The advent of this standard can ensure the requisite security and ensure that the privacy of records is maintained. I would expect that, given the recent HIPAA decision to integrate their health standards with NIST, adoption will certainly occur. There will be increased focus on the critical need for cyber security for medical devices and the personal information that is stored.
Encryption by default
The dust from the and we are already seeing that WhatsApp chats and calls are now being encrypted. I believe that we have started entering an era where encryption by default becomes the norm.
In a recent CSO Roadshow on this topic, there was an expert opinion that encryption by default would eventually cover 75 to 80 per cent of all data.
Clearly there are performance issues to be overcome before encryption can be applied at that scale. But in a time of increased data breaches and an inability to fully insure against the resulting losses, it is somewhat inevitable that we start to see more encryption everywhere.
I’m a big believer in appropriate action and response. As managers we have to understand risk and manage this appropriately.
Right now I’m happy for my credit card and medical records to be secure.