The PCI Data Security Standard :: What Your Auditor May Not Be Telling You About the Private Keys to the Kingdom
March 25th, 2010 - Posted by: Gregory Webb
At its core the PCI Data Security Standard (PCI DSS) is nothing more than a series of guidelines that constitute security best practices. Companies that institute programs to better protect cardholder data can also leverage and extend these efforts throughout their business, ensuring that other sensitive customer, employee and partner data is better protected.
Section two of the PCI DSS standard (requirements three and four of the so-called “digital dozen”) mandates that cardholder data be encrypted when stored or transmitted over open networks. PCI DSS requirements 3.5 and 3.6 mandate that companies protect “cryptographic keys used for encryption of cardholder data against both disclosure and misuse” and that they “fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data.”
Earlier this year, Gartner analyst Avivah Litan reported that PCI DSS has been a key driver in security-related spend in recent months (see: “PCI Compliance Remains Challenging and Expensive”). Companies who don’t demonstrate compliance or who experience a breach are paying big dollars as a result.
Yet despite PCI DSS, increased security spend and growing encryption deployments, one has to question whether enterprise data is really any more secure. Big company names continue to appear in the headlines because of major breaches, which raises the question: do companies that deal with credit card and other sensitive data actually follow best practices, or even the PCI requirements, when it comes to managing their encryption?
Let’s have a closer look. In the same report, Gartner recommends that companies encrypt data in transit—even when the data is being transmitted over internal, private networks. This goes beyond what PCI DSS requires, yet is certainly a best practice. The report also calls out the importance of properly protecting “decryption keys”, which for data in transit means “private keys”. This implies an inherent security risk in poorly managed private keys used to secure network traffic. Gartner states:
“The PCI standard does not require the encryption of data that flows over private enterprise networks; however, Gartner recommends that card-accepting enterprises consider this measure because it renders the data useless if it’s stolen (unless, of course, the thief has access to the decryption key).”
What are typical organizations currently doing to manage and secure their private keys? This becomes an especially important question given that the majority of data breaches have been executed from inside organizations. Let’s take a closer look. When SSL is used to encrypt data in transit, the certificate is used to authenticate the client to the server, and then the public key contained in the certificate is used to encrypt a symmetric key that in turn encrypts the ensuing two-way communication. Thus, if you can gain access to the “decryption key”, which in this case is the private key that resides on the server, you can recover the symmetric key and decrypt the data. All of this, of course, could be done after the fact if the network stream was captured. Thus, if the wrong person has access to or obtains a copy of that key, then the data is at risk.
Sound far-fetched? Check out the attack vector that Wired reported the infamous TJX hackers exploited:
“In the spring of 2005, associates of TJX hacker Albert Gonzalez hacked into the point-of-sale system of a Marshall’s clothing store in Minnesota. The hackers pointed an antenna at the store to grab data as it streamed over the store’s vulnerable Wi-Fi network, then used the data to gain access to the central transaction database of TJX, Marshall’s parent company.
Similarly, in mid-2007, Gonzalez’s gang gained access to point-of-sale servers at Dave & Buster’s restaurants and installed packet sniffers to siphon card data as it was transmitted to corporate computers and others for authorization.”
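To make the exposure described above concrete, here is an added Go example (not code from the original post) that models the SSL RSA key exchange in miniature: the client wraps a fresh session key to the public key from the server's certificate and encrypts the data under it, and anyone who later obtains the server's private key can unwrap that session key from a recording and read the data. It is a simplified model, not a TLS implementation: PKCS#1 v1.5 wrapping (what SSL actually used) and AES-GCM stand in for the record layer, and the names Capture, ClientSend and DecryptCapture are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
)

// Capture is what a passive sniffer records: wrapped session key, nonce, ciphertext.
type Capture struct{ WrappedKey, Nonce, Ciphertext []byte }

// gcm builds AES-256-GCM from a 32-byte key; a failure here is a programming bug.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// ClientSend models the client side of SSL RSA key transport: pick a fresh session
// key, encrypt it to the server certificate's public key, then encrypt the payload.
func ClientSend(serverPub *rsa.PublicKey, plaintext []byte) (Capture, error) {
	buf := make([]byte, 44) // 32-byte session key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return Capture{}, err
	}
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, serverPub, key)
	if err != nil {
		return Capture{}, err
	}
	return Capture{wrapped, nonce, gcm(key).Seal(nil, nonce, plaintext, nil)}, nil
}

// DecryptCapture is what any holder of the server's private key can do with a
// recording at any later time: unwrap the session key and open the data.
// A different key fails to unwrap (or fails GCM authentication) and gets nothing.
func DecryptCapture(serverPriv *rsa.PrivateKey, c Capture) ([]byte, error) {
	key, err := rsa.DecryptPKCS1v15(nil, serverPriv, c.WrappedKey)
	if err != nil || len(key) != 32 {
		return nil, rsa.ErrDecryption
	}
	return gcm(key).Open(nil, c.Nonce, c.Ciphertext, nil)
}
```

With an ephemeral Diffie-Hellman cipher suite the recording contains no session key wrapped to the long-lived private key, so a later key compromise cannot decrypt past traffic, although it still lets the holder impersonate the server.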
The need to protect these keys with good key management and access control systems from bad guys (the “thief” referenced in the Gartner quote above) becomes very interesting in the context of Gartner’s other finding:
“The Gartner survey found that retailers are mostly concerned about unauthorized access to their systems by insiders, not outsiders…. Insiders typically cause the most damage because they know where to find sensitive corporate personal, financial account and other information.”
And
“As you secure your enterprise systems, remember that insiders with privileged and knowledgeable access can cause significantly more damage than an outside hacker acting alone.”
In most organizations, these private keys are not being protected—from either external or internal threats. In fact, despite best practices and specific key management requirements in the PCI DSS standard, keys are seldom rotated and are frequently protected with the same password across hundreds of keystores.
Who’s managing the private keys to your kingdom?
