When answering PCI compliance questions about encrypted data, examine how you collect, store, and transmit sensitive data when working from your office computer, portable devices, and home.
Encrypted Data ‘At Rest’
Encrypted data ‘at rest’ means that data sitting in storage (a disk, a phone, a backup drive) is encrypted, so that someone who takes the drive or the whole device cannot read it without the key. HIPAA treats encryption of stored electronic health records as an addressable safeguard, and organizations that hold such records encrypt them in practice; PCI DSS Requirement 3 likewise requires stored account data to be rendered unreadable wherever it is kept. Many organizations that don’t fall under HIPAA only encrypt data at rest on mobile devices such as a notebook computer, tablet, or phone, even though an office desktop or an external drive can be stolen just as easily.
Encryption at rest is an intentional act, and you should verify it rather than assume it. Apple has offered FileVault on its computers for many years: open System Preferences > Security & Privacy > FileVault (System Settings > Privacy & Security on current macOS), or run `fdesetup status` in Terminal, to see whether it is on. On Windows, BitLocker is available in the Pro, Enterprise, and Education editions; Windows Home offers a more limited “Device encryption” option only on hardware that supports it, so check Settings for that option and run `manage-bde -status` from an elevated prompt to confirm a volume is fully encrypted and protection is on. iPhone and iPad users who set a passcode have data encryption enabled. Android phones shipped with recent versions of the OS are encrypted by default, and the status appears under Settings > Security. In every case the encryption is only as strong as the password, PIN, or passcode that unlocks the key: a device with encryption on and no lock screen credential is readable by anyone who picks it up.
Encrypted Data ‘In Transit’
Apple and Google emphasized the importance of encrypting data ‘in transit’ a few years ago, and it has become the norm. Data transferred between two devices is encrypted ‘in transit’ when it is encoded so that anyone who intercepts it on the way cannot read or alter it. For example, when you open a website in a browser, the images, text, and background files retrieved from the website travel over the network to your computer; that transfer is ‘in transit’ communication. If you open the website using “https”, as in “https://techtipscentral.us”, you establish an encrypted connection between the website and your computer. The “s” in “HTTPS” means the session runs over TLS, and the browser shows a padlock in the address bar once it has verified the site’s certificate and negotiated encryption. Many hosting providers and web servers now obtain certificates and redirect plain “http” requests to “https” automatically. However, a padlock covers only that one connection; to state that you use ‘in transit’ encryption, you need to ensure that every connection a device makes is encrypted. Let me explain.
Let’s say you’re in a restaurant, working remotely, and use your notebook computer to connect to your company’s website over the restaurant’s Wi-Fi. In this example, the restaurant doesn’t secure its network using encryption. Your HTTPS session to the company’s site is still protected: another patron on the same network cannot read its contents. But everything else your computer sends over that open network is exposed, including DNS lookups that reveal which sites you visit, any application that still uses plain HTTP or another unencrypted protocol, and the computer itself, which is now reachable by anyone else on the same network. You’re not using ‘in transit’ encryption fully because only one connection is encrypted while the rest of your network activity rides an unencrypted network.
Let’s say instead that you tether to your phone and use your mobile provider’s network to connect to the website from your notebook computer. The cellular link is encrypted between your phone and the carrier, so bypassing the restaurant’s insecure network altogether keeps the other patrons out of the path and maintains ‘in transit’ encryption for all of your traffic. A VPN to your company’s network accomplishes the same thing when you must use untrusted Wi-Fi, because it wraps every connection, not just the HTTPS ones, in an encrypted tunnel.
Checking for Both ‘At Rest’ and ‘In Transit’ Encryption
Check each device connected to the Internet for both ‘at rest’ and ‘in transit’ encryption to answer PCI compliance questions. The two answers map to different parts of PCI DSS: Requirement 4 covers cardholder data transmitted over open, public networks, and Requirement 3 covers cardholder data you store. For example, let’s say your credit card terminal connects to your merchant provider over a verified TLS connection, but sensitive data stored internally isn’t encrypted. For PCI purposes, you answer that the data is encrypted ‘in transit’, but not ‘at rest’. Keep in mind that PCI DSS also tells you to store as little cardholder data as possible and never to keep sensitive authentication data after authorization, so the best answer for many devices is that the data is not stored on them at all.
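The device-by-device check described in this section and in the ‘at rest’ section above, as an added example that is not from the original post: a small POSIX shell script that turns the raw output of `fdesetup status` (macOS), `manage-bde -status` (Windows) and `openssl s_client` into the yes/no answers a PCI questionnaire asks for. The tool outputs embedded below are constructed samples so the script runs offline; the `live_at_rest` helper shows where the real command goes.

```shell
#!/bin/sh
# Added example (not from the original post): classify OS and openssl output
# into "at rest" / "in transit" answers. Sample outputs below are constructed.

# --- At rest: macOS FileVault --------------------------------------------
# `fdesetup status` prints "FileVault is On." or "FileVault is Off.".
filevault_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On\.'
}

# --- At rest: Windows BitLocker ------------------------------------------
# `manage-bde -status C:` (elevated prompt) prints, among other lines,
# "Conversion Status: Fully Encrypted" and "Protection Status: Protection On".
# Both are required: a fully encrypted volume with protection suspended keeps
# its key in the clear, so it does not count as encrypted at rest.
bitlocker_on() {
    printf '%s\n' "$1" | grep -q 'Conversion Status: *Fully Encrypted' &&
    printf '%s\n' "$1" | grep -q 'Protection Status: *Protection On'
}

# --- In transit: the TLS session to the merchant or company endpoint ------
# `openssl s_client -connect HOST:443 -servername HOST </dev/null` prints the
# negotiated protocol and "Verify return code: 0 (ok)" when the certificate
# chain validates. A verify error (self-signed, expired, wrong host) is the
# case where a browser would not show the padlock, so the answer is "no".
tls_ok() {
    printf '%s\n' "$1" | grep -q 'Verify return code: 0 (ok)' || return 1
    proto=$(printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    case "$proto" in
        TLSv1.2|TLSv1.3) return 0 ;;   # SSL and early TLS are not acceptable
        *) return 1 ;;
    esac
}

# Only an https:// URL claims encryption in transit at all.
url_encrypted() {
    case "$1" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# One line per device for the questionnaire: "at_rest=yes|no in_transit=yes|no".
# $1 is the at-rest check (filevault_on or bitlocker_on), $2 that tool's
# output, $3 the openssl output for the endpoint the device talks to.
pci_answer() {
    at_rest=no; in_transit=no
    "$1" "$2" && at_rest=yes
    tls_ok "$3" && in_transit=yes
    printf 'at_rest=%s in_transit=%s\n' "$at_rest" "$in_transit"
}

# Live at-rest check for the machine this runs on (macOS has fdesetup).
live_at_rest() {
    if command -v fdesetup >/dev/null 2>&1; then
        filevault_on "$(fdesetup status)" && echo yes || echo no
    else
        echo unknown   # on Windows, feed `manage-bde -status C:` to bitlocker_on
    fi
}

# ---- Constructed sample outputs (not captured from real systems) ---------
SAMPLE_FV_ON='FileVault is On.'
SAMPLE_BDE_SUSPENDED='Volume C: [Windows]
[OS Volume]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off'
SAMPLE_TLS_GOOD='CONNECTED(00000003)
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Verify return code: 0 (ok)'
SAMPLE_TLS_SELFSIGNED='CONNECTED(00000003)
SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 18 (self-signed certificate)'

pci_answer filevault_on "$SAMPLE_FV_ON" "$SAMPLE_TLS_GOOD"                 # at_rest=yes in_transit=yes
pci_answer bitlocker_on "$SAMPLE_BDE_SUSPENDED" "$SAMPLE_TLS_SELFSIGNED"   # at_rest=no in_transit=no
```

The BitLocker check is the one people get wrong: a volume that reports “Fully Encrypted” with “Protection Off” (the state after `manage-bde -protectors -disable`, which some update tools leave behind) unlocks without any credential, so it should be answered “no” until protection is re-enabled.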
Please use this information to examine how you store and transmit sensitive data from office computers, portable devices, and home. Although I haven’t covered everything, I hope this guides you when answering PCI compliance questions or creating policies governing them.