"Encryption is hard, let's go shopping!"
On upcoming changes to the Payment Card Industry Data Security Standard:
“Today, the requirement is to make all information unreadable wherever it is stored,” Maxwell said. But this encryption requirement is causing so much trouble for merchants that credit card companies are having trouble dealing with requests for alternative measures, he said.
In response, changes to PCI will let companies replace encryption with other types of security technology, such as additional firewalls and access controls, Maxwell said. “There will be more-acceptable compensating and mitigating controls,” he said.
Yeah. It sure is hard to encrypt a file. Or a filesystem. After all, the important thing about controls is not that they achieve their objectives, but that they be palatable.
Note to credit card companies:
sed ‘s/Veteran’s Administration/YOU/g’ BlinkTank/Tim Wright)