As business use of the Internet was taking off in mid-1998 I began hearing this consistent message from IBM AS/400 users: “We need encryption to protect our data as it moves over the Internet.” I only needed to hear this a few times before I began looking at incorporating encryption options into our file transfer applications.
My research included talking to a handful of encryption vendors, before finding an application called “Pretty Good Privacy,” or PGP. The application was the work of Phil Zimmermann and a small cohort of fellow off-the-map developers. I researched Phil a bit before contacting him, and — uh oh — I found he had been in trouble with the US government back when encryption was considered a “munition.” So it was with a little hesitation that I decided to place a call to this “outlaw” programmer.
By this time, the controversy over Phil’s activities had died down, and many of the restrictions on encryption had been relaxed. I found it surprisingly easy to get his phone number, get Phil on the phone, and see what he thought about using PGP on large systems.
We had a good conversation about PGP and its prospects for becoming a commercial standard for data protection. Phil was very helpful and we discussed some of the technical issues in porting PGP to the AS/400. He encouraged me to take the leap into the PGP project, and gave me referrals to the development team in charge of the commercial version of PGP. That call and his encouragement were crucial to our efforts over the next 10 years to bring PGP encryption to large IBM platforms.
After some twists and turns, and a few months of laboring in the trenches, we released the first version of PGP for the AS/400. The port to the AS/400 turned out to be a really big challenge. The C compiler was in its infancy, and we struggled with its limitations. And the ASCII to EBCDIC conversions were a nightmare. But we got the product released in 1999. It was very popular and remains so today. We now have hundreds of customers using PGP to protect their data.
PGP is now the de facto standard for whole-file encryption in eCommerce. It is deployed by banks, insurance companies, medical suppliers, payroll servicers, and a wide variety of other organizations. Almost every organization on planet Earth deploys PGP to protect sensitive data. Phil’s vision of PGP becoming a widely accepted method of protecting data has become a reality.
Of course, PGP has been through some changes over the years. New encryption algorithms have been added such as AES and Elliptic Curve Cryptography. The product found a new home at PGP Corporation, and has undergone steady development since then. We have a great relationship with the folks at PGP, and many of them have been working with the product from the first days.
PGP Corporation recently completed a FIPS-140 certification of the PGP technology, and this was an important step. As we watch the evolution of security standards, I believe that independent certification by NIST will be crucially important in the months and years ahead. I know from personal experience that certification is hard to do and demands a deep commitment on the part of an encryption vendor. But there is no substitute for the rigor and discipline that it requires.
Here at PTSS we continue to incorporate PGP into new solutions. It’s a rock-solid platform on which to build. I’m happy to continue working with PGP Corporation, and you’ll be hearing from us soon about some of our new developments that incorporate PGP encryption.
After all these years, I’m grateful for Phil’s words of encouragement back in 1998, and I am reminded never to underestimate what a few encouraging words can do. Thanks Phil!


Most of us who work in data security have probably had this experience. You bump into a neighbor on your morning walk, or meet someone at a party, and as soon as they find out what field you’re in, they pop the question: “Do you really think it is safe to buy stuff on the Internet?” There are variations on the question, of course. They might ask about on-line banking, using a credit or debit card at the store, using a bank ATM, or almost any other financial transaction. Fielding these questions is one of the unintended consequences of your career choice. But what you tell that near stranger says almost as much as what you don’t tell them.
I usually try to keep my answer short and say something like: “Large retailers are probably compliant with PCI regulations and they are likely to be more secure in relation to credit cards. Smaller retailers may not yet be in compliance with these regulations. However, your credit card issuer is going to protect you from losses due to fraud and theft. Debit card transactions are more secure end-to-end because of encryption, and your merchant likes debit cards because of the lower fees, but your bank may or may not be helpful in the event of a loss. You might have more personal risk when you use your debit card. If you do on-line banking, make sure there is two-level sign-on, and make sure your bank will stand behind you in the event of a loss. My advice is to take the normal precautions when using your card, use a credit monitoring service, check your statements regularly, don’t use Internet cafes for payments or banking when you travel, and know your bank.”
The rest of my answer is mainly for industry insiders. For instance, I find it odd that merchants who are PCI compliant are reluctant to make this information public. I would certainly feel better making an on-line purchase if I saw a statement on the check-out page that said something like “We’ve passed a PCI audit with no compensating controls. We are committed to securing your personal information when you buy online from us.” Even with some obligatory fine print from the lawyers, this would signal a sincere effort to protect information. But you never see this type of statement on merchant web sites; even the ones that I know are PCI compliant and really diligent about security. I wonder why . . .
Similarly, I find the difference between debit cards and credit cards to be interesting. Debit cards have long had end-to-end encryption using public/private key encryption. When you swipe your debit card and punch in the PIN code, that PIN is encrypted all the way to the bank. The same isn’t true for credit cards, however, because credit card numbers are simply not encrypted as they flow over various networks. That information is susceptible to loss anywhere along the path from the retailer to the credit card processor. All parties seem to accept this risk simply as a normal cost of doing business, and the bad guys do occasionally breach those networks. So the bottom line is that even if a credit card transaction starts out secure, there are numerous weak points where information can be lost or stolen.
This takes us back to the original question, and my answer that’s more for those of us in data security than for my neighbor. “I think there has been major progress over the last three or four years in data protection, but we have a long way to go before payment transactions are really secure. There are so many ways to expose and lose information, and end-to-end encryption is the only way I know to truly protect it. My hat is off to those merchants and payment processors who are making that long slog to embed encryption at every point in the process. But until encryption is universal, none of our sensitive information will be truly secure.”