Companies rolling out encryption programs tend to focus on well-known difficulties, such as key management. But other surprises await the unwary:
Search: Traditional search methods may not work on encrypted data, says Harvey Ewing, senior director of IT security at Accor North America. And searching a big database by decrypting every entry as you go is computationally infeasible. The answer: Use a special algorithm to, for example, create a unique hash value for each credit card number, and store that alongside the encrypted credit card number. The hash value can't be converted back into the credit card number if someone improperly gains access to it, but it can be searched on as easily as any other data element.
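The pattern Ewing describes, a searchable index stored beside the encrypted field, looks like this in practice. This is an added example written for this page, not code from the article or from Accor. It assumes a keyed hash (HMAC-SHA256 under a separate index key) rather than a plain hash, so that the index column cannot be reversed by enumerating the relatively small space of valid card numbers; it also normalises spacing and dashes so the same card always produces the same index value. The `INDEX_KEY` value, the `Record` layout and the `encrypt_pan_placeholder` function are constructed placeholders: the placeholder returns opaque bytes so the example runs offline and is not encryption.

```python
"""Searchable blind index stored beside an encrypted card number (added example)."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

# Constructed placeholder. In a real deployment the index key lives in the key
# manager and is distinct from the key used to encrypt the card number itself.
INDEX_KEY = b"constructed-index-key-do-not-use-in-production"


def normalise_pan(pan: str) -> str:
    """Strip spaces and dashes so the same card number always indexes identically."""
    digits = re.sub(r"[\s-]", "", pan)
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        raise ValueError("not a plausible card number")
    return digits


def blind_index(pan: str, key: bytes = INDEX_KEY) -> str:
    """Keyed hash of the normalised card number.

    Deterministic, so equality search works; keyed, so someone who obtains the
    index column but not the key cannot rebuild it by trying every card number.
    """
    return hmac.new(key, normalise_pan(pan).encode(), hashlib.sha256).hexdigest()


@dataclass
class Record:
    record_id: int
    pan_ciphertext: bytes  # output of the real encryption step (placeholder below)
    pan_index: str         # blind index used for search


def encrypt_pan_placeholder(pan: str) -> bytes:
    """Stand-in for the encryption step so the example runs offline.

    This is NOT encryption; it only returns opaque bytes. Use an authenticated
    cipher such as AES-GCM from a vetted library in a real system.
    """
    return b"<ciphertext:" + secrets.token_hex(8).encode() + b">"


def store(records: list, record_id: int, pan: str) -> Record:
    """Persist the encrypted value together with its searchable index."""
    rec = Record(record_id, encrypt_pan_placeholder(pan), blind_index(pan))
    records.append(rec)
    return rec


def find_by_pan(records: list, pan: str) -> list:
    """Equality search: recompute the index for the query and compare.

    No record is decrypted during the search, which is the whole point of the index.
    """
    needle = blind_index(pan)
    return [r.record_id for r in records if hmac.compare_digest(r.pan_index, needle)]


if __name__ == "__main__":
    db = []
    # Constructed test card numbers, formatted three different ways.
    store(db, 1, "4111 1111 1111 1111")
    store(db, 2, "5555-5555-5555-4444")
    store(db, 3, "4111111111111111")
    print(find_by_pan(db, "4111-1111-1111-1111"))  # [1, 3]
```

Two design points follow from the dependency and key-management concerns elsewhere on this page: the index must be computed by every system that writes the column, with the same normalisation, or lookups will silently miss rows; and rotating the index key means recomputing the index for every existing record, which is a migration to plan for rather than a surprise.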
Dependencies: Make sure you are not passing an encrypted data field from one system to another that is expecting to find it unencrypted. "Once you begin encrypting data in one location, if you don't know all the dependencies of where the data is stored and used, then you are going to break things," says Ewing.
Performance: Despite the march of Moore's Law and the tuning and optimisation of hardware and software by cryptography gear vendors, performance is still a concern. "We did hit some stumbling blocks in the way some of our databases interacted," Ewing says. "That can be a problem if you are at the front desk of a hotel swiping a credit card." (With technical help from the vendor, the performance problem proved "manageable," he says.)