NIST Publishes New Security Standard For Encrypting Credit Card, Medical Info

The National Institute of Standards and Technology (NIST) has developed new encryption methods for securing financial data and other sensitive information.

The NIST publication SP 800-38G authored by Morris Dworkin specifies cryptography standards for both binary and non-binary data, preserving the look and feel of the unencrypted digits. Earlier encryption methods designed by NIST worked for binary data. But for strings of decimal numbers, there was no feasible technique to produce coded data that preserves the original format.

"How do you transform a string of digits such as a credit card number so that it is indecipherable to hackers, but still has the same length and look—in other words, preserves the format—of the original number, as the software expects?" Dworkin said in a NIST post.

The new standard -- "Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption" -- describes two encryption methods that can help cipher both binary and non-binary sequences of symbols, maintaining the same format as that of the original string. The FF1 and FF3 techniques are aimed at protecting the credit card number during the financial transaction, and can also help secure sensitive medical records.

Though the encryption methods can protect patient’s personal information, Dworkin notes that it's still no foolproof security measure. “FPE can facilitate statistical research while maintaining individual privacy, but patient re-identification is sometimes possible through other means,” he said. “You might figure out who someone is if you look at their other characteristics, especially if the patient sample is small enough. So it’s still important to be careful who you entrust the data with in the first place.”

Read more on the new security standard in this NIST post.