Page-Integrated Encryption
End-to-End Encryption for Web Transactions
Page-Integrated Encryptionâ„¢ (PIE) encrypts sensitive user data in the browser, and allows that data to travel encrypted through intermediate application tiers. Unlike traditional TLS/SSL encryption, this keeps user data private as it travels through load balancers and web application stacks, only decrypting that data when it reaches secured inner host systems. As an example, eCommerce merchants can use PIE to reduce PCI exposure of their web and intermediate hosts. PIE integrates via a Javascript library include and a single API call within the web page itself. The PIE system encrypts data with host-supplied single use keys, making a breach of a user browser session useless for decrypting any other data in the system.
PIE is implemented via three participating parties: the user’s browser, a PIE key server, and a decryption host. A PIE transaction is initiated by loading a web page that references an URL served up by the PIE key server. This URL returns Javascript code containing a one-time key, a key identifier, and associated code that encrypts data under that one-time key. The page, before submitting a sensitive data item, calls the included Javascript which encrypts the data and optionally embeds the key identifier in the ciphertext. This encrypted data is posted or returned to the web application. The data can then pass through any number of systems before arriving at the decryption host. The decryption host returns the key identifier to the PIE key server, which checks the authentication of the decryption host, then returns the one-time associated with the key identifier. This allows the decryption host to decrypt and use the sensitive data.
