Security via Obscurity
Security by obscurity will never work. Period. However, quite often, especially during PCI DSS audits, some assessors or trusted advisors tend to allow the use of “binary” encoded protocols that are not encrypted but merely obfuscated. This happens especially because PCI DSS does say that the data should not be in clear text and that sampling of systems should verify that.
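The difference between "not clear text" and "encrypted" can be checked mechanically. The Python below is an added example, not part of the original post: it looks for a card number in a sampled payload under several decodings that need no key (packed BCD, EBCDIC, base64). The frames, the test number and every function name are constructed for illustration, and it assumes the number is delimited by non-digit characters or nibbles.

```python
import base64
import re

TEST_PAN = "4111111111111111"  # constructed sample: a widely used test number

PAN_RE = re.compile(r"(?<![0-9])[0-9]{13,19}(?![0-9])")  # delimited run of 13-19 digits
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{20,}={0,2}")

def luhn_ok(digits):
    """Luhn checksum, used to discard digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def keyless_views(payload):
    """Decode the payload every way that needs no key, only knowledge of the format."""
    views = {
        "ascii": payload.decode("latin-1"),
        "packed-bcd": payload.hex(),                       # one digit per nibble
        "ebcdic": payload.decode("cp037", errors="replace"),
    }
    for n, run in enumerate(B64_RUN.findall(payload)):
        try:
            views[f"base64#{n}"] = base64.b64decode(run, validate=True).decode("latin-1")
        except ValueError:                                 # not valid base64 after all
            pass
    return views

def find_pans(payload):
    """Return (view, number) for each Luhn-valid card number visible in any view."""
    return [(name, m) for name, text in keyless_views(payload).items()
            for m in PAN_RE.findall(text) if luhn_ok(m)]

# Constructed frames: the same number in clear text and under three keyless encodings.
SAMPLES = {
    "cleartext": b"PAN=" + TEST_PAN.encode() + b";",
    "packed-bcd": b"\xfa\xce" + bytes.fromhex(TEST_PAN) + b"\xff",
    "ebcdic": TEST_PAN.encode("cp037"),
    "base64": b'{"d":"' + base64.b64encode(TEST_PAN.encode()) + b'"}',
}

if __name__ == "__main__":
    for label, frame in SAMPLES.items():
        print(f"{label:11} {frame.hex()[:24]:24} -> {find_pans(frame)}")
```

Only the first frame would be caught by a plain text search, yet the number is recovered from all four without any secret.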
In the good old days, there was steganography, a technique of hiding data in JPEG or other types of files such that only a person with knowledge of the obfuscation algorithm could get the message out. However, this relied on the secrecy of the algorithm. Even to this day, some security people consider steganography an effective means of transmitting information (though we doubt anyone uses it for secure information transmission today).
Obscurity provides no security if it is the only layer of security. Alongside other layers of strong security, it could be a good idea to use obscurity together with true security just to make the attacker’s job a little harder. However, bear in mind that it is just a trick to possibly “buy time” and that’s it. Eventually, obscurity will be subverted.
Therefore, never rely on security via obscurity, because that’s the wrong way to implement security. Always use strong cryptography as the basis of security. Additional layers of obscurity just add (possibly) some confusion, and that’s about it.