By Scott Henry
"Scope reduction" should be a magical phrase to merchants, acquirers and ISOs because it refers to reducing the applicability of Payment Card Industry (PCI) Data Security Standard (DSS) controls. PCI compliance is no small matter, nor is it inexpensive. The larger an organization, the more costly the effort to ensure compliance, but smaller organizations may have to devote comparatively larger proportions of their resources than more sophisticated outfits.
So, large or small, compliance is a big issue that many organizations want to reduce. Any step to limit the scope of that compliance is welcome. That's why end-to-end encryption (E2EE) is now one of the most talked-about concepts in the payments industry. And consensus is growing that E2EE is a vital step not only in containing the costs of compliance, but also in making card data much more secure.
An initial goal of the Secure POS Vendor Alliance was "to create an industry encryption framework ... to adequately secure cardholder information before it enters the application environment."
In 2009, Visa Inc. published industry best practices for E2EE. Even the PCI Security Standards Council (PCI SSC) is developing guidance on how E2EE (which it prefers to term "point-to-point encryption") will satisfy certain PCI requirements.
Retailer environments are too complex to completely and constantly lock down against all intruders. Encrypting cardholder data from end to end may be the only way to meet current security requirements.
The potential liability associated with cardholder data breaches is daunting. The per-record cost estimates for a security breach range from around $100 to several hundred dollars, so a breach could easily result in costs in the millions of dollars. Unfortunately, the number of attempted and successful data breaches is increasing, even among retailers that meet PCI DSS compliance requirements and audits.
End-to-end encryption entails encrypting cardholder information on acceptance inside a secure, trusted device and keeping it encrypted throughout an organization, ideally all the way to the acquirer or processor.
Retailers aren't in the business of security or payment technology; they must focus on understanding customer needs and delivering the right goods at the right time and place. PCI requirements were on a two-year update cycle, so by the time a retailer got up to speed, it was time to learn the next set of requirements. The PCI SSC recently extended the cycle to three years, but even so, merchants need significant guidance from ISOs and merchant level salespeople to understand the compliance process.
A variety of encryption techniques have been proposed for the retail industry. All offer strengths but also have limitations that make them less than complete:
This form of encryption does not, however, protect data end-to-end. Many organizations have a hodge-podge of servers, applications and networks that may require access to the database information, resulting in data being frequently unencrypted and exposed to rogue sniffers.
VeriFone favors a total systems solution approach that encompasses the following:
An independent assessor, Coalfire Systems Inc., recently completed a review of this approach and came to some compelling conclusions regarding E2EE: "As most of the DSS controls are designed to manage risk to card data from specific threat scenarios, it is therefore possible to reduce their applicability by securing the card data in the merchant environment, so that the threat scenarios are no longer a viable risk.
"By strongly encrypting card data at the point of capture in a secure and restricted device, where no ability to decrypt the card data exists, you can effectively 'isolate' the majority of the merchant's environment from scope. If specific deployment scenarios are adhered to, the merchant environment can be treated as an untrusted environment similar to a public network when using strong transmission encryption."
Coalfire stressed that PCI compliance scope reduction cannot remove the need for PCI compliance and does not eliminate merchants' responsibility to validate compliance to their acquirers, but Coalfire noted that scope reduction has big benefits: "PCI compliance scope reduction's biggest payoff for merchants is the opportunity to eliminate the cost of PCI control deployment for the sole purpose of meeting compliance obligations. The second major benefit is the reduction of cost and effort to validate PCI compliance of the merchant environment."
No doubt you'll be hearing more and more about E2EE. It's important to know how different vendors and service providers implement this technology.
Scott Henry is Director, North America Product Marketing, for VeriFone Inc. He can be reached at email@example.com.