The Green Sheet Online Edition
December 13, 2010 • Issue 10:12:01
PCI changes, incremental step toward industry compliance
End-to-end encryption of payment card data is rapidly spreading throughout the payments industry, while fraud and breaches are on the rise. Within this environment, the PCI Security Standards Council (PCI SSC) recently released supplemental guidance about the technology behind end-to-end, or point-to-point, encryption and how it relates to the Payment Card Industry (PCI) Data Security Standard (DSS).
Payment industry stakeholders are cautiously optimistic that the new guidelines will reduce the confusion surrounding the PCI DSS. But the guidance does not appear to be moving quickly enough, or to offer sufficient detail, to keep up with rapidly evolving industry demands.
Overall, the release of the PCI SSC's Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance signals a willingness of the standard-setter to help merchants make better decisions in evaluating their card payment processes and options. However, the "roadmap" is limited in scope and doesn't provide the specific requirements that organizations such as the Secure POS Vendor Alliance (SPVA) would like to see and have been working toward.
The roadmap notes that methods for validating point-to-point encryption implementations, and for determining what they mean for PCI DSS compliance, remain "immature"; it suggests that this infancy is an opportunity for the industry to help define requirements in 2011, when a more detailed requirements standard is expected to be released.
That effort will involve input from groups like the SPVA, among others - in particular, the special interest groups that have provided significant comments since the early stages of drafting. The most work has been in the areas of scoping, EMV (Europay/MasterCard/Visa) and tokenization, where SPVA members have been active, contributing many hours of guidance to the PCI SSC since the SPVA released its white paper, End-to-End Encryption Security Requirements. Still, the PCI SSC has provided only high-level direction in these areas; the nuts-and-bolts requirements work is pending.
More to come
The update to the PCI DSS and the Payment Application DSS (PA-DSS), together with its accompanying guidance, includes updates, clarifications and guidance in key areas such as:
- Reinforcing the need for merchants to conduct thorough "scoping" evaluations of their networks before security audits
- Adding a mandate for centralized logging to the Payment Application DSS
- Allowing organizations greater flexibility when conducting risk assessments in order to prioritize security vulnerabilities
- Clarifying the language of the standards
These represent minor adjustments. Merchants, processors, vendors and other industry players must once again wait for final specifics. Further guidance on scoping, point-to-point encryption and tokenization is expected in the near future. The PCI SSC also did not release an overview document on tokenization. Given the influence tokenization is having on emerging best practices, it is important that the industry have better insight into where the PCI SSC is going.
Generally, the direction is on target. However, if the PCI SSC wants more merchants to be in compliance, it needs to move more quickly and get ahead of core security elements like data encryption, tokenization and mobile payments.
The roadmap also notes that a reduction in scope - at least for data in transit, where the merchant environment never holds the key needed to decrypt it - could narrow and simplify the overall validation process. That in turn means more guidance is needed for qualified security assessors (QSAs). The SPVA strongly recommends that the PCI SSC improve its education and screening of QSAs so that only assessors who understand encryption, key management and physical/logical security concepts are permitted to conduct assessments.
The SPVA applauds the PCI SSC's efforts, but with fraud accounting for millions of dollars in losses across major industries - such as financial, hospitality and retail - stakeholders can't afford to wait. According to the 2010 Data Breach Investigations Report from Verizon Business, achieving PCI DSS compliance is critically important, given that "79 percent of victims subject to the PCI DSS standard hadn't achieved compliance prior to the breach." We need the PCI SSC to take the lead in helping make PCI compliance a reality.
Paul Rasori serves as the Secure POS Vendor Alliance's Vice Chairman and CTO and is Senior Vice President, Global Marketing at VeriFone Inc., a founding member of the SPVA. He is a 20-year veteran of the electronic payments industry and has led the introduction of the industry's most comprehensive and successful portfolio of payment solutions that span diverse vertical markets, including financial retail, multilane, unattended, hospitality and wireless vertical segments. He can be reached at firstname.lastname@example.org.