The Green Sheet, Inc
The Green Sheet Online Edition

December 13, 2010  •  Issue 10:12:01


PCI changes, incremental step toward industry compliance

By Paul Rasori

End-to-end encryption of payment card data is rapidly spreading throughout the payments industry, while fraud and breaches are on the rise. Within this environment, the PCI Security Standards Council (PCI SSC) recently released supplemental guidance about the technology behind end-to-end, or point-to-point, encryption and how it relates to the Payment Card Industry (PCI) Data Security Standard (DSS).

Payment industry stakeholders are cautiously optimistic about the role the new guidelines will play in diminishing confusion associated with the PCI DSS. But this guidance does not appear to be moving quickly enough, or to offer sufficient detail, to keep up with rapidly evolving industry demands.

Overall, the release of the PCI SSC's Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance signals a willingness of the standard-setter to help merchants make better decisions in evaluating their card payment processes and options. However, the "roadmap" is limited in scope and doesn't provide the specific requirements that organizations such as the Secure POS Vendor Alliance (SPVA) would like to see and have been working toward.

The update notes that methods to validate point-to-point encryption and PCI DSS compliance and implementation remain "immature"; it suggests that this infancy represents an opportunity for the industry to define requirements in 2011 when a more detailed requirements standard is expected to be released.

That effort will involve input from groups like the SPVA, among others - in particular, the special interest groups that have been providing significant comments since the early stages of drafting. The most work has been in the areas of scoping, Europay/MasterCard/Visa (EMV) and tokenization, where SPVA members have been active, contributing many hours of guidance to the PCI SSC since the SPVA released its white paper, End-to-End Encryption Security Requirements. Still, the PCI SSC has provided only high-level direction in these areas; nuts-and-bolts requirements work is pending.

More to come

The supplement to the PCI DSS includes updates, clarifications and guidance for key areas such as:

These represent minor adjustments. Merchants, processors, vendors and other industry players must once again wait for final specifics. Further guidance regarding scoping, point-to-point and tokenization is expected in the near future. Also, the PCI SSC did not release an overview document on tokenization. Given the influence tokenization is having on emerging best practices, it is important that the industry have better insight into where PCI is going.

Generally, the direction is on target. However, if the PCI SSC wants more merchants to be in compliance, it needs to move more quickly and get ahead of core security elements like data encryption, tokenization and mobile payments.

The update also notes that a reduction in scoping - at least as it applies to the transmittal of data - might limit and simplify the overall validation process. That also means more guidance is needed for qualified security assessors (QSAs). The SPVA strongly recommends that the PCI SSC improve its education and screening of QSAs so that only assessors who understand encryption, key management and physical/logical security concepts become auditors.

The SPVA applauds the PCI SSC's efforts, but with fraud accounting for millions of dollars in losses across major industries - such as financial, hospitality and retail - stakeholders can't afford to wait. According to the 2010 Breach Report from Verizon Business, meeting PCI DSS compliance is critically important, given that "79 percent of victims subject to the PCI DSS standard hadn't achieved compliance prior to the breach." We need the PCI DSS to take the lead to help make PCI compliance a reality.

Paul Rasori serves as the Secure POS Vendor Alliance's Vice Chairman and CTO and is Senior Vice President, Global Marketing at VeriFone Inc., a founding member of the SPVA. He is a 20-year veteran of the electronic payments industry and has led the introduction of the industry's most comprehensive and successful portfolio of payment solutions that span diverse vertical markets, including financial retail, multilane, unattended, hospitality and wireless vertical segments. He can be reached at

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
