The Green Sheet Online Edition
October 10, 2011 • Issue 11:10:01
PCI SSC releases new encryption requirements
The PCI Security Standards Council (PCI SSC) recently released point-to-point encryption (P2PE) requirements for hardware-based solutions in its PCI Point-to-Point Encryption Solution Requirements. The 96-page document provides the first requirements for hardware-based P2PE solutions that offer Payment Card Industry (PCI) Data Security Standard (DSS) compliance.
The new requirements include information on:
- The merchant and vendor roles and responsibilities for P2PE hardware validation, implementation and solutions
- P2PE hardware domains: encryption device and environment, application security, transmission, decryption and key management
- The required steps for P2PE creation and validation
- Illustrations of how encryption hardware is implemented
- The relationship between the P2PE validation requirements and other PCI standards
A starting point
PCI SSC General Manager Bob Russo said the new P2PE hardware requirements are the beginning of what is expected to be an extensive list of P2PE requirements and programs. He said the PCI SSC will release testing requirements for hardware and introduce security assessment training for encryption hardware in the coming months.
P2PE solutions use secure cryptographic devices installed in POS terminals to encrypt cardholder data; hardware security modules are then used to decrypt that information securely.
"It's important to emphasize this is an optional program for the merchant and vendor," Russo told The Green Sheet. "There is no mandate. Encryption is a good idea that adds another layer of security with the possibility of cutting down the scope of compliance."
More to come
In addition, the PCI SSC will soon be looking at encryption in hybrid hardware/software devices, as well as standards for pure software encryption solutions. However, Russo said, "Some of the components in these regulations are already covered in the PCI security requirements for PIN pad and POS devices."
Russo added that all pieces of the PCI DSS still apply. "These new regulations are not a get-out-of-jail-free card," he said. "You still have to protect the data."
The PCI SSC will release a list of validated P2PE solutions in 2012. "There are many solutions that exist and merchants are looking to us for guidance," Russo said. "This is a solid first step in recognizing one popular type of deployment of P2PE solutions. If implemented in accordance with PCI requirements, P2PE solutions can significantly reduce a merchant's card data environment, mitigate potential breaches and simplify PCI DSS validation efforts."
The PCI Point-to-Point Encryption Solution Requirements can be found at www.pcisecuritystandards.org/documents/nb59Y8Qqv/P2PE_Hardware_Solution_%20Requirements_Initial_Release.pdf.