The Green Sheet Online Edition

May 14, 2012  •  Issue 12:05:01

PCI SSC releases encryption update

The PCI Security Standards Council recently released new point-to-point encryption requirements for hardware-based solutions. The new requirements augment the PCI Point-to-Point Encryption Solution Requirements released by the council in September 2011.

PCI SSC General Manager Bob Russo said the updated point-to-point encryption requirements bring the council "one step closer to helping merchants take advantage of this technology to simplify PCI DSS [Payment Card Industry Data Security Standard] validation efforts and mitigate potential breaches."

Clarification, guidance and training

The new requirements include guidance for merchants seeking a validated point-to-point encryption solution, the scope of assessment for point-to-point encryption solutions, and advice for systems that have multiple acquirers working with a single solution.

A summary of the requirements can be viewed at:

The PCI SSC also outlined security testing procedures and offered training for technicians implementing the new requirements. As part of this, eligible security companies may qualify to have employees trained as Qualified Security Assessors and have Payment Application Qualified Security Assessors certified to assess compliance with the point-to-point encryption standard.

Upcoming training sessions are scheduled May 11 to 13, 2012, in Denver and June 25 to 27 in Manchester, England. For more information on training, visit

Moving forward

The PCI SSC said once assessors are trained and solutions validated, it will provide merchants a list of validated secure solutions that will reduce merchants' PCI scope. The council intends to release a new self-assessment questionnaire and attestation of compliance later this spring. It will simultaneously release a point-to-point encryption program guide.

The PCI SSC will now turn its attention to requirements for hardware-based encryption and decryption solutions that use software to manage transaction-level decryption. It will also study requirements for software solutions that encrypt data at the POS and decrypt data at a host system.

Call to expand standards

Doug Klotnia, Executive Vice President of Payment Services for Trustwave, a data security and compliance management firm, said the PCI SSC is right to issue guidelines. He noted it should create further security standards for today's rapidly evolving payment market, where mobile devices and other nonstandard, often software-based, POS devices that were not necessarily built for payments are carving out a significant place in the payments environment.

"Software-based encryption has been around for a long time," Klotnia said. He believes secure solutions are both possible and needed to "enable more merchant devices more convenient ways to deliver business more securely." He added that as long as there is "no standard there is no additional security in that environment."

Vigilance still required

Matthew Mudd, President of Phoenix Managed Networks, a POS network security firm, said, "While point-to-point encryption technically reduces scope, the number of moving parts to properly outsource an encrypted system is daunting. Merchants also must continue to maintain physical network segmentation between point-to-point encryption environment and everything else they do over the Internet."

Mudd added that point-to-point encryption is not a silver bullet for merchant compliance. "Merchants will need to follow solution provider instructions carefully," he said.

"Merchants have to remember - connecting payment devices to the Internet puts them on the same network as hackers all over the world who make sport and business of cracking into systems. Protection of cardholder data in such an environment requires multiple layers of security and constant vigilance."

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
