The PCI Security Standards Council recently released new point-to-point encryption requirements for hardware-based solutions. The new requirements augment the PCI Point-to-Point Encryption Solution Requirements released by the council in September 2011.
PCI SSC General Manager Bob Russo said the updated point-to-point encryption requirements bring the council "one step closer to helping merchants take advantage of this technology to simplify PCI DSS [Payment Card Industry Data Security Standard] validation efforts and mitigate potential breaches."
The new requirements include guidance for merchants seeking a validated point-to-point encryption solution, the scope of assessment for point-to-point encryption solutions, and advice for systems that have multiple acquirers working with a single solution.
A summary of the requirements can be viewed at: www.pcisecuritystandards.org/documents/P2PE_v1-1_summary_of_changes.pdf
The PCI SSC also outlined security testing procedures and offered training for the assessors who will validate solutions against the new requirements. As part of this, eligible security companies may qualify to have their employees trained and certified as Qualified Security Assessors (QSAs) and Payment Application Qualified Security Assessors (PA-QSAs) for the point-to-point encryption standard, so that they can assess solutions for compliance with it.
Upcoming training sessions are scheduled May 11 to 13, 2012, in Denver and June 25 to 27 in Manchester, England. For more information on training, visit www.pcisecuritystandards.org/training/p2pe_training.php.
The PCI SSC said once assessors are trained and solutions validated, it will provide merchants a list of validated secure solutions that will reduce merchants' PCI scope. The council intends to release a new self-assessment questionnaire and attestation of compliance later this spring. It will simultaneously release a point-to-point encryption program guide.
The PCI SSC will now turn its attention to requirements for hardware-based encryption and decryption solutions that use software to manage transaction-level decryption. It will also study requirements for software solutions that encrypt data at the POS and decrypt data at a host system.
Doug Klotnia, Executive Vice President of Payment Services for Trustwave, a data security and compliance management firm, said the PCI SSC is right to issue guidelines. He noted it should create further security standards for today's rapidly evolving payment market, where mobile devices and other nonstandard, often software-based, POS devices that were not necessarily built for payments are carving out a significant place in the payments environment.
"Software-based encryption has been around for a long time," Klotnia said. He believes secure solutions are both possible and needed to "enable more merchant devices more convenient ways to deliver business more securely." He added that as long as there is "no standard there is no additional security in that environment."
Matthew Mudd, President of Phoenix Managed Networks, a POS network security firm, said, "While point-to-point encryption technically reduces scope, the number of moving parts to properly outsource an encrypted system is daunting. Merchants also must continue to maintain physical network segmentation between the point-to-point encryption environment and everything else they do over the Internet."
Mudd added that point-to-point encryption is not a silver bullet for merchant compliance. "Merchants will need to follow solution provider instructions carefully," he said.
"Merchants have to remember - connecting payment devices to the Internet puts them on the same network as hackers all over the world who make sport and business of cracking into systems. Protection of cardholder data in such an environment requires multiple layers of security and constant vigilance."
Notice to readers: This is an archived article from www.greensheet.com. Contact names or information may be out of date.