Council's Card-Encryption Guidelines Are a "First Step"

If a merchant plans to use advanced data encryption as a credit card data security measure, the Payment Card Industry Security Standards Council now has some guidelines for how best to go about it.

In what council leaders are calling "the first step" in a process to establish direction on the use of encrypted payment card data, the council released a set of requirements Thursday aimed at validating encryption hardware. The requirements cover the encryption process from the point where card data enters a reader to the hardware security modules used at the end for decryption.

The process that the council calls point-to-point encryption converts sensitive customer card data from plain text to an unreadable form while in transit from the card reader at the point of sale to the security module at the bank processor, the council says.

Advanced data encryption has been on the rise the past few years but previously no standards or requirements existed on how best to use this added layer of security, says Bob Russo, general manager of the PCI Council.

Russo emphasizes that the council's advanced data encryption requirements are "not about setting standards" at this time but are only meant to start that process, because "these are not mature technologies and merchants and vendors need direction."

The requirements from the council also do not represent a mandate for buying encryption services from a vendor, Russo says.

The requirements and any future guidance will give merchants less to worry about and "help them significantly" by reducing their work in assuring card data is secure, says Jeremy King, European director of the PCI Security Standards Council.

The involvement of well-prepared security assessors will be a key element in the process because a vendor may think card data is safe, but a gap could exist that an assessor could find, King says.
