PCI Group Offers a Preview of Its Guidance on EMV, Advanced Encryption

It appears the time to prepare for EMV and advanced encryption has arrived.

On Thursday the Payment Card Industry Security Standards Council provided a preview of guidance it plans to release Oct. 5 that shows how the industry group expects its standards to interact with the EMV Integrated Circuit Card Specification.

EMV has its own standards body, EMVCo, which is based in the U.K., and there is no uniform approach for advanced encryption formats across the payments industry.

The council's guidance is based on the philosophy that defending payment card data takes depth, Troy Leach, the Wakefield, Mass., group's chief technology officer, said at a meeting for payments executives. "You can't rely on a single point of defense," Leach said during an interview at the meeting, which was held in Orlando.

For example, an EMV transaction requires the personal account number to be unencrypted so it can be authenticated at the point of sale. Merchants relying solely on EMV technology increase their risk by not taking measures to protect the sensitive card data, Leach said.

Many merchants use more than one method to complete a sale, and that is an important reason why EMV-accepting merchants should comply with PCI standards, said Jeremy King, the council's European regional director. "There is more than one area where they have to look at all of the data," he said.

The time also is right to begin addressing how the council's standards interact with the encryption services many vendors are selling, King said.

Merchants and others in the payments industry want guidance. "We're looking at that because we're being asked to by our participating organizations," King said. There are no standards that define end-to-end encryption and there are no ways to validate protection claims, he said.

Leach said the council's guidance on what it instead calls point-to-point encryption could be the start of a way to validate encryption claims.

Indeed, validation is essential because not all security algorithms and encryption processes are created equal, Leach said. A faulty implementation can defeat the benefit of the service, he said.

As the payments industry and merchants review and express feedback to the council's new guidance, the council will have to coordinate its work with other standards organizations, such as the Accredited Standards Committee X9 Inc., which oversees many financial services standards, said Jose Diaz, the director of technical and strategic business development at Thales e-Security.

"In the Data Security Standard, the council is not calling for specific requirements," but instead is "issuing general guidance," Diaz said, noting other standards bodies will address specific requirements for various technologies.

"The PCI DSS provides that framework that anyone trying to address security and compliance can follow," he said.

The PCI council's new guidance is significant and timely, said George Peabody, director of emerging technologies at Mercator Advisory Group Inc. in Maynard, Mass.

The guidance, inspired by the emerging use of EMV and advanced encryption, could signal the beginning of a shift to dynamic card data, Peabody said. Payment card data currently are static in that at any point in the transaction life cycle the card stays the same. In a dynamic system, a transaction is assigned a unique identifier, so the actual card number is not transmitted.

"Dynamic data adds a whole level of security we didn't have at the edge of the network," Peabody said, referring to the point where a consumer makes a transaction.

Such a migration could take five to 10 years, even if it started today. That "still leaves a gaping hole and which is why tokenization and encryption have a role to play now," Peabody said.

Visa Inc. issued tokenization best practices in July.

The PCI council said its guidance will reflect its evolving approach to payment-data security. An outline of how it will apply these technologies is included in its guidance on point-to-point encryption.

"This is the first time anyone has given a road map on this," King said.
