The payments industry is embracing point-to-point encryption and tokenization rapidly, in fact much faster than the PCI Security Standards Council can come up with rules that grant its stamp of approval on the advanced technology. Those eager for new rules argue that encrypted or tokenized networks should be subject to a much less rigorous PCI audit process in light of the nature of their security setups. "The retailers and other card accepting organizations are still subject to uneven interpretations. They don't have any clarity that if they implement point-to-point (encryption) or tokenization they will have reduced audit scope," says Avivah Litan, a vp at Gartner.
The Council's slow pace isn't holding banks back. Bank of America, for example, is deploying TransArmor, a First Data service that leverages RSA's SafeProxy architecture-a combination of encryption, tokenization and key management. The product encrypts consumer payment card data as it enters the merchant environment, and replaces that data with a "token" number that preserves the value of the card data for merchants while making it useless for crooks. "The token is what is stored if [the merchant] needs to keep a record of the transaction anywhere," says Michael Reed, COO of Bank of America Merchant Services.
A number of other firms, including large processors such as Heartland and Fifth Third, have also recently embraced forms of point-to- point encryption and tokenization. "I've never seen rollouts come as fast as this in all my years in security," says John Kindervag, a senior analyst at Forrester Research. "If you want to stay in the payments game, you have to provide tokenization and transaction encryption."
Reed says the BofA product is and will be PCI compliant, and says the removal of sensitive cardholder information can "take some of the burden off of PCI compliance. This product helps reinforce the merchant's ability to protect cardholder information."
But exactly what "PCI compliant" entails as far as point-to-point encryption, tokenization and EMV goes will be a moving target for quite some time. The council will spend the next year-a timeframe that's causing some criticism-considering how these new tech plays meet its compliance standards, and what merchants will need to do to reduce exposure to audits.
The PCI Council issued preliminary guidance on emerging security technologies in August. Another guidance statement on encryption came out at the end of October, and more memos on protective measures such as tokenization and EMV-and how payments security is impacted by virtualizedserver environments-are expected in 2011. The October release included clarifications for PCI DSS, but did not include new requirements or tech endorsements. PCI, which says point-to-point encryption could simplify compliance, included a number of points in its latest update, such as a stress on scoping prior to a PCI DSS assessment to understand where cardholder data resides, and conditional validation of a risk-based approach for addressing vulnerabilities.
The industry council says producing a document that sets encryption and tokenization standards is a complex job. "Thirty vendors offer [point to point] encryption, and with tokenization there's even more. And everybody's a bit different," says Bob Russo, general manager of the PCI Security Standards Council, who says it's just the beginning of matching emerging security innovation to standards. Jose Diaz, director of technical and strategic development for Thales Security, a participant in the council's debit protection working group, says there are currently no standards connected to point-to-point encryption, such as what algorithms to use, what kinds of keys, and how to protect account numbers.