
The PCI Security Standards Council this fall plans to launch a website dedicated to small merchants, which have asked the council for help in understanding how data-security measures affect them.
The council also announced that on Oct. 5 it would release guidance covering how the standards under its control might interact with advanced encryption and EMV protocols.
The new website will explain the principles and rationale behind the council’s efforts to get merchants to comply with the Payment Card Industry Data Security Standard and “why it’s important to protect their customer information,” Troy Leach, the council’s chief technology officer, told ISO&Agent Weekly at the council’s Community Meeting in Orlando, Fla., last week.
Details of the new site were not yet available, but it should be easier for merchants to navigate than the existing site, which was designed for anyone interested in council activities and documents, he says.
The council also will revamp its primary website. “We will be completely re-laying it out,” says Jeremy King, the council’s European regional director.
The council’s online revisions are just some of the changes the council has addressed this year, King says. Chief among them is aligning the three security standards–Data Security Standard, Payment Application-DSS and PIN Transaction Security–into three-year cycles, he says.
The Data Security Standard’s move to a three-year lifecycle, which the two other standards already were on, should give merchants more time to work with the existing version while having more time to review upcoming versions, King says.
The Wakefield, Mass.-based council also introduced an internal security assessor training program this year that King says has been successful.
Banks, acquirers or merchants employ internal security assessors to evaluate their organization’s PCI-compliance effort, and they work with third-party qualified security assessors that ascertain an organization’s compliance level.
While the council is U.S.-based, its standards are meant for merchants of all sizes around the globe, King says.
That is part of the reason why the council is issuing the EMV and advanced encryption guidance next week.
EMV has its own standards body, United Kingdom-based EMVCo, and no uniform approach exists for advanced encryption across the payments industry.
The council’s guidance emanates from the philosophy that defending payment card data takes depth, Leach says. “You can’t rely on a single point of defense,” Leach says.
For example, an EMV transaction requires the personal account number to be unencrypted so it can be authenticated at the point of sale. Merchants relying solely on EMV technology increase their risk by also not taking measures to protect the sensitive card data, Leach says.
Many merchants use more than one method to complete a sale, and that is an important reason why EMV-accepting merchants should comply with PCI standards, King says. “There is more than one area where they have to look at all of the data,” he says.
The time also is right to begin addressing how the council’s standards interact with the encryption services many vendors are selling, King says.
And merchants and others in the payments industry want some guidance. “We’re looking at that because we’re being asked to by our participating organizations,” King says.
Moreover, no standards exist that define “end-to-end” encryption, and there are no ways to validate protection claims, he says.
The council’s guidance on what it instead calls point-to-point encryption could be the start of a way to validate encryption claims, Leach says.
Indeed, validation is essential because not all security algorithms and encryption processes are created equal, Leach says. A faulty implementation can defeat the benefit of the service, he notes.
As the payments industry and merchants review and express feedback to the council’s new guidance, the council will have to coordinate its work with other standards organizations, such as the Accredited Standards Committee X9 Inc., which oversees many financial-services standards, Jose Diaz, director of technical and strategic business development at Thales e-Security, tells ISO&Agent Weekly.
“In the Data Security Standard, the council is not calling for specific requirements, but (instead is) issuing general guidance,” Diaz says, noting other standards bodies will address specific requirements for various technologies.
“The PCI DSS provides that framework that anyone trying to address security and compliance can follow,” he says.
The PCI council’s new guidance is significant and timely, says George Peabody, director of emerging technologies at Maynard, Mass.-based Mercator Advisory Group Inc.
Inspired by the emerging use of EMV and advanced encryption, the guidance could herald the beginning of a shift to dynamic card data, he says. Payment card data currently are static in that at any point in the transaction lifecycle the card stays the same. In a dynamic system, a transaction is assigned a unique identifier so the actual card number is not transmitted.
“Dynamic data adds a whole level of security we didn’t have at the edge of the network,” Peabody says, referring to the point where a consumer makes a transaction.
Such a migration could take from five to 10 years, even if started today, “which still leaves a gaping hole and which is why tokenization and encryption have a role to play now,” he says. Visa Inc. issued tokenization best practices in July.
The PCI council says its upcoming guidance speaks to its future approach to payment-data security. An outline for how the council will approach these technologies is included in its guidance on point-to-point encryption. “This is the first time anyone has given a roadmap on this,” King says.