The Payment Card Industry Security Standards Council has issued guidelines for merchants that plan to use advanced data encryption as a credit card data security measure. The guidelines, the council emphasizes, do not constitute standards.
In what council leaders are calling “the first step” in directing the use of encrypted payment card data, the council Sept. 15 released requirements aimed at validating encryption hardware. The requirements cover encryption from the point where card data enters a reader to the hardware security modules used at the end for decryption.
The process, which the council calls point-to-point encryption, converts sensitive customer card data from plain text into unreadable ciphertext while it is in transit from the card reader at the point of sale to the security module at the bank processor, the council says.
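To make the scoping point concrete, the following is an added illustration of that data flow and is not code from the council or from any P2PE solution. It assumes a symmetric key provisioned only into the reader and the processor's HSM (AES-GCM stands in for whatever the validated hardware actually uses), a constructed test card number, and merchant-side components that can only relay and log what they receive.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample: a card number in the plain-text form a reader would see.
// It is a test-style value, not a real account.
const SamplePAN = "4111111111111111"

// newGCM builds the AEAD used by both the reader and the HSM (assumption:
// a 32-byte key shared only between those two endpoints).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ReaderEncrypt models the point-of-interaction step: the reader turns the
// plain-text PAN into ciphertext before it leaves the device.
func ReaderEncrypt(key []byte, pan string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Nonce is prepended so the HSM can recover it; GCM authenticates the blob.
	ct := gcm.Seal(nonce, nonce, []byte(pan), nil)
	return hex.EncodeToString(ct), nil
}

// MerchantRelay models every hop between the reader and the processor
// (POS application, merchant LAN, gateway). It holds no key, so all it can
// do is forward and log the opaque blob.
func MerchantRelay(log *[]string, blob string) string {
	*log = append(*log, "relay: "+blob)
	return blob
}

// HSMDecrypt models decryption at the processor's hardware security module,
// the only other party that holds the key. A wrong key fails authentication.
func HSMDecrypt(key []byte, blobHex string) (string, error) {
	ct, err := hex.DecodeString(blobHex)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(ct) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, body := ct[:gcm.NonceSize()], ct[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, body, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// PANExposed reports whether any merchant-side log line contains the
// plain-text PAN, which is exactly what the encryption is meant to prevent.
func PANExposed(log []string, pan string) bool {
	for _, line := range log {
		if strings.Contains(line, pan) {
			return true
		}
	}
	return false
}

// RunTransaction runs one reader -> merchant -> HSM flow and returns what the
// HSM recovered and whether the merchant-side log ever saw the PAN.
func RunTransaction(key []byte, pan string) (recovered string, exposed bool, err error) {
	var merchantLog []string
	blob, err := ReaderEncrypt(key, pan)
	if err != nil {
		return "", false, err
	}
	forwarded := MerchantRelay(&merchantLog, blob)
	recovered, err = HSMDecrypt(key, forwarded)
	if err != nil {
		return "", false, err
	}
	return recovered, PANExposed(merchantLog, pan), nil
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	recovered, exposed, err := RunTransaction(key, SamplePAN)
	if err != nil {
		panic(err)
	}
	fmt.Printf("HSM recovered PAN: %v, merchant systems saw PAN: %v\n",
		recovered == SamplePAN, exposed)
}
```

The merchant relay never holds a key, which is the property behind Russo's remark that the approach "can reduce the scope" of a PCI DSS assessment: systems that only ever handle the ciphertext have nothing to protect. The example does not model the validated readers, HSMs or key-management steps the council's requirements cover; it only shows where the plain-text boundary sits.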
The council requirements outline responsibilities in validating and assessing the critical pieces of hardware used for encryption; the steps required to create and validate the advanced data encryption method in use; a visual representation of a typical implementation process; and the interrelation between advanced data encryption validation and other PCI standards.
Advanced data encryption has been on the rise during the past few years, but until now no standards or requirements existed on how best to use the added layer of security, Bob Russo, general manager of the Payment Card Industry Security Standards Council, tells ISO&Agent Weekly.
The council in September 2010 signaled its plans to establish requirements for the process.
The next level of guidance for advanced data encryption will include software recommendations, extensive testing of the process, training for Qualified Security Assessors to understand encryption assessment, and presentation to the council of appropriate solutions by next spring, Russo says.
Russo emphasizes that the council’s advanced data encryption requirements are “not about setting standards” at this time, and only provide a start to that process because “these are not mature technologies and merchants and vendors need direction.”
Moreover, the new requirements do not eliminate the need for PCI Data Security Standard compliance, “but it can reduce the scope,” Russo says.
The requirements from the council also do not represent a mandate for buying encryption services from a vendor, Russo notes.
Jeremy King, European director of the PCI Security Standards Council, says the requirements and future guidance will give merchants less to worry about and “help them significantly” by reducing their work in assuring card data is secure.
“The requirements for point-to-point encryption are purely for face-to-face transactions and, in the end, it will enable the vendor to advertise that they’ve hit these requirements,” King tells ISO&Agent Weekly.
The involvement of well-prepared security assessors will be a key element in the process because a vendor may think card data is safe, but a gap could exist that an assessor could find, King says.