PCI Security Council Sets Requirements On Encryption

If a merchant plans to use advanced data encryption as a credit card data security measure, the Payment Card Industry Security Standards Council now has some guidelines for how best to go about it.

In what council leaders are calling “the first step” in a process to establish direction on the use of encrypted payment card data, the council Sept. 15 released a set of requirements aimed at validating encryption hardware. The requirements cover the encryption process from the point where card data enters a reader to the hardware security modules used at the end for decryption.

The process that the council calls point-to-point encryption converts sensitive customer card data from plain text to an unreadable text form while in transit from the card reader at the point of sale to the security module at the bank processor, the council says.

The council requirements outline responsibilities in validating and assessing the critical pieces of hardware used for encryption; the steps required to create and validate the advanced data encryption method in use; a visual representation and typical implementation process; and the interrelation between advanced data encryption validation and other PCI standards.

Advanced data encryption has been on the rise during the past few years but previously no standards or requirements existed on how best to use this added layer of security, Bob Russo, general manager of the Payment Card Industry Security Standards Council, tells PaymentsSource.

The council in September 2010 signaled its plans to establish requirements for the process (see story).

The next level of guidance for advanced data encryption will include software recommendations, extensive testing of the process, training for Qualified Security Assessors to understand encryption assessment, and presentation to the council of appropriate solutions by the spring of 2012, Russo says.

Russo emphasizes the council’s advanced data encryption requirements are “not about setting standards” at this time, but only to start that process because “these are not mature technologies and merchants and vendors need direction.”

Moreover, the new requirements do not eliminate the need for PCI Data Security Standard compliance, “but it can reduce the scope,” Russo says.

The requirements from the council also do not represent a mandate for buying encryption services from a vendor, Russo notes.

Jeremy King, European director of the PCI Security Standards Council, feels the requirements and any future guidance will give merchants less to worry about and “help them significantly” by reducing their work in assuring card data is secure.

“The requirements for point-to-point encryption are purely for face-to-face transactions and, in the end, it will enable the vendor to advertise that they’ve hit these requirements,” King tells PaymentsSource.

The involvement of well-prepared security assessors will be a key element in the process because a vendor may think card data is safe, but a gap could exist that an assessor could find, King says.
