SCOTTSDALE, Ariz.–Merchants generally welcome new industry guidance and requirements for the security of payment card data through advanced data encryption, but now a host of questions surrounds prospective products and their use, attendees said here last week at the PCI Security Standards Council's annual meeting.
Card networks and technology suppliers generally are pleased with the speed with which the PCI council is addressing the most urgent questions about advanced data security, Liberato De Veyra, vice president of emerging technologies at payment network JCB, told ISO&Agent Weekly. The council announced its advanced data requirements earlier this month.
"We're in a transitional stage on (advanced data encryption)," De Veyra said. "The requirements may be most challenging right now to Level 4 merchants," those that process fewer than 1 million Visa transactions and fewer than 20,000 online transactions annually, he said.
Some Level 4 merchants are looking for ways to reduce PCI compliance costs but do not know exactly how to adapt their current systems to products approved for advanced data encryption, De Veyra said.
The PCI council this month is beginning to create testing procedures to validate advanced data encryption products, Bob Russo, council general manager, said in an interview at the meeting.
The council subsequently will help ensure that qualified security assessors are trained in validating them and eventually will list approved advanced data encryption products on its site, Russo said. "It's still early in the process, but the council is actually moving rather quickly from last year, when point-to-point encryption was just a concept, to where we are now," he said.
Defining specifications around data tokenization presents another near-term challenge, Russo said. "There are probably 20 or 25 different ways of handling tokenization, and there are no standards for it at the moment. There will be a to-do list based on questions arising at this meeting," he said.
The PCI council's decision this year to create a new category of meeting attendee, the "internal security assessor," has been "really exciting," Russo noted. "The rise of these people inside organizations that act as liaisons with vendors and others for PCI compliance is turning out to be one of the most interesting new developments within our organization. Its members have asked us to create a portal for them, enabling them to continue sharing information year-round."
Other PCI-compliance challenges persist for vendors of payment-security products and services and for merchants, attendees said.
Validating data for merchant clients is becoming increasingly complex because of changing policies at the companies that store, or host, merchants' card data, according to Donald Creary, senior security networking consultant with Digital Resources Group, a Redwood City, Calif.-based consulting firm that is a qualified security assessor.
"Data-center hosting companies increasingly are introducing their own risk policies and new services that are making it harder (for us) to execute PCI requirements involving physical access to the locations where data is stored," Creary said. "Barriers include restrictions on when we can get inside these locations, who accompanies us, and how much time we can spend there, which raises barriers to doing our job and ultimately will cost the client (merchants) more."
The need for PCI compliance has never been more acute, but the barriers to entry for those providing related software and new technology are rising, Rick Evans, PCI compliance director at Newark, Calif.-based Payment Processing Inc., which services a range of merchants, told ISO&Agent Weekly. "It is increasingly complex to develop products that help merchants comply with PCI, and even in light of emerging new standards, it actually seems at times as if there is more ambiguity than ever about what exactly is the best and most efficient path (for merchants) to pursue in order to become PCI-compliant," he said.