Wednesday, May 2, 2012
The PCI Security Standards Council released new point-to-point encryption requirements for hardware-based solutions April 27, 2012. The new requirements augment the PCI Point-to-Point Encryption Solution Requirements released by the council in September 2011.
PCI SSC General Manager Bob Russo said the updated point-to-point encryption requirements bring the council "one step closer to helping merchants take advantage of this technology to simplify PCI DSS validation efforts and mitigate potential breaches."
The new requirements add clarification, guidance and program information to the encryption program requirements. They include:
A summary of the requirements can be viewed at: www.pcisecuritystandards.org/documents/P2PE_v1-1_summary_of_changes.pdf.
The PCI SSC also outlined security testing procedures and offered training for technicians implementing the new requirements. As part of this, eligible security companies may qualify to have employees trained as Qualified Security Assessors and have Payment Application Qualified Security Assessors certified to assess compliance with the point-to-point encryption standard.
Training sessions are scheduled May 11 to 13, 2012, in Denver and June 25 to 27 in Manchester, England. For more information or to register for the training, visit www.pcisecuritystandards.org/training/p2pe_training.php.
The PCI SSC said once assessors are trained and solutions validated, it will provide merchants a list of validated secure solutions that will reduce merchants' PCI scope. The council intends to release a new self-assessment questionnaire and attestation of compliance later this spring. It will simultaneously release a point-to-point encryption program guide.
The PCI SSC will now turn its attention to requirements for hardware-based encryption and decryption solutions that use software to manage transaction-level decryption. It will also study requirements for software solutions that encrypt data at the POS and decrypt data at a host system.
Doug Klotnia, Executive Vice President of Payment Services for Trustwave, a data security and compliance management firm, said the PCI SSC is right to issue guidelines. He noted it should create further security standards for today's rapidly evolving payment market, where mobile devices and other nonstandard, often software-based, POS devices that were not necessarily built for payments are carving out a significant place in the payments environment.
"Software-based encryption has been around for a long time," Klotnia said. He believes secure solutions are both possible and needed to "enable more merchant devices more convenient ways to deliver business more securely." He added that as long as there is "no standard there is no additional security in that environment."
Matthew Mudd, President of Phoenix Managed Networks, a POS network security firm, said, "While point-to-point encryption technically reduces scope, the number of moving parts to properly outsource an encrypted system is daunting. Merchants also must continue to maintain physical network segmentation between the point-to-point encryption environment and everything else they do over the Internet."
Mudd added that point-to-point encryption is not a silver bullet for merchant compliance. "Merchants will need to follow solution provider instructions carefully," he said. "Merchants have to remember – connecting payment devices to the Internet puts them on the same network as hackers all over the world who make sport and business of cracking into systems. Protection of cardholder data in such an environment requires multiple layers of security and constant vigilance."