PCI Council: P2PE simplifies PCI DSS compliance
The group responsible for managing payment security rules plans to release two new guidance documents early next month assessing the impact of emerging data security technologies on payment card security.
One of the documents will focus on point-to-point encryption (P2PE), also commonly referred to as end-to-end encryption, an emerging technology that encrypts cardholder data at the point of swipe so that it remains protected through to the processor. Properly implemented P2PE will allow merchants to reduce the scope of their Payment Card Industry Data Security Standard (PCI DSS) compliance effort, Troy Leach, chief standards architect for the PCI Security Standards Council (SSC), said during a presentation at the PCI North American Community Meeting held on Wednesday in Orlando, Fla.
“That is a significant statement,” Leach said. “The PCI Council has never made this statement before – that through this effort you might be able to simplify your [PCI DSS] validation requirements.”
While P2PE can simplify PCI DSS compliance, it will not eliminate the need to maintain and validate compliance for all systems, Leach added. Also, the security of P2PE solutions will need to be validated against a set of testing criteria that is still in development.
The guidance document, set to be released Oct. 5, will provide an overview of the threats to P2PE solutions and explain how properly implemented P2PE can simplify PCI DSS compliance. Additionally, the document will lay out a road map for the creation of a common standard to validate the security of P2PE technologies.
Next year, the Council plans to release a separate document outlining the specific validation requirements that can be used to evaluate the security of P2PE technology, Leach said. There currently is no widely accepted method for validating the security of P2PE solutions.
“There is a desperate need for standardization in this space,” Leach said.
Meanwhile, the Council also plans to release on Oct. 5 a separate guidance document focused on EMV, a global standard for authenticating credit and debit card payments. EMV, which can significantly drive down face-to-face fraud, is based on chip card technology and can be enhanced with the use of a PIN to verify cardholders, Jeremy King, European regional director of the PCI SSC, said during a presentation Wednesday at the Community Meeting.
EMV and PCI DSS should complement each other and not be seen as competing standards, King said. Even in a mature EMV marketplace, alternative payment methods are available, so it is still necessary to have PCI DSS controls in place.
During the presentation, King also mentioned tokenization, the process of replacing card numbers with non-sensitive surrogate values that are of no use to an attacker who obtains them. The Council plans to release a guidance document on tokenization to help merchants and others involved in the transaction process, Leach said. However, a definitive release date for the tokenization guidance document was not given.
The guidance papers set to be released next month will not introduce any additional requirements to the PCI standards or endorse one technology over another, Leach said.
It is likely that references to emerging data security technologies will eventually be included in PCI DSS itself, Jose Diaz, director of technical and strategic business development at data security company Thales, told SCMagazineUS.com on Thursday.
“They are being a little cautious and not trying to solve everything in one shot because it makes it more difficult for adoption,” Diaz said. “As these technologies start maturing, they will find their way, I believe, into the PCI DSS standards.”
Joshua Corman, research director of the enterprise security practice at analyst firm The 451 Group, who attended the Community Meeting, told SCMagazineUS.com on Thursday that he hoped the Council would provide guidance for other emerging technologies, such as virtualization and cloud computing.
“Modern enterprises are trying to save money by using virtualization and cloud, and when they ask their assessors if they can do so in a compliant manner the answer they get is ‘we don't know,’” Corman said.
In the absence of such guidance from the Council, some practitioners have deployed workloads in public clouds only to be found noncompliant when it came time for their PCI DSS assessment, he added.
Going forward, once an emerging technology is identified, the Council should provide at least provisional guidance more quickly, Corman said.
However, it is encouraging that the Council plans to release guidance on P2PE and EMV, he said. P2PE is a very effective and widely deployed security measure, and EMV has had a dramatic impact in the reduction of certain types of fraud in Europe. Its adoption should be accelerated, he said.
“I'm happy they are acknowledging the need to address emerging technology, but they need to be more aggressive and complete,” Corman added.
This week's Community Meeting brought together more than 1,000 individuals representing PCI Council participating organizations across security, payments, finance, retail and technology fields.