The time to prepare for EMV and advanced encryption appears to have arrived.
The Payment Card Industry Security Standards Council on Sept. 23 gave attendees at its Community Meeting in Orlando, Fla., an early peek at new guidance to be released Oct. 5 that charts how the Wakefield, Mass.-based council envisions its standards interacting with EMV chip-and-PIN and advanced encryption efforts.
EMV has its own standards body, United Kingdom-based EMVCo, and no uniform approach exists for advanced encryption across the payments industry.
The council’s guidance emanates from the philosophy that defending payment card data takes depth, Troy Leach, the council’s chief technology officer, told PaymentsSource during the council’s meeting. “You can’t rely on a single point of defense,” Leach says.
For example, an EMV transaction requires the personal account number to be unencrypted so it can be authenticated at the point of sale. Merchants relying solely on EMV technology increase their risk by not also taking measures to protect the sensitive card data, Leach says.
Many merchants use more than one method to complete a sale, and that is an important reason why EMV-accepting merchants should comply with PCI standards, says Jeremy King, the council’s European regional director. “There is more than one area where they have to look at all of the data,” he says.
The time also is right to begin addressing how the council’s standards interact with the encryption services many vendors are selling, King says.
And merchants and others in the payments industry want some guidance. “We’re looking at that because we’re being asked to by our participating organizations,” King says.
Moreover, no standards exist that define “end-to-end” encryption, and there are no ways to validate protection claims, he says.
The council’s guidance on what it instead calls point-to-point encryption could be the start of a way to validate encryption claims, Leach says.
Indeed, validation is essential because not all security algorithms and encryption processes are created equal, Leach says. A faulty implementation can defeat the benefit of the service, he notes.
As the payments industry and merchants review and provide feedback on the council’s new guidance, the council will have to coordinate its work with other standards organizations, such as the Accredited Standards Committee X9 Inc., which oversees many financial-services standards, Jose Diaz, director of technical and strategic business development at Thales e-Security, tells PaymentsSource.
“In the Data Security Standard, the council is not calling for specific requirements, but (instead is) issuing general guidance,” Diaz says, noting other standards bodies will address specific requirements for various technologies.
“The PCI DSS provides that framework that anyone trying to address security and compliance can follow,” he says.
The PCI council’s new guidance is significant and timely, says George Peabody, director of emerging technologies at Maynard, Mass.-based Mercator Advisory Group Inc.
Inspired by the emerging use of EMV and advanced encryption, the guidance could herald the beginning of a shift to dynamic card data, he says. Payment card data currently are static in that the card stays the same at every point in the transaction lifecycle. In a dynamic system, a transaction is assigned a unique identifier so the actual card number is not transmitted.
“Dynamic data adds a whole level of security we didn’t have at the edge of the network,” Peabody says, referring to the point where a consumer makes a transaction.
Such a migration could take from five to 10 years, even if started today, “which still leaves a gaping hole and which is why tokenization and encryption have a role to play now,” he says.
Visa Inc. issued tokenization best practices in July.
The PCI council says its upcoming guidance speaks to its future approach to payment-data security. An outline for how the council will approach these technologies is included in its guidance on point-to-point encryption.
“This is the first time anyone has given a roadmap on this,” King says.