PCI updates data encryption standard to increase product availability
In updating its point-to-point encryption standard, the PCI Security Standards Council says the resulting simplified validation process for component and software providers will result in more products available for cardholder data protection.
The new v3.0 encryption standard does not change the approach to security in that it adds only minor changes to requirements. Its main focus is adding program changes the council views as beneficial to the payments industry by doubling the amount of component providers that can validate against the standard.
A listing of the individual components available for P2PE makes it easier for a solution provider to be aware of the validated components in which to integrate their software.
“The council is committed to evolving its standards, programs and resources to help the industry innovate for payment acceptance in a secure manner,” Troy Leach, the PCI council's senior vice president, said in a Thursday press release. “The changes focus instead on providing the opportunity for new approaches in meeting the standard and will ultimately result in more PCI P2PE solutions available for merchants to use in protecting payment data and simplifying their PCI DSS efforts.”
A point-to-point encryption component and software cryptographically protect account data from the point where a merchant accepts the payment card to the secure point of decryption. When using P2PE, a merchant assures that cardholder data and sensitive authentication data is unreadable until it reaches a secure decryption environment. Ultimately, it makes data stolen in a breach less valuable if is intercepted when moving through a network.
Merchants can continue to use or currently deploy the P2PE v2.0 for its security benefits, as the v3.0 update essentially addresses the program validation process and gives providers and their merchant clients more options.