Leach commented that without a global standard there is no way to ensure consistency, or to evaluate implementations of the technology against the PCI standards. The council is working on criteria to validate the performance of P2PE technology that could form the basis of such a global standard; the criteria are expected to be issued next year.
“The area that we are contacted most about is the consistency of [security] assessments. The challenge of not having a global standard is substantial for assessing this environment… After examining a number of assessments, we discovered that there was no consistency in how assessors were looking at the process”, Leach noted.
“There were elements of the systems that we would have expected to be checked that just weren’t validated. The greatest challenge is the absence of testing procedures; without testing procedures, there cannot be consistency; without consistency, there cannot be a level of confidence… that the [card] information is being protected to the same level as the PCI standard”, he said in an interview with Infosecurity.
The council has recently published white papers that provide guidance for payment card companies, encryption vendors, and merchants to ensure that the P2PE and EMV (smart card) technologies being used to secure payment card transactions comply with the council’s Payment Card Industry Data Security Standard (PCI DSS). The guidance is designed to simplify the process of adopting these emerging technologies.
Leach said that merchants tend to think that, if they have in place encryption or smart card technology that makes the transaction more secure, they do not have to pay as much attention to complying with the PCI DSS. “But the encrypted information is still sent in the clear, and there are still opportunities to compromise that information”, he stressed.
The two white papers are primarily intended to help the merchant community do the following:
- Understand how these technologies help define or reshape the cardholder data environment
- Evaluate the impact of these technologies on PCI DSS compliance efforts
- Identify future potential for P2PE and EMV technologies
Another white paper, expected in the near future, will provide guidance on tokenization. Tokenization replaces a card number with a surrogate value that stands in for it in the merchant’s systems but cannot, on its own, be turned back into the card number. “Tokenization is the process of how you get from a credit card number and turn that into a surrogate value that cannot be reversed”, Leach explained.
Tokenization is used by merchants who need to follow up on a particular transaction, such as issuing a refund. By using the surrogate value, the merchant does not have to retain the card number in its systems, he said. A working group is currently drafting the guidance.
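To make the “cannot be reversed” property concrete, the following is an added example written for this page; it is not code from the article, the PCI council or any vendor. It shows a minimal token vault that issues random surrogates (the same card always gets the same token, so a later refund can be matched to the original sale without the merchant holding the card number), beside the anti-pattern of deriving the token by hashing the card number. The hash looks irreversible, but with the first six and last four digits known from a receipt, and the Luhn check digit fixing one more, only 100,000 candidates remain. The class and function names, the token format and the sample card number are assumptions.

```python
"""Added example (not from the article or the PCI council): a minimal
tokenization service with the property the text describes, a surrogate
value that only the tokenization system can turn back into the card number,
next to the anti-pattern of hashing the PAN. Names, token format and the
sample PAN are assumptions."""
import hashlib
import secrets
from typing import Dict, Optional


def _luhn_digit(d: int, i: int) -> int:
    """Contribution of digit d at index i (counted from the right) to the Luhn sum."""
    if i % 2 == 0:
        return d
    d *= 2
    return d - 9 if d > 9 else d


def luhn_ok(pan: str) -> bool:
    """Luhn check, used to keep candidate PANs plausible."""
    return sum(_luhn_digit(int(ch), i) for i, ch in enumerate(reversed(pan))) % 10 == 0


def luhn_complete(prefix: str, suffix: str) -> str:
    """The single digit d for which prefix + d + suffix is Luhn-valid."""
    s = sum(_luhn_digit(int(ch), i) for i, ch in enumerate(reversed(prefix + "0" + suffix)))
    pos = len(suffix)  # index of the unknown digit, counted from the right
    return next(str(d) for d in range(10) if (s + _luhn_digit(d, pos)) % 10 == 0)


class TokenVault:
    """Holds the token-to-PAN mapping. Only the vault can detokenize; the
    merchant stores the token, which carries no information about the PAN
    beyond the last four digits that receipts already show."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._token_by_pan:  # same card, same token: a refund can be matched to the sale
            return self._token_by_pan[pan]
        while True:
            # Random surrogate: nothing is derived from the PAN, so there is no offline reversal.
            token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only called inside the vault boundary, e.g. to forward a refund to the acquirer."""
        return self._pan_by_token[token]


def weak_token(pan: str) -> str:
    """Anti-pattern: an unkeyed hash of the PAN looks irreversible but is not."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan_from_weak_token(token: str, bin_prefix: str, last_four: str) -> Optional[str]:
    """Reverse a hashed 16-digit PAN when the BIN (first six) and last four are
    known, as they are from a receipt: six middle digits are unknown, Luhn fixes
    one of them, and the remaining 100,000 candidates are hashed and compared."""
    for middle in range(10**5):
        prefix = f"{bin_prefix}{middle:05d}"
        candidate = prefix + luhn_complete(prefix, last_four) + last_four
        if weak_token(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample PAN (a well-known test number), not real card data.
    pan = "4111111111111111"
    vault = TokenVault()
    token = vault.tokenize(pan)
    print("merchant stores:", token)
    print("hashed 'token' reversed to:", recover_pan_from_weak_token(weak_token(pan), pan[:6], pan[-4:]))
```

The point of the brute-force function is the one a QSA would raise: a token is only a surrogate if the mapping lives in a protected vault, so a merchant who “tokenizes” with a hash of the card number has not removed the card number from scope.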
The council is revising its main standards documents: PCI DSS, the PIN Transaction Security (PTS) requirements, and the Payment Application Data Security Standard (PA-DSS). The PTS requirements were updated earlier this year. The council expects the revisions of PCI DSS and PA-DSS to be ready by the end of October, according to Jeremy King, the council’s European regional director.