This article can also be found in the Premium Editorial Download "Information Security magazine: Effectively navigating the security risk assessment process."
Download it now to read this article plus other related content.
After issuing validation requirements for hardware-based point-to-point encryption, the PCI Security Standards Council is now developing a new program to certify
Bob Russo, general manager of the PCI SSC, says the program will be modeled after certification procedures used for payment applications and PIN pad devices. The point-to-point encryption certification program will focus on securing and monitoring the hardware, developing and maintaining secure applications, and secure key management methodologies.
“We looked at existing standards and referenced some best practices to come up with this program and certify some of these things,” Russo says. “I want to caution that anybody who thinks they are going to pick out a solution from this list and automatically be compliant is going to be surprised; there are still PCI compliance activities at the foundation of what they’ve got to do.”
Point-to-point or end-to-end encryption has been touted by providers as a way to eliminate credit card data from merchant systems and streamline PCI compliance. Early adopters have deployed the technology to encrypt cardholder data from the time a credit card is swiped at a point-of-sale terminal, to the time it reaches a card processor. Russo says the certification program is important because merchants have had no easy way to verify the claims made by point-to-point encryption providers or determine whether the technology will reduce the scope of a PCI DSS assessment.
The new program will initially certify hardware-based point-to-point encryption systems. It will eventually be expanded to include hybrid and software-based encryption technologies, Russo says. Hardware-based point-to-point encryption systems use PIN transaction security (PTS) devices combined with hardware security modules, which perform the decryption.
Guidance documents and certification lists help reduce the confusion for merchants, says Russell D. Vines, qualified security assessor (QSA) and chief security advisor for Montvale, N.J.-based consultancy Gotham Technology. Vines says he has seen software vendors successfully dupe companies into purchasing poorly configured security software. A list of certified products is a good starting point and could reduce fraud, he says.
“It helps because the whole environment of the number of devices is so enormous that one QSA couldn’t be completely knowledgeable in everything,” Vines says. “My clients seem to like the guidance because it makes it a lot easier for them to navigate the path to certification. They can get their infrastructure assessed faster, easier and with fewer headaches.”
The goal of the council’s point-to-point encryption guidance is to define the minimum criteria for taking systems out of scope, says Richard Moulds, vice president of product strategy at Florida-based Thales e-Security, which sells the hardware security modules used in the encryption process. Moulds took part in the working group that helped create the validation requirements, which will be the basis for the certification program. Early adopters of the technology have had to work hard to convince QSAs that certain systems were out of scope of an assessment, Moulds says.
“Enterprises are desperate to find ways of taking applications and domains that have no ability to see any cardholder data out of scope,” Moulds says. “Up until now, enterprises relied on convincing the QSA that [point-to-point encryption] is being done properly.”
Robert Westervelt is the news director of SearchSecurity.com. Send comments on this article to firstname.lastname@example.org. Send comments on this article to email@example.com.
This was first published in October 2011