PCI Security Standards Council general manager Bob Russo said the next revision of the Payment Card Industry Data Security Standard (PCI DSS), due in October, will contain clarifications but no major changes to the standard.
"There won't be any surprises," Russo said. "We're more likely to see guidance documents."
Encryption, virtualization and the use of more secure payment terminals are expected to gain more attention. Those topics have been the focus of several special interest groups managed by the PCI SSC and of a study of emerging technologies intended to shape future versions of the standard, Russo said. The organization is also considering Chip and PIN technology, though no PCI DSS revisions on that issue are anticipated in 2010.
PCI DSS changes take place on a two-year revision schedule, with the last major update released in 2008. The organization gathers about four months of feedback from council members followed by a meeting of its Board of Advisors in which any proposed changes are put in place. A draft revision of the new standard is due in May, and the organization will gather any remaining feedback at its community meetings in September. The updated PCI DSS standard would be finalized and made public by mid-October, along with any revisions made to the Payment Application Data Security Standard (PA DSS), Russo said. A revision to the PIN Entry Device Security Requirements, also maintained by the organization, is due in April.
Rather than a major PCI DSS revision, this year the council expects to release guidance documents to help merchants being bombarded by vendors with new card data protection technologies.
A topic deserving further study is end-to-end encryption, Russo said. Robert Carr, CEO of Heartland Payment Systems Inc., which announced last year that it suffered a massive breach as a result of a SQL injection flaw, has been pushing the industry to adopt more comprehensive encryption measures. Heartland has worked with Voltage Security Inc. to develop its E3 secure payment system. But Russo said the term "end-to-end encryption" hasn't been clearly defined and added that tokenization, a facet of a payment strategy being introduced by EMC Corp.'s RSA security division and payment processing giant First Data Corp., introduces similar security issues.
"End-to-end encryption is a catchphrase because at a certain point along the line, the data needs to be decrypted," prompting key management questions, Russo said. "Key management introduces a whole new series of issues that could cause you to be less secure."
Russo said he doesn't expect a special interest group dedicated to end-to-end encryption to be formed. Instead, encryption within the payment process will be addressed as other technologies that affect the payment process are identified and studied. The Virtualization Special Interest Group, due to recommend guidance in March on protecting card data within virtualized environments, will address the role of encryption as well, Russo said.
"Unfortunately there are so many different technologies that merchants may have started down the path with that we need to be careful and study them before prescribing them in the standard," Russo said.
Chip and PIN technology is also gaining increased attention among the card brands, Russo said. A special interest group is studying Chip and PIN, which is widely used in Europe and Asia and is being phased in at payment terminals in Canada. The technology stores card data on an embedded microchip rather than relying on the magnetic stripe on the back of the card, and requires the cardholder to enter a PIN (typically four digits) to confirm a payment. The issue is also being pushed by lawmakers: at a congressional subcommittee hearing on the adequacy of PCI DSS to protect cardholder data, several lawmakers called on the industry to move forward with Chip and PIN to reduce data theft and bolster the protection of transactions.
"The rest of the world is using some form of Chip and PIN so we can't ignore it," Russo said. "It's an enormous endeavor and implementing this poses huge costs."