The PCI Security Standards Council issued point-to-point encryption validation requirements as part of a new program that aims to provide merchants with a list of certified products.
The PCI encryption requirements document, PCI Point-to-Point Encryption Solution Requirements, was released this week and gives vendors, assessors and merchants guidelines for hardware-based point-to-point encryption implementations that support PCI DSS compliance. The Council said its requirements focus on securing and monitoring the hardware, developing and maintaining secure applications, and using secure key management methodologies.
Point-to-point or end-to-end encryption providers have been touting the benefits of encrypting cardholder data from the moment a card is swiped at a point-of-sale device until it reaches the card processor. But merchants have had no easy way to evaluate individual providers and determine whether the equipment, applications and capabilities meet PCI DSS requirements across that whole path, from capture of the card data to its transmission to processor and bank systems. That gap has figured in several high-profile data breaches, which exposed holes both in PCI assessments and in so-called end-to-end encryption implementations that in practice did not keep the data encrypted end to end.
Last year the Council called point-to-point encryption implementations too immature to evaluate properly. Bob Russo, general manager of the PCI SSC, said that many merchants have nonetheless purchased and deployed hardware-based point-to-point encryption systems, which prompted the Council to create the validation program. Testing procedures will be released later this year, followed by a training program for Qualified Security Assessors, Russo said. A list of validated systems is due in the spring of 2012.
“Merchants think that buying point-to-point encryption solutions will reduce the scope of what they’re doing and that’s not always the case,” Russo said. “We know people are buying this right now so we wanted to make sure we produced something meaningful as well as a program that certifies some of these things.”
The first phase of the point-to-point encryption program focuses on requirements for implementations that pair hardware-based PIN Transaction Security (PTS) devices, where the card is swiped and the account data is encrypted, with hardware security modules (HSMs), where the decryption takes place. In the second phase, validation requirements will address hybrid systems and pure software point-to-point encryption deployments, Russo said.
The validation document lays out six domains that will be assessed in a point-to-point encryption implementation: the security controls on the encryption hardware, the applications running within that hardware, the merchant environment where the encryption hardware is present, the transmission between the encryption and decryption environments, the decryption environment itself, and the key management operations.
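The data flow those six domains describe can be modelled in a few dozen lines: account data is encrypted inside the point-of-interaction device, transits the merchant's systems as opaque ciphertext, and is decrypted only inside the processor's decryption environment, which also holds the key material. The following is an added illustration, not PCI SSC material and not any vendor's code. The per-transaction key derivation, the counter-mode keystream and the MAC are stdlib-only stand-ins (HMAC-SHA256) for the approved algorithms a real PTS device and HSM would use, and the PAN, device identifier and base key are constructed sample values.

```python
"""Model of the P2PE data flow: POI encrypts, merchant forwards blindly, HSM decrypts.

Added illustration only. HMAC-SHA256 stands in for approved ciphers and key
derivation; device IDs, keys and the card number below are constructed samples.
"""
import hashlib
import hmac
import os
import struct


def _kdf(key: bytes, *labels: bytes) -> bytes:
    """HMAC-SHA256 key derivation stand-in (assumption: not a PCI-approved KDF)."""
    return hmac.new(key, b"".join(labels), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC blocks (stand-in for a block cipher)."""
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
    return out[:length]


def txn_keys(base_key: bytes, device_id: str, counter: int) -> tuple:
    """Per-transaction encryption and MAC keys derived from the injected base key.
    Only the POI and the HSM can derive them; nothing in between holds base_key."""
    tk = _kdf(base_key, device_id.encode(), struct.pack(">Q", counter))
    return _kdf(tk, b"enc"), _kdf(tk, b"mac")


class PoiDevice:
    """Point-of-interaction terminal: the only merchant-side place cleartext exists."""

    def __init__(self, device_id: str, base_key: bytes):
        self.device_id = device_id
        self._base_key = base_key  # injected at key loading; never exported
        self._counter = 0

    def swipe(self, track_data: str) -> dict:
        self._counter += 1
        kenc, kmac = txn_keys(self._base_key, self.device_id, self._counter)
        nonce = os.urandom(12)
        pt = track_data.encode()
        ct = bytes(a ^ b for a, b in zip(pt, _keystream(kenc, nonce, len(pt))))
        tag = hmac.new(kmac, nonce + ct, hashlib.sha256).digest()
        return {"device_id": self.device_id, "counter": self._counter,
                "nonce": nonce, "ciphertext": ct, "tag": tag}


def merchant_forward(msg: dict, store_log: list) -> dict:
    """Merchant POS / store controller: logs and forwards the message unchanged.
    It holds no key material, so this log is all an intruder here would obtain."""
    store_log.append(dict(msg))
    return msg


class DecryptionHsm:
    """Processor-side decryption environment: keeps base keys per device,
    checks the MAC before decrypting and rejects replayed transaction counters."""

    def __init__(self, device_keys: dict):
        self._device_keys = dict(device_keys)
        self._last_counter = {}

    def decrypt(self, msg: dict) -> str:
        dev = msg["device_id"]
        if msg["counter"] <= self._last_counter.get(dev, 0):
            raise ValueError("replay")
        kenc, kmac = txn_keys(self._device_keys[dev], dev, msg["counter"])
        expected = hmac.new(kmac, msg["nonce"] + msg["ciphertext"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["tag"]):
            raise ValueError("mac")
        self._last_counter[dev] = msg["counter"]  # advance only after a valid MAC
        ct = msg["ciphertext"]
        return bytes(a ^ b for a, b in zip(ct, _keystream(kenc, msg["nonce"], len(ct)))).decode()


def run_demo() -> dict:
    """End-to-end run on constructed sample data; reports what each party saw."""
    base_key = os.urandom(32)  # stand-in for the key injected into one device
    poi = PoiDevice("POI-0001", base_key)
    hsm = DecryptionHsm({"POI-0001": base_key})
    track = "4111111111111111=2512"  # constructed test PAN and expiry
    store_log = []
    msg1 = merchant_forward(poi.swipe(track), store_log)
    recovered = hsm.decrypt(msg1)
    # the merchant log must contain neither the PAN nor anything derived from the key
    merchant_saw_pan = any(track.encode() in v for v in store_log[0].values()
                           if isinstance(v, bytes))
    msg2 = poi.swipe(track)  # fresh counter, so it reaches the MAC check
    tampered = dict(msg2, ciphertext=bytes([msg2["ciphertext"][0] ^ 1]) + msg2["ciphertext"][1:])
    errors = {}
    for name, m in (("tampered", tampered), ("replayed", msg1)):
        try:
            hsm.decrypt(m)
            errors[name] = None
        except ValueError as e:
            errors[name] = str(e)
    return {"recovered": recovered, "merchant_saw_pan": merchant_saw_pan, **errors}


if __name__ == "__main__":
    print(run_demo())
```

The point of the model is the asymmetry it makes visible: the merchant tier can log every message it forwards and still learn nothing, because neither the base key nor the derived transaction keys ever exist outside the POI and the HSM. That is the property a validated solution buys scope reduction with; the merchant remains responsible for everything the model does not cover, such as physically protecting the devices and the people who handle them.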
The document lays out the responsibilities of device manufacturers, application vendors and point-to-point encryption solution providers. It builds on validation programs already run under the Payment Application Data Security Standard (PA-DSS) and the PCI PIN Transaction Security laboratory, which currently tests point-of-interaction (POI) devices.
A Qualified Security Assessor will evaluate the complete deployment to ensure the hardware, applications and key management processes fully protect cardholder data by meeting the PCI DSS requirements, according to the document.
A fully validated point-to-point encryption implementation will reduce the scope of PCI DSS on a merchant's systems, but the Council cautions that merchants must still be assessed against PCI DSS to ensure the solution is being secured and maintained.
“This scope reduction does not entirely remove or replace all of a merchant’s PCI DSS compliance or validation obligations,” according to the PCI point-to-point encryption validation document. “Applicable requirements covering the education of staff handling account data, security policies, third-party relationships, and physical security of media will still apply to merchants that have implemented a validated P2PE solution.”