Few credit card tokenization projects are getting support from upper management, despite a high level of interest from enterprise security pros, according to a recent survey.
The survey, conducted in March by SearchSecurity.com, polled 119 IT security and compliance professionals who attended a TechTarget virtual seminar on the Payment Card Industry Data Security Standard (PCI DSS). Forty percent of those surveyed said they were using or plan to use tokenization as part of their PCI compliance initiatives.
Experts say the response is good news for vendors touting tokenization as a means to replace credit card data in payment environments. Tokenization is a mature technology used in a variety of formats to replace sensitive data. But the technology hasn’t gained much traction for use with payment systems. More than half of those surveyed (57%) said they don’t currently use tokenization to reduce audit scope.
“People realize the technology’s ability to reduce scope, but they haven’t gotten the support from above to implement it,” said Martin McKeay, a CISSP and PCI qualified security assessor based in Santa Rosa, Calif., who added that many of the tokenization implementations he’s seen have been “home brewed,” and not deployed as a compliance measure.
Survey participants indicated that additional information regarding tokenization would be needed before investing in the technology. Tokenization involves replacing credit card data with a unique identifier or token that could be fed into analytical systems and other processes to eliminate the need to store and access credit card data. The token would be useless in the hands of an attacker.
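To make the point in the previous paragraph concrete, here is an added illustration that is not part of the original article: a minimal vault-style tokenizer in Python. The vault class, the Luhn check and the sample card number 4111 1111 1111 1111 (a widely used test number, not a real account) are constructed for this example. The token is drawn from a CSPRNG rather than derived from the card number, so holding the token alone yields nothing about the PAN; only the vault, which stays inside the cardholder data environment, can map it back.

```python
import re
import secrets


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check used to validate a PAN before it is tokenized."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed example of a tokenization vault.

    Tokens are random, format-preserving (same length, same last four digits for
    receipts and customer service) and deliberately fail the Luhn check, so a
    token can never be mistaken for, or replayed as, a real card number.
    The PAN-to-token maps live only inside the vault; downstream analytics,
    CRM or loyalty systems see tokens exclusively and drop out of PCI scope.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    @staticmethod
    def _normalize(pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if not (13 <= len(digits) <= 19) or not luhn_ok(digits):
            raise ValueError("not a valid PAN")
        return digits

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, creating one on first sight."""
        digits = self._normalize(pan)
        existing = self._pan_to_token.get(digits)
        if existing is not None:
            return existing          # same PAN always maps to the same token
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(digits) - 4))
            token = body + digits[-4:]
            # Reject collisions, the PAN itself, and anything that looks like a
            # valid card number (roughly one random candidate in ten passes Luhn).
            if token not in self._token_to_pan and token != digits and not luhn_ok(token):
                break
        self._token_to_pan[token] = digits
        self._pan_to_token[digits] = token
        return token

    def detokenize(self, token: str) -> str:
        """Recover the PAN. Only the payment-processing path should be allowed to call this."""
        try:
            return self._token_to_pan[token]
        except KeyError:
            raise KeyError("unknown token") from None


def attacker_view(token: str) -> dict:
    """What a token reveals to someone who steals it from an out-of-scope system:
    only the length and the last four digits that a receipt would show anyway."""
    return {"length": len(token), "last4": token[-4:], "looks_like_card": luhn_ok(token)}


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4111 1111 1111 1111")   # constructed test PAN
    print("token:", tok, attacker_view(tok))
    print("vault resolves it to:", vault.detokenize(tok))
```

Because the token is random, a compromised database of tokens is worthless without the vault; the vault therefore becomes the one system that must meet the full standard, which is exactly the scope reduction the survey respondents are after.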
Last October the PCI SSC issued recommendations on point-to-point encryption. At the time, the organization indicated additional guidance material addressing the use of tokenization was being finalized. The organization has so far balked at providing more information. Visa Inc. issued its recommended guidance, Tokenization Best Practices, last summer. Still, according to McKeay, it would be helpful if the PCI Council would define a token and outline the kind of tokens and systems that are acceptable under the standard.
Diana Kelley, a partner with Amherst, N.H.-based consulting firm SecurityCurve, said that while guidance documents aren’t part of the official standard, they typically help define an emerging technology and help organizations determine the council’s direction for future versions of the standard. For now, organizations should be documenting a tokenization implementation and determining whether the acquirer/processor thinks the technology is an acceptable compensating control.
While adoption has been slow, Kelley said there are signs that the technology is gaining interest. At the 2011 RSA Conference, tokenization vendor nuBridges highlighted a merchant, Helzberg Diamond Shops Inc., which is using tokenization to reduce its PCI scope.
Virtualization guidance sought
Organizations are also seeking additional guidance on securing payment data in virtual environments, according to the survey. More than 30% of respondents said they were urgently awaiting new guidance from the PCI Security Standards Council’s Virtualization Special Interest Group.
Security experts say network traffic visibility between virtual machines is one of the biggest difficulties for firms that have migrated payment applications and point-of-sale data to virtual servers.
“People are waiting for guidance around how the hypervisor should be configured and what type of appropriate segregation and controls should there be around the environment,” said SecurityCurve’s Kelley.
The PCI DSS offers few details about virtualization. Components of virtualization in the payment card environment are considered “in scope” for any review by a qualified security assessor (QSA). PCI DSS 2.2.1 allows one primary function per virtual system component. Security controls for virtual systems, along with roles, permissions and authentication procedures, must be documented. The particulars of how sensitive data is protected and made inaccessible to the rest of the network are left to the scrutiny of the QSA and the requirements of the acquirer/processor.
Kelley said some organizations are applying protections to virtual servers based on consultations with QSAs, while others are implementing controls they deem necessary from their own self-assessments, and, in the meantime, waiting for additional guidance from the PCI SSC.
The threat of being attacked is real because network monitoring sensors have trouble detecting traffic between virtual machines, Kelley said. If an attacker breaks into a less sensitive VM, Kelley said, a traffic sniffer can be deployed between a Web application payment service and the database, and slurp up credit card data.
“There’s potential for a problem, but there are ways to mitigate and control the threat,” Kelley said. “Overall, I think it’s an important point and I think the PCI Council really does have to get information out to merchants because things can get very complex very quickly.”
In addition, the majority of those surveyed indicated much of their spending is on continued testing and upkeep of security systems to maintain compliance. Others indicated money is being spent on encryption of data being transmitted on open networks and additional firewall protection to protect cardholder data. While more than half said spending at their organization was idle in 2010, a small number of people (20%) said their organizations increased spending significantly in 2010.