Thursday, April 15, 2010

PCI Council - Guidance on End-to-End Encryption

2010 RSA Security Conference
The PCI Security Standards Council is researching emerging technologies and plans to issue a guidance document on end-to-end encryption alongside the next version of the PCI Data Security Standard (PCI DSS), expected for release in October.

It is reported that Bob Russo, general manager of the PCI Council, said researchers are preparing documentation on what he calls the latest industry "big buzz word." Other technologies they are researching include tokenization and chip-and-PIN, both used to protect credit card data, along with how virtualization affects data protection technologies.

When questioned by a reporter at the RSA conference, Russo gave the following updates on the PCI standard:

ADOPTION
Bob Russo: In 2009 we were seeing a lot of uptake on the standard. Since it's a global standard, we're seeing it throughout the world. We're doing lots of training and lots of awareness-type seminars for literally every place around the world. All of our training is pretty much sold out. This year we've had to add training sessions so people can understand what the standard is and get better prepared for an assessment. So overall 2009 was a very good year for the Council, but 2010 is a very busy year for us. We're releasing three standards this year in eight different languages, so we're working hard.

NEW TECHNOLOGY
Russo: We're studying a couple of technologies right now to give additional guidance on them hopefully this year when we release the standard. Chip (chip and PIN) [is being studied] as an initial technology, because chip is a mature technology. There's a lot known about the technology. We have a lot of experience with it outside the United States, so we're looking at chip and we're actually mapping how chip would compare with the standard. We certainly don't think that there's a silver bullet in any of these technologies, whether it is chip and PIN, end-to-end encryption as the buzz word goes, tokenization or anything of that nature.

The second technology is encryption. Russo does not like the term "end-to-end encryption"; whether it ends up being called point-to-point encryption, account data encryption or transaction-based encryption, the Council will map that against the standard as well. It will then move on to technologies such as tokenization and virtualization.

The PCI Council is creating a framework in which these technologies are mapped out and laid next to the standard, so that a company using one of them can see which PCI requirements it satisfies.

Summary of Interview
2010 REVISIONS
As for revisions in 2010: at this point the Council is collecting feedback, which closes at the end of April. The feedback touch points are how best to protect the data, how much it will cost a merchant, the return on investment, and whether anything fundamentally changes the way the merchant does business in order to comply.

Russo stated that the Council will not require anything that changes the fundamental way a merchant does business, and will not put currently compliant merchants out of compliance. Ideally, new requirements will first be issued as best-practice guidance for a certain period of time.

END-TO-END ENCRYPTION
Another question merchants raise about end-to-end encryption is: from which end to which end? This is the key issue. There are no standards yet for this type of encryption or for how its keys are handled, and if you are not careful you can end up making things less secure. For example, if card data is decrypted inside the merchant's own systems rather than at the processor, those systems hold cleartext card data and remain in scope.

INTEGRATED SOLUTIONS
There are a dozen solutions on the market. The questions are: Do they talk to each other? Are they interoperable? What if a merchant is using more than one? All of these things will need to be considered.

The PCI Council plans to study what an encryption solution must do at a minimum. Once that is defined, it will put out guidance, but nothing in the standard itself.

TOKENIZATION
Tokenization is making its way into emerging encryption products. The PCI Council does not see itself requiring any kind of tokenization, end-to-end encryption or chip technology in this version. However, it will issue guidance on them. Russo: If a merchant has already started down a path and spent some dollars on one technology, certainly it would not be in our best interest to say "you chose the wrong technology, now you need to use this technology." So there will be guidance on each one of these things that we roll out.

DON'T PANIC - YET
In the last version of the standard, requirement 6.6 (protecting public-facing web applications by code review or an application-layer firewall) was a best practice for 18 months before it became mandatory. It is still too early to tell whether the next release will be a version 2 or a version 1.3.

Jamie's MOTTO.....

Don't follow the path that is already there....go instead where there is no path....and leave a trail....

This trail is a part of a long journey .....