Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

By Sue Zloth

I’ve been waiting for some time to read this document. Yesterday, the PCI Council released the first in a series of documents that will delve into the issue of encryption as it impacts PCI DSS and scope reduction.

As the first document in a series, it is a good start, but it does not provide many details or specifics. It does indicate, however, that the Council is looking at establishing an evaluation process for products supporting end-to-end encryption (E2EE).

The document also offers merchants an understanding of what they should be evaluating to determine whether an E2EE/P2PE solution may simplify PCI DSS compliance for their environment. It is critical that merchants understand their entire card transaction environment. As sensitive cardholder information travels through the system and is identified, merchants must have a realistic understanding of the threats involved and put in place appropriate risk management measures.

Minimizing the cardholder data present in the environment can limit the scope of a PCI DSS assessment. But the big question is whether or not an encryption solution can simplify PCI DSS compliance.

We believe that encryption is one of the ways to do this, although, as we’ve stated before, it is most effective when layered with tokenization. According to the document, encrypted data is out of scope only if the encryption and decryption keys are not held by the same organization. But what Bob Russo and Troy Leach, CTO of the PCI Data Security Standards Council, have made clear is that validating the correct implementation of each layer of security is the most likely way to reduce scope.

I am now even more curious to read the next document in this series, Validation Requirements for Point-to-Point Encryption, which is not expected to be released until 2011.  Stay tuned for more on this topic, and if you have your own thoughts on the document after reading it, please share them below.


Written by Merchant Link Staff

Merchant Link’s SecurityCents blog is essential reading for merchants in the retail, lodging, and restaurant industries looking to secure their customers’ credit card data. Check the blog regularly to read what our industry experts have to say about the latest developments in the world of payments, payment data security and technology, PCI compliance, and more. We invite you to leave comments and share your insights and opinions.

Comments

There are 5 comments for this post.

  1. Tweets that mention Merchant Link SecurityCents :: Encryption PCI Compliance :: PCI Council Releases Guidance on Encryption for PCI DSS and Scope Reduction -- Topsy.com on October 6, 2010 12:08 pm

    [...] This post was mentioned on Twitter by securitypro2009 and Serge innocent, Merchant Link. Merchant Link said: PCI offers merchants guidance on how E2EE / P2PE may simplify compliance > http://bit.ly/bFmrOW [...]

  2. Merchant Link SecurityCents :: Encryption :: Acronym Alphabet Soup on October 14, 2010 8:13 am

    [...] was brought in to sharp relief recently when the PCI Council released their first guidance document on Point to Point Encryption. At first I was a little mystified, had there been some [...]

  3. PCI: A Year in Review « SecureThinking on December 22, 2010 1:06 pm

    [...] area of emerging technologies that will be front and center in 2011 is end-to-end encryption, which has been used to great effect in Europe by the larger adoption of PDQs and tokenization for [...]

  4. Merchant Link SecurityCents :: Encryption Featured PCI Compliance Tokenization :: SecurityCents Looks Back at Most Popular Blog Posts in 2010 on January 18, 2011 1:44 pm

    [...] PCI Council Releases Guidance on Encryption for PCI DSS and Scope Reduction In October, The PCI Council released the first in a series of documents that delved into the issue of encryption as it impacts PCI DSS and scope reduction. Merchant Link’s Sue Zloth provided key insights into this guidance and how it provided merchants with an understanding of what they should be evaluating to determine if a point-to-point encryption solution will simplify PCI DSS compliance for their environment. Read the full post here. [...]

  5. Merchant Link SecurityCents :: Tokenization :: Devaluing your data with tokens on February 21, 2011 9:22 am

    [...] fall the PCI Council announced guidance on point-to-point encryption (P2PE) to help merchants protect their customers’ payment card information. Since then, merchants [...]