By Sue Zloth
I’ve been waiting for some time to read this document. Yesterday, the PCI Council released the first in a series of documents that will delve into the issue of encryption as it impacts PCI DSS and scope reduction.
Being the first document in a series, it is a good start, but it really doesn't provide many details or specifics. It does, however, indicate that the Council is looking at establishing an evaluation process for products supporting end-to-end encryption (E2EE).
The document also offers merchants an understanding of what they should be evaluating to determine if an E2EE/P2PE solution may simplify PCI DSS compliance for their environment. It is critical that merchants understand their entire card transaction environment. As sensitive cardholder information travels through the system and is identified, merchants must have a realistic understanding of the threats involved and put in place risk management measures that are appropriate.
Minimizing data within the environment can limit the scope of a PCI DSS assessment. But the big question is whether or not an encryption solution can simplify PCI DSS compliance.
We believe that encryption is one of the ways to do this, although, as we've stated before, it is most effective when layered with tokenization. According to the document, encrypted data is out of scope only if the encryption and decryption keys are not held by the same organization. But what Bob Russo and Troy Leach, CTO of the PCI Data Security Standards Council, have made clear is that validating correct implementation of each layer of security is the most likely way to reduce the scope.
I am now even more curious to read the next document in this series, Validation Requirements for Point-to-Point Encryption, which is not expected to be released until 2011. Stay tuned for more on this topic, and if you have your own thoughts on the document after reading it, please share them below.
[...] PCI Council Releases Guidance on Encryption for PCI DSS and Scope Reduction In October, The PCI Council released the first in a series of documents that delved into the issue of encryption as it impacts PCI DSS and scope reduction. Merchant Link’s Sue Zloth provided key insights into this guidance and how it provided merchants with an understanding of what they should be evaluating to determine if a point-to-point encryption solution will simplify PCI DSS compliance for their environment. Read the full post here. [...]