Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

Bob Russo

PCI Security Standards Council publishes third-party security assurance guidance

The PCI Security Standards Council and a PCI Special Interest Group (SIG) consisting of merchants, banks and third-party service providers have produced an information supplement which provides recommendations for meeting PCI Data Security Standard (PCI DSS) requirement 12.8 and helps to ensure payment data and systems entrusted to third parties are maintained in a secure and compliant manner. 

Breach reports continue to highlight security vulnerabilities introduced by third parties as a leading cause of data compromise. According to a 2013 study1 by the Ponemon Institute, the leading mistake organizations make when entrusting sensitive and confidential consumer information to third-party vendors is not applying the same level of rigor to information security in vendor networks as they do in their own. 

Per PCI DSS Requirement 12.8, if a merchant or entity shares cardholder data with a third- party service provider, certain requirements apply to ensure continued protection of this data will be enforced by such providers.  

The Third-Party Security Assurance Information Supplement focuses on helping organizations and their business partners achieve this by implementing a robust third-party assurance program. Produced with the expertise and real-world experience of more than 160 organizations involved in the Special Interest Group, the guidance includes practical recommendations on how to:

  • Conduct due diligence and risk assessment when engaging third party service providers to help organizations understand the services provided and how PCI DSS requirements will be met for those services.
  • Implement a consistent process for engaging third-parties that includes setting expectations, establishing a communication plan, and mapping third-party services and responsibilities to applicable PCI DSS requirements.
  • Develop appropriate agreements, policies and procedures with third-party service providers that include considerations for the most common issues that arise in this type of relationship.
  • Implement an on going process for maintaining and managing third-party relationships throughout the lifetime of the engagement, including the development of a robust monitoring program. 

The guidance includes high-level suggestions and discussion points for clarifying how responsibilities for PCI DSS requirements may be shared between an entity and its third-party service provider, as well as a sample PCI DSS responsibility matrix that can assist in determining who will be responsible for each specific control area. 

PCI Special Interest Groups are PCI community-selected and developed initiatives that provide additional guidance and clarifications or improvements to the PCI Standards and supporting programs. As part of its initial proposal, the group also made specific recommendations that were incorporated into PCI DSS requirements 12.8 and 12.9 in version 3.0 of the standard. 

“One of the big focus areas in PCI DSS 3.0 is security as a shared responsibility,” said Bob Russo, PCI SSC General Manager. “This guidance is an excellent companion document to the standard in helping merchants and their business partners work together to protect consumers’ valuable payment information.”  

The Third-Party Security Assurance Information Supplement is available on the PCI SSC website.

Also look at my PCI resources page as it is often easier to find thing there.

Advertisements

PA DSS and PCI DSS version 3.0 now available in 9 languages

The PCI Security Standards Council (PCI SSC), have announced that the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS) 3.0 are now available in nine languages.

“It’s important that organizations around the globe have the resources they need to protect card data,” said Bob Russo, general manager, PCI Security Standards Council. “We’re happy to make the PCI Standards available in a number of languages to assist organizations as they work to make payment security part of their business-as-usual practices.”

PCI DSS and PA-DSS 3.0 were published in November 2013, with updates made based on feedback from the Council’s global constituents and response to market needs.

Over 50% of this feedback came from outside of the U.S., emphasizing the Council’s active international membership base.

The PCI SSC website supports translated pages and PCI materials including the new PCI DSS v3.0 and PA-DSS v3.0 in the following languages:

  • Chinese
  • French
  • German
  • Italian
  • Japanese
  • Portuguese
  • Russian
  • Spanish

“We continue to be encouraged by the growing participation from global stakeholders in PCI Standards development, said Jeremy King, international director, PCI Security Standards Council. “We’re optimistic that these translations will increase awareness and adoption of the standards and drive improved payment security.”

PCI Security Standards Council announces new board of advisors

The PCI Security Standards Council (PCI SSC), announced election results for the 2013-2015 PCI SSC Board of Advisors.

The Board will represent the PCI community by providing counsel to SSC leadership.

The Council’s more than 690 Participating Organizations selected individuals from the following organizations to represent their industry’s unique perspectives in the development of PCI Standards and other payment security initiatives:

  • Bank of America N.A.
  • Bankalararasi Kart Merkezi
  • Barclaycard
  • British Airways PLC
  • Carlson
  • Cartes Bancaires Cielo S.A.
  • Cisco
  • Citigroup Inc.
  • European Payment Council AISBL
  • FedEx
  • First Bank of Nigeria
  • First Data Merchant Services
  • Global Payments Inc.
  • Ingenico
  • Micros
  • Middle East Payment Systems
  • PayPal Inc.
  • Retail Solutions Providers Association
  • RSA, The Security Division of EMC
  • Starbucks Coffee Company
  • VeriFone Inc.
  • Wal-Mart Stores, Inc
  • Woolworths Limited

Board of Advisor members provide strategic and technical input to PCI SSC on specific areas of Council focus. Past board members have provided reach into key industry verticals and geographies to help raise awareness and adoption of PCI Standards; have shared their experience with implementing PCI Standards in presentations at the annual Community Meetings; and have contributed guidance on training product development and led Special Interest Groups (SIGs).

Active involvement from our Participating Organization base is critical to ensuring the PCI Standards remain at the front line for protection against threats to payment card data. Once again I am impressed by the turn out in the election process. It’s particularly encouraging to see new markets looking towards open global standards like the PCI Standards to help secure payment card data worldwide,” said Bob Russo, general manager, PCI Security Standards Council.

The Council and wider stakeholder community will benefit from the breadth of experiences and perspectives that this new board represents.” The board will support the Council’s mission to raise awareness and drive adoption of PCI Standards worldwide and will kick off its work in June with its first face-to-face meeting with Council management. “This year saw more European involvement than ever in the Board of Advisors election process. Although Europe contains mature EMV markets, this level of involvement in the PCI SSC confirms that the combination of PCI Standards and EMV chip is a powerful force for protecting payment card data,” said Jeremy King, European director, PCI Security Standards Council. “Our new board is a truly global group, and the Council will benefit greatly from its input as we continue to drive awareness and adoption of PCI Standards worldwide.

.

PCI Security Standards Council publishes card production security requirements

The PCI Security Standards Council (PCI SSC), has announced the publication of a standard for secure payment card production.

The standard consists of two sets of requirements:

  1. PCI Card Production Physical Security Requirements
  2. PCI Card Production Logical Security Requirements

Together, these documents provide card vendors with a comprehensive source of information describing the security requirements to follow for card production activities including card manufacture, chip embedding, magnet-stripe encoding, embossing, card personalization, chip initialization, chip personalization.

Formerly managed as separate requirements by each payment card brand, the Council aligned these requirements and solicited feedback from the PCI community to produce one set of criteria recognized across the industry. The resulting standard is designed to secure the components and sensitive data involved in the production of payment cards and protect against the fraudulent use of card materials.

It’s broken down into two core areas:

  1. Physical security requirements – for all card vendors, these requirements address the presence, movement, and accountability of a card, including tangible features such as the security of the premises, personnel access to secure areas, and CCTV surveillance.
  2. Logical security requirements – for card personalization vendors, these requirements address threats to the confidentiality of personalization data during data transfer, access, storage, and destruction; and all aspects associated with cryptographic key management, including the protection of issuer keys used in the personalization process.

The security requirements are available for immediate download here. Vendors should work with the individual card brands to confirm timing for when future security reviews must be performed against the new PCI Card Production Security Requirements.

In line with other PCI Standards, the requirements will be updated on a three-year lifecycle, based on feedback from the PCI community.

There are a lot of pieces involved in securely producing payment cards, from design all the way through delivery,” said Bob Russo, general manager, PCI Security Standards Council. “The publication of these requirements gives card vendors one set of criteria to follow, and as we’ve seen with our other standards, will help drive improved security across the payments chain

PCI SSC releases PCI DSS Cloud Computing Guidelines

The PCI Security Standards Council has published the PCI DSS Cloud Computing Guidelines Information Supplement, a product of the Cloud Special Interest Group (SIG).

The guide is an excellent introduction to the “cloud” and offers specific and helpful guidance on what to consider when processing payments involving the cloud as well as the storage of sensitive data.

One of cloud computing’s biggest strengths is its shared-responsibility model. However, this shared model can magnify the difficulties of architecting a secure computing environment,” said Chris Brenton, a PCI Cloud SIG contributor and director of security for CloudPassage. “One of this supplement’s greatest achievements is that it clearly defines the security responsibilities of the cloud provider and the cloud customer. With PCI DSS as the foundation, this guidance provides an excellent roadmap to crafting a secure posture in both private and public cloud. 

The PCI DSS Cloud Computing Guidelines Information Supplement builds on the work of the 2011 Virtualization SIG, while leveraging other industry standards to provide guidance around the following primary areas and objectives:

  • Cloud Overview – provides explanation of common deployment and service models for cloud environments, including how implementations may vary within the different types.
  • Cloud Provider/Cloud Customer Relationships– outlines different roles and responsibilities across the different cloud models and guidance on how to determine and document these responsibilities.
  • PCI DSS Considerations – provides guidance and examples to help determine responsibilities for individual PCI DSS requirements, and includes segmentation and scoping considerations.
  • PCI DSS Compliance Challenges– describes some of the challenges associated with validating PCI DSS compliance in a cloud environment.

The document also includes a number of appendices to address specific PCI DSS requirements and implementation scenarios, including: additional considerations to help determine PCI DSS responsibilities across different cloud service models; sample system inventory for cloud computing environments; sample matrix for documenting how PCI DSS responsibilities are assigned between cloud provider and client; and a starting set of questions that can help in determining how PCI DSS requirements can be met in a particular cloud environment.

Merchants who use or are considering use of cloud technologies in their cardholder data environment and any third-party service providers that provide cloud services or cloud products for merchants can benefit from this guidance. This document may also be of value for assessors reviewing cloud environments as part of a PCI DSS assessment.

At the Council, we always talk about payment security as a shared responsibility. And cloud is by nature shared, which means that it’s increasingly important for all parties involved to understand their responsibility when it comes to protecting this data,” said Bob Russo, general manager, PCI Security Standards Council. “It’s great to see this guidance come to fruition, and we’re excited to get it into the hands of merchants and other organizations looking to take advantage of cloud technology in a secure manner.

For a link to the full document please use my PCI Resources page here.

.

PCI SSC releases its PCI DSS E-commerce Security Guidelines

Hot on the heels of the ATM Guidelines the PCI SSC has released the PCI DSS E-commerce Guidelines Information Supplement. 

The guidelines are designed to help e-commerce merchants to decide on which technologies and third party service providers to choose.

The e-commerce Special Interest Groups (SIGs) helped put the guidelines together and that meant using their knowledge of the marketplace to produce an industry specific document. 

Take SQL injections as an example. This is not a new attack, and something we’ve known about in the industry for years. Yet it continues to be one of the most common methods by which e-commerce websites are compromised, said Bob Russo, general manager, PCI Security Standards Council. “This can be addressed through simple, prudent coding practices, but merchants often don’t know where to start. These guidelines will help them better understand their responsibilities and the kinds of questions they need to ask of their service providers. In the case of SQL injections, one of the most important items to request of an e-commerce service provider is a description of the security controls and methods it has in place to protect websites against these vulnerabilities.

The PCI DSS E-commerce Guidelines Information Supplement provides an introduction to e-commerce security and guidance around the following primary areas and objectives: 

  • E-commerce Overview – provides merchants and third parties with explanation of typical e-commerce components and common implementations and outlines high-level PCI DSS scoping guidance to be considered for each.
  •  Common Vulnerabilities in E-commerce Environments – educates merchants on vulnerabilities often found in web applications (such as e-commerce shopping carts) so they can emphasize security when developing or choosing e-commerce software and services.
  • Recommendations – provides merchants with best practices to secure their e-commerce environments, as well as list of recommended industry and PCI SSC resources to leverage in e-commerce security efforts.

 The document also includes two appendices to address specific PCI DSS requirements and implementation scenarios:

  1. PCI DSS Guidance for E-commerce Environments – provides high-level e-commerce guidance that corresponds to the main categories of PCI DSS requirements; includes chart to help organizations identify and document which PCI DSS responsibilities are those of the merchant and which are the responsibility of any e-commerce payment processor.
  2.  Merchant and Third-Party PCI DSS Responsibilities – for outsourced or “hybrid” e-commerce environments, includes sample checklist that merchants can use to identify which party is responsible for compliance and specify the details on the evidence of compliance.

E-commerce continues to be a target for attacks on card data, especially with EMV technology helping drive so much of the face-to-face fraud down in Europe and other parts of the world, said Jeremy King, European director, PCI Security Standards Council. “We are pleased with this guidance that will help merchants and others better understand how to secure this critical environment using the PCI Standards.

For a link to the full document please use my PCI Resources page here.

PCI SSC releases its Best practices to help prevent card data compromise at ATMs

The PCI SSC has released their latest supplement, the ATM Security Guidelines Information Supplement. 

The guidelines were developed to provide guidance to ATM manufacturers on how to prevent credit cards from being compromised. 

The ATM Industry Association’s (ATMIA) 2012 ATM Global fraud survey reveals that skimming remains the leading global threat to ATMs because criminals use stolen information to produce counterfeit cards for fraudulent transactions, primarily ATM cash withdrawals. 

Also see Europol reveals €1.5 Billion Euro in Credit Card Fraud, how it is stolen and why they struggle to catch the criminals  

Skimming and other types of attacks on ATMs continue to be top of mind for our constituents,” said Bob Russo, general manager, PCI Security Standards Council. “There are already some excellent resources out there that help with various pieces of ATM security. What this guidance does is pull together these different best practices into one comprehensive set, which is what our stakeholders have been asking for.

The guidance document provides an introduction to ATM security and outlines best practices around the following key areas and objectives:

  • Integration of hardware components to avert magnetic-stripe and other account data compromise and PIN stealing
  • Security of basic software to avert magnetic-stripe skimming and PIN stealing
  • Device management/operation to ensure adequate management of: ATM during manufacturing, ATM in storage of deployed ATM estates and ATM’s individual security configuration
  • ATM application management to address security aspects of the ATM application.

ATM manufacturers, hardware and software integrators, and deployers of ATMs can use this guidance to aid in the secure development, deployment and maintenance of ATMs. As with all PCI guidance documents the ATM Security Guidelines Information Supplement does not replace or supersede the PCI Standards, nor is it to be used as a set of security requirements for the formal certification of ATMs. The PTS POI security requirements provide for the testing and approval of encrypting PIN pads and secure readers used in ATMS for handling PIN and account data, and organizations should continue to use this standard to address these components of ATM security.

For a link to the full document please use my PCI Resources page here.

.

Feedback requested from PCI community on best practices to help prevent card data compromise at ATMs

The PCI SSC is seeking feedback from Participating Organizations (POs) on draft ATM security guidelines. The draft information supplement provides best practices to mitigate the effect of attacks to ATMs aimed at stealing PIN and account data, a direct response to stakeholder feedback for guidance on ATM security.

Participating Organizations have until November 13, 2012 to review and comment on the ATM Security Guidelines Information Supplement, which is slated for final publication later this year.

PIN and account data present in ATMs has become a growing target for criminals who use this stolen information to produce counterfeit cards for fraudulent transactions, primarily ATM cash withdrawals. Purchases with PIN at the point of sale and purchases without PIN in card-not-present environments are also other avenues of fraudulent card activity.

PCI Standards currently address ATM PIN pads, but not the ATM as a whole. In the absence of a global industry standard for securing ATMs, the Council has developed a set of compromise-prevention best practices based on existing standards from a number of industries, including IT, security, payment card and ATM that stakeholders can leverage in their ATM security efforts.

The draft ATM Security Guidelines Information Supplement provides an introduction to ATM security and outlines best practices that address the software, hardware and device components of the ATM. The intent is for the final document to guide ATM manufacturers, hardware and software integrators, and deployers of ATMs in the secure development, deployment and maintenance of ATMs.

We rely on industry feedback to develop PCI Standards and resources, said Bob Russo, general manager, PCI Security Standards Council. By sharing an early version of the guidelines with the PCI community, we re aiming to ensure these best practices reflect the key challenges and areas of concerns when it comes to addressing ATM security. Specifically, we encourage ATM manufacturers and software vendors to provide their input, as experts in the space and as those will be applying these guidelines in their everyday business.

.

PCI Security Standard Council releases summary of feedback on PCI standards

The Payment Card Industry Security Standards Council releases a summary of feedback from the PCI community on the PCI Security Standards. The document highlights key themes coming out of the Council’s formal feedback period on version 2.0 of the PCI DSS and PA-DSS, in preparation for the next release of the standards in October 2013.

As part of the open standards development process for the PCI DSS and PA-DSS, the PCI Security Standards Council (PCI SSC) solicits input on the standards from its global stakeholders through a variety of avenues, including a formal feedback period. More than half the input received during the formal feedback period originated from organizations outside of the United States.

This industry feedback drives the on-going development of strong technical standards for the protection of cardholder data, providing more than 650 Participating Organizations, including merchants, banks, processors, hardware and software developers, Board of Advisors, point-of-sale vendors, and the assessment community the opportunity to play an active role in the improvement of global payment security. Payment security stakeholders can use the summary document to better understand the Council’s approach to reviewing and categorizing the feedback, key trends and themes, and how the feedback is being addressed.

The feedback was received by the Council across the following five categories:

  1. Request change to existing requirement/testing procedures (34%)
  2. Request for clarification (27%)
  3. Request for additional guidance (19%)
  4. Feedback only – no change requested (12%)
  5. Request for new requirement/testing procedure (7%)

Over 90% of the feedback was on the PCI DSS, the foundation for the Council’s standards, with more than half specific to the following topics:

  • PCI DSS Requirement 11.2 – Suggestions include prescribing use of specific tools, requiring ASVs to perform internal scans, and defining what constitutes a “significant change”.
  • PCI DSS Scope of Assessment – Suggestions for detailed guidance on scoping and segmentation.
  • PCI DSS Requirement 12.8 – Suggestions include clarifying the terms “service provider” and “shared,” and providing more prescriptive requirements regarding written agreements that apply to service providers.
  • PCI DSS SAQs – Suggestions for updating the SAQs; they are either too complex or not detailed enough.
  • PCI DSS Requirement 3.4 – Suggestions for further clarification and guidance since encryption and key management are complex requirements, and truncation/hashing & tokenization is not a convenient method to store and retrieve data
  • PCI DSS Requirement 8.5 – Suggestions for updating password requirements, including expanding authentication beyond just passwords; current password requirements are either too strict or not strict enough, be either less prescriptive or more prescriptive.

These trends and other highlights are provided in the summary document, including main PA-DSS feedback themes, breakdowns of the types of organizations that participated and geographic regions represented.

“Industry feedback is the lifeblood of the PCI Standards,” said Bob Russo, general manager, PCI Security Standards Council. “As the PCI community continues to expand across industries and geographies, the Council relies on its expertise to drive the evolution of the standards. I want to personally thank all who have contributed to the on-going development of these critical resources for payment security.”

.

Guidance for merchants on how to securely accept mobile payments the PCI way

This has been coming for a while but finally the PCI SSC has published a fact sheet outlining how merchants can securely accept payments using mobile devices such as smartphones or tablets.

The “At a Glance: Mobile Payment Acceptance Security fact sheet” provides merchants with actionable recommendations on partnering with a Point-to-Point Encryption (P2PE) solution provider to securely accept payments and meet their PCI DSS compliance obligations.The ability to use smartphones and tablets as point-of-sale terminals to accept payments in place of traditional hardware terminals offers great flexibility. As mobile technology continues to change at a rapid pace, the Council continues to work with the industry to ensure data security remains at the forefront of mobile evolution.

This latest educational resource is the product of the Council’s Mobile Working Group and is the result of valuable input from leading merchants, vendors and organizations actively involved in the mobile payment acceptance industry. The document helps clarify and distill some of the more complex technology and security terminology into straightforward, practical guidance that can help merchants to:

  • Better understand their responsibilities under PCI DSS, and how they translate to mobile payment acceptance
  • Leverage the benefits of the Council’s recently published Point-to-Point Encryption (P2PE) standard and program
  • Choose a mobile payment acceptance solution that complements the merchant’s PCI DSS responsibilities, for example a P2PE solution provider

Using this resource to guide them in how PIN Transaction Security (PTS) and P2PE standards work together, merchants can better understand how to securely use external plug-in devices with smartphones or tablets to accept payment cards by first encrypting and securing the data at the point that the account data is captured. The smartphone or tablet has no ability to decrypt the data, thus simplifying PCI DSS scope for the merchant.

“We know merchants are eager to take advantage of their existing smartphones or tablets to accept payment cards,” said Bob Russo, general manager, PCI Security Standards Council. “And the Council and its stakeholders want to help the market to do this in a secure way. We’re excited about this easy-to-use reference that will help merchants understand how to use the suite of PCI Standards to enable their businesses while still keeping data security top of mind.”

As with all SSC fact sheets, this guidance does not replace or supersede any of the PCI Standards

The Council continues to work with the payments community to address mobile payment acceptance security and evaluate whether additional requirements are needed in this area. As part of this ongoing initiative, the Council plans to publish best practices for securing mobile transactions later this year.

“The PTS and P2PE standards are being leveraged by mobile solution providers today. With this fact sheet we hope to help merchants understand how these standards work and the options that are available to them for accepting mobile payments in a secure and PCI DSS compliant manner,” said Troy Leach, chief technology officer, PCI SSC.

The link to the At a Glance: Mobile Payment Acceptance Security fact sheet is here.

PCI Security Standards Council announces qualified integrators and resellers certification program

The PCI SSC quotes results from the Trustwave 2012 Global Security Report which states that 76% of the breaches they investigated were a result of security vulnerabilities introduced by a third party responsible for system support, development and/or maintenance of business environments.

Errors introduced during implementation, configuration and support of PA-DSS validated payment applications by third parties into merchant environments was identified as a significant risk to the security of cardholder data. Specifically, small businesses in the food and beverage industry that rely heavily on outsourcing are particularly vulnerable, as they made up the bulk of the compromises.

To help address this security challenge, merchants, acquirers, payment software vendors and card brands participated in a Council taskforce to evaluate market needs and make recommendations on how to address them. This included development of more guidance and best practices for integrators and resellers and a global list of PCI Council certified integrators and resellers.

The Qualified Integrators & Resellers (QIR) program will provide integrators and resellers that sell, install and/or service payment applications on behalf of software vendors or others the opportunity to receive specialized training and certification on the secure installation and maintenance of validated payment applications into merchant environments in a manner that supports PCI DSS compliance. The PCI SSC will maintain a global list of QIRs, ensuring merchants a trusted resource for selecting PCI approved partners. The PCI SSC will be offering training online in late summer 2012, and the validated list for merchants will be published on the PCI SSC website shortly thereafter. More details on the program, including eligibility requirements and training course information and costs will be made available soon. In the meantime, those interested in participating in the program can click here or email questions to qir@pcisecuritystandards.org.

“Product solutions that are a good fit for a PCI compliant organization need to be installed, configured, and managed properly to support PCI DSS,” said Diana Kelley, principal analyst at security IT research firm SecurityCurve. “Integrators and resellers need to understand what makes a solution effective for protecting cardholder data and the cardholder data environment in order to provide the most value to their customers. That’s why I think the new integrator and reseller certification and training for 2012 is a welcome addition to the Council’s comprehensive training offerings.”

“This program comes as a direct result of industry feedback and stakeholder requests for greater quality assurance and accountability around the secure installation of payment software,” said Bob Russo, general manager, PCI Security Standards Council. “Not only will it help integrators and resellers better understand how to address some of the basic security flaws we’re seeing that can be easily avoided, but it will also make it easier for merchants to have confidence in the services being provided to them. Retailers and franchise operators alike will have a go-to resource they can trust for making sure their applications and systems are being installed and maintained properly.”

Reproduced from the PCI SSC Press Release.

.

PCI Security Standards Council pushing for feedback as window starts to close

The Payments Security Council (PCI) Security Standards Council (PCI SSC) called upon its global constituents to submit feedback for development of the next version of the PCI Data Security Standard (DSS) and PA-DSS.

As part of the three-year life-cycle for standards development, the official feedback period, which opened in November 2011, will be closing on April 15, 2012.

To make it even easier to submit feedback, the process has been streamlined and simplified, with a readily accessible tool that can be accessed online at https://programs.pcissc.org/

“Feedback is the lifeblood of the standards development process,” said Bob Russo, general manager of the Council

“We’ve had great participation so far, but we want to ensure that the standards continue to be the most effective set of best practices against payment data breaches. We can only evolve these best practices through the experience and feedback of our stakeholders.”

.

PCI Security Standards Council invites industry input during next phase of standards development

 The PCI Security Standards Council has launched its formal feedback period on version 2.0 of the PCI DSS and PA-DSS, inviting Participating Organizations and assessors (QSAs) to provide suggestions and commentary on the development of the next PCI Standards.

The PCI Council works on a three-year lifecycle to update the PCI Standards. Feedback from Participating Organizations representing merchants, banks, processors, vendors, security assessors and those across the payment chain is the foundational element of this process. The feedback period takes place a full year after the new versions of the DSS and PA-DSS were released, giving organizations the opportunity to provide input based on their experiences in implementing the standards. As of December 31, 2011, version 1.2.1of the PCI DSS and PA-DSS is retired and all validation efforts for compliance must follow version 2.0.

Beginning today, PCI stakeholders can submit input through a new online tool that automates and makes feedback easier to supply. All feedback will be reviewed by the Council and included in discussion for the next iteration of the PCI Standards.

In the Council’s last feedback cycle, hundreds of comments were received, with more than 50 percent coming from outside the U.S.

 “With the Council’s Participating Organization base having grown substantially in Europe over the last year, and particularly with increased global representation on our Board of Advisors, we’re really looking forward to receiving input from our stakeholders around the world,” said Jeremy King, European Director, PCI Security Standards Council. “In a changing payments environment, it’s this input that will help us maintain a global standard that ensures the protection of cardholder data remains paramount.”

Feedback submissions will be grouped into three categories – Clarifications, Additional Guidance and Evolving Requirements – and shared for discussion with Participating Organizations and the assessment community at the 2012 PCI Community Meetings.

“Our community is made up of experts from across the payments chain, around the world and from organizations of every size, each dealing with different aspects of the PCI process,” said Bob Russo, general manager, PCI Security Standards Council. “We rely on their feedback and unique experiences to help us continually improve these standards for the protection of cardholder data.”

The online feedback tool can be accessed at online here.

.

PCI SSC updates PTS program for Encryption and Mobile

The PCI Security Standards Council have provided and update to the PIN Transaction Security Program for secure point-to-point encryption (P2PE) and mobile payment acceptance.

PTS 3.1 adds two new approval classes that facilitate the deployment of P2PE technology in payment card security efforts, building on the Secure Reading and Exchange of Data (SRED) module previously introduced in version 3.0 to support the secure encryption of account data at the point of interaction. Until now, the PIN Transaction Security program has applied to PIN acceptance devices only. With the release of version 3.1, requirements will expand for the first time to include protection of account data on devices that do not accept PIN, meaning any card acceptance device can now be PTS tested and approved and eligible to deploy point-to-point encryption technology.

Additionally, the requirements have been updated to address secure (encrypting) card readers (SCR), further facilitating the deployment of P2PE technology and the use of open platforms, such as mobile phones, to accept payments. Merchants looking to use magnetic stripe readers (MSRs) or MSR plug-ins now can ensure these devices have been tested and approved to encrypt data on the reader before it reaches the device.

The Council published a roadmap outlining its approach to point-to-point encryption technology in the cardholder data environment late last year and recently released the PCI Point-to-Point Encryption Requirements, the first set of validation requirements in its P2PE program. Findings from its initial examination of mobile payment acceptance applications in light of the PA-DSS were published in June, and in collaboration with industry experts in an SSC-led Mobile Taskforce, the Council aims to deliver further guidance by year’s end.

“We know how eager the market is to implement P2PE, said Bob Russo, general manager, PCI Security Standards Council.― By releasing these updated requirements now, merchants using any type of card acceptance device will have the ability to encrypt data at the point of interaction and ensure its protection. Additionally, we・ve opened the standard up to address mobile devices ・ another area of great interest to our stakeholders.”

The updated PTS Security program requirements and detailed listing of approved devices are available on the Council’s website.

There will be a session devoted to PTS program updates, including a dedicated question and answer forum, at the PCI Community Meeting taking place in London, England on October 17-19.

Additionally, the Council will host a Webinar for Participating Organizations and the public outlining the newest updates to the PIN Transaction Security program, followed by a live Q&A session.

To register for the November 8 session, please visit here.

To register for the November 10 session, please visit here.

For more details on PCI visit the PCI Resources page here.

.

Good news for Merchants as the PCI Security Standards Council releases Tokenization guidance

Information Security Wordle: PCI Data Security...
Image by purpleslog via Flickr

On August the 12th The Payment Card Industry Security Standards Council (PCI SSC) published guidelines to help Merchants and credit card processors take advantage of “Tokenization“.

The PCI SSC definition of Tokenization:  “Tokenization technology replaces a Primary Account Number (PAN) with a surrogate value called a “token”. Specific to PCI DSS, this involves substituting sensitive PAN values with non-sensitive token values, meaning a properly implemented Tokenization solution can reduce or remove the need for a merchant to retain PAN in their environment once the initial transaction has been processed.

Merchants are ultimately responsible for the proper implementation of any Tokenization solution they use, including its deployment and operation, and validation of its Tokenization environment as part of their annual Payment Card Industry Data Security Standard (PCI DSS) compliance assessment.

Organizations should carefully evaluate any solution before implementation to fully understand the potential impact to their CDE (Cardholder Data Environment). The paper helps guide merchants through this process by:

  • Outlining explicit scoping elements for consideration
  • Providing recommendations on scope reduction, the tokenization process itself, deployment and operation factors
  • Detailing best practices for selecting a tokenization solution Defining the domains, or areas that specific controls need to be applied and validated, where tokenization could potentially minimize the card data environment

This additional guidance also benefits tokenization service providers and assessors by informing them on how the technology can help their merchant customers limit or eliminate system components that process, store, or transmit Cardholder data, and reduce the scope of the CDE and thus the scope of a PCI DSS assessment.

“We’ve continued the process to investigate these technologies and ways that the community can use them to potentially increase the security of their PCI DSS efforts” said Bob Russo, general manager of the PCI Security Standards Council. “These specific guidelines provide a starting point for merchants when considering tokenization implementations. The Council will continue to evaluate tokenization and other technologies to determine the need for further guidance and/or requirements.”

Jeremy King, European director of the PCI SSC, said the process is challenging because not all cards have a 16-digit primary account number (PAN). Some Tokenization methods are more applicable than others according to the card in question. Some tokens try to preserve the format of the original PAN in order to maintain compatibility with internal processing applications, while other approaches may generate a new truncated or randomised number, King said.

Systems that allow you to get back to the PAN need to be properly protected, and are in scope,” King said.

Tokenisation can have a dramatic reduction on the requirements of PCI DSS. In simple terms if a Merchant has no credit card data stored the scope of PCI DSS is reduced.

For the majority of Merchants reducing the scope of PCI DSS by not storing Credit Card Data can mean the difference between a relatively simple Self Assessment Questionnaire (SAQ) e.g. SAQ A and the highly complex and extremely difficult SAQ D.

The PCI SSC Tokenization Information Supplement can be downloaded here.

.

Create a free website or blog at WordPress.com.

Up ↑

%d bloggers like this: