Eight Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data
Merchants are constantly seeking ways to simplify and reduce the scope of the Payment Card Industry’s Data Security Standard (PCI DSS) compliance by shrinking the footprint where cardholder data is located throughout their organization.
By reducing the scope, these merchants can dramatically lower the cost and anxiety of PCI DSS compliance and significantly increase the chance of achieving compliance, whether that is validated by an on-site audit or by a Self-Assessment Questionnaire (SAQ).
The White Paper “Eight Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data” explores the use of tokenization as a best practice in improving the security of credit card transactions, while at the same time minimising the cost and complexity of PCI DSS compliance by reducing audit scope.
The 8 Ways are
Centralized data vault
Tokens as data surrogates
Tokens as surrogates for masked data
No mathematical relationship between tokens and data values
One-to-one or one-to-many token/data relationships
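The properties in the list above are easiest to see in code. The following token vault is an added illustration, not the white paper's design or any vendor's product: tokens keep only the last four digits (so existing masked displays still work on the token alone), the rest of the token comes from a CSPRNG so there is no mathematical relationship to the PAN, and the vault can run one-to-one or one-to-many. The class and function names and the sample PANs are assumptions made for the example.

```python
"""Illustrative token vault (added example, not the white paper's design)."""
import secrets
from typing import Dict, Optional

# Constructed test PANs (industry test numbers, not real cards).
SAMPLE_PANS = ["4111111111111111", "5500000000000004"]


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps PANs to random surrogate tokens. The vault is the only place the
    PAN exists, so systems that only ever see tokens can drop out of scope."""

    def __init__(self, one_to_one: bool = True) -> None:
        # one_to_one=True : a given PAN always maps to the same token
        #                   (repeat-customer analytics keep working).
        # one_to_one=False: every call yields a fresh token, so two tokens
        #                   cannot be correlated to the same card.
        self.one_to_one = one_to_one
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a well-formed PAN")
        if self.one_to_one and pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random leading digits from a CSPRNG: nothing about the PAN is
            # derivable from the token. The last four digits are preserved.
            prefix = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = prefix + pan[-4:]
            # Reject tokens that would pass Luhn, so PAN discovery scanners do
            # not mistake stored tokens for live card numbers; reject collisions.
            if not luhn_ok(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        if self.one_to_one:
            self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str, authorized: bool) -> Optional[str]:
        """Mapping back is a privileged vault operation; unauthorized callers
        get an error, never a PAN."""
        if not authorized:
            raise PermissionError("detokenization not permitted for this caller")
        return self._token_to_pan.get(token)


def masked(value: str) -> str:
    """Last-four-only display form; works identically on a PAN or its token."""
    return "*" * (len(value) - 4) + value[-4:]


if __name__ == "__main__":
    vault = TokenVault(one_to_one=True)
    for pan in SAMPLE_PANS:
        tok = vault.tokenize(pan)
        print(masked(pan), "->", tok, "stable:", vault.tokenize(pan) == tok)
```

Because the token deliberately fails the Luhn check, a PAN discovery scan of a tokenized database will not report false positives; because detokenization is gated, the vault itself is the only component that needs the full set of PCI DSS controls for stored cardholder data.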
As we enter the busiest period of credit card spending, it is probably a good time for a bit of last-minute housekeeping to ensure your business is meeting the Payment Card Industry Data Security Standard (PCI DSS), or as much of it as you can.
First things first: DO NOT STORE CREDIT CARDS unless you really, really have to.
If you know you are unnecessarily storing card numbers, delete them, and delete them with a secure deletion tool so there is no way they can come back to haunt you.
If you have to retain cardholder data, make sure the primary account numbers (PANs) are encrypted, and never, ever store the card verification code (CVV2/CVC2/CID) after authorization: it is sensitive authentication data and may not be stored even in encrypted form. As a short-term fix, to get you through the next couple of weeks, encrypt the hard drives that hold the data (bearing in mind that disk encryption alone does not satisfy requirement 3.4 unless decryption is controlled independently of the operating system's native access controls), and put in a plan to have effective credit card encryption and tokenization in place for early 2012. For a better understanding of how tokenization can help you reduce the risks and the scope of PCI DSS, download the white paper “Eight Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data” here.
Check to see whether there are card numbers being stored that you do not know about. In a recent survey SecurityMetrics found an “8 Percent Increase of Unencrypted Cards”; read the press release here. There are some excellent scanning tools that will search your network and devices for stored card numbers, so that you can then decide whether to delete or secure them.
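The discovery step above is simple enough to script. The scanner below is an added example, not any vendor's tool: it finds 13 to 19 digit runs (optionally separated by spaces or dashes), keeps only candidates that pass the Luhn check, flags a card verification code logged on the same line as sensitive authentication data, and reports every hit masked to first six and last four so the scan report does not itself become another clear-text PAN store. The function names, regular expressions and sample log lines are constructed for the example.

```python
"""PAN discovery over text and files (added example, not a product's scanner)."""
import os
import re
from typing import Iterator, List, NamedTuple

# Candidate: 13-19 digits with at most one space or dash between digits,
# not glued to other digits on either side.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A verification code next to the PAN is sensitive authentication data and
# must never be stored after authorization; flag it as well.
_CVV_NEARBY = re.compile(r"\b(?:cvv2?|cvc2?|cid|cv2)\s*[=:]\s*\d{3,4}", re.I)


class Hit(NamedTuple):
    source: str
    line_no: int
    masked_pan: str
    cvv_present: bool


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters out tracking numbers and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """First six and last four at most, the maximum PCI DSS 3.3 allows on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str, source: str = "<text>") -> List[Hit]:
    hits: List[Hit] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                hits.append(Hit(source, line_no, mask(digits), bool(_CVV_NEARBY.search(line))))
    return hits


def scan_file(path: str) -> List[Hit]:
    with open(path, "rb") as fh:
        # latin-1 never fails to decode, so binary dumps and logs both scan.
        return scan_text(fh.read().decode("latin-1"), source=path)


def scan_tree(root: str) -> Iterator[Hit]:
    """Walk a directory tree; each Hit carries the file path and line number."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            yield from scan_file(os.path.join(dirpath, name))


# Constructed sample log lines (test card numbers, not real cards).
SAMPLE_LOG = """\
2011-11-21 10:02:11 order=8813 card=4111 1111 1111 1111 exp=12/14 cvv=123
2011-11-21 10:02:12 order=8814 tracking=1234567890123456
2011-11-21 10:02:13 order=8815 card=5500-0000-0000-0004 amount=19.99
2011-11-21 10:02:14 order=8816 phone=+44 20 7946 0958
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_LOG, "sample.log"):
        print(hit)
```

On the sample, line 1 is reported with the CVV flag set, line 3 is reported without it, the 16-digit tracking number on line 2 is dropped by the Luhn filter, and the phone number never reaches 13 digits. Run `scan_tree` over application, log and backup directories; anything it finds in a place you did not expect is the "cards you do not know about" the survey refers to.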
You now need to revisit version 2.0 of the Payment Card Industry Data Security Standard to ensure you are meeting as much of the standard as possible. The best place to start is with the PCI DSS Prioritized Approach (find it here). The Prioritized Approach will ensure the efforts you make are directed towards the most important areas with the quickest wins.
The Prioritized Approach consists of six key milestones, and merchants are advised to start with number 1.
Milestone 1 Remove Sensitive Authentication Data and limit data retention
Milestone 2 Protect the perimeter, internal, and wireless networks
Milestone 3 Secure payment card applications (e.g. PA DSS approved)
Milestone 4 Monitor and control access to your systems
Milestone 5 Protect stored cardholder data
Milestone 6 Finalize remaining compliance efforts, and ensure all controls are in place
Another reason to revisit your PCI DSS posture is revealed in Verizon’s 2011 report on PCI compliance, which finds that many organisations lose sight of compliance after their initial compliance activity. Some specific findings from the report are below:
21 % of organizations were fully compliant at the time of their Initial Report on Compliance (IROC)
On average, organisations met 78% of the test procedures at the IROC stage
20% of organizations passed less than half of the PCI DSS requirements
The PCI Security Standards Council (PCI SSC) has announced that the Council is expanding the PTS standards to encompass the PCI PIN Security Requirements, formerly administered by Visa and MasterCard, to provide organizations with one set of criteria for the protection of PIN data.
After officially taking over management of the requirements earlier this year, the PCI SSC solicited feedback from the PCI community to make updates to the standard. Today’s release contains a complete set of requirements for the secure management, processing and transmission of personal identification number (PIN) data at ATMs, and at attended and unattended point-of-sale (POS) terminals. The PIN Security Requirements will be included in the current PTS security requirements.
The updated PTS program requirements and detailed listing of approved devices are available on the Council’s website here.
“Point of sale continues to be a security hotspot as criminals are using more advanced techniques to steal PIN and cardholder data,” said Bob Russo, general manager of the PCI Security Standards Council. “The requirements are specifically geared toward protecting not just the devices that accept PINs but also the people and processes surrounding them.”
The PCI PIN Security Requirements provide one set of criteria for the protection of personal identification number (PIN) data. For merchants, examples of common vulnerabilities for PIN theft that the requirements address include:
PINs that are not protected by a secure PIN block
Failure to use approved cryptographic devices for PIN processing
Cryptographic keys that are non-random, not unique, and never change
Few, if any documented PIN-protection procedures
Audit trails or logs that are not maintained
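The first item in that list, a PIN that is not protected by a secure PIN block, is worth making concrete. The code below is an added example and not part of the Council's requirements, which do not name a block format; ISO 9564-1 format 0, the most common one, is assumed here. A format 0 block XORs the PIN field with the rightmost twelve PAN digits (check digit excluded), so the same PIN gives a different block for every card and a block captured for one card cannot be replayed for another. The clear block must only ever exist inside the PIN entry device or HSM, where it is immediately encrypted under a PIN encryption key; that encryption step is outside this example. Function names and the test PIN and PAN are constructed for the illustration.

```python
"""ISO 9564-1 format 0 PIN block formation and decoding (added example)."""


def _pin_field(pin: str) -> str:
    if not (pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4-12 digits")
    # Control nibble 0, PIN length nibble (4..C), PIN digits, then F padding.
    return f"0{len(pin):X}{pin}".ljust(16, "F")


def _pan_field(pan: str) -> str:
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("PAN must be 13-19 digits")
    # Four zero nibbles, then the twelve rightmost digits excluding the check digit.
    return "0000" + pan[:-1][-12:]


def iso0_pin_block(pin: str, pan: str) -> str:
    """Return the clear format 0 PIN block as 16 uppercase hex characters.

    In a real PED this value is formed and encrypted inside the secure
    cryptographic device; it must never appear in application memory or logs.
    """
    pin_int = int(_pin_field(pin), 16)
    pan_int = int(_pan_field(pan), 16)
    return f"{pin_int ^ pan_int:016X}"


def iso0_decode(block_hex: str, pan: str) -> str:
    """Recover the PIN from a clear block. The PAN binding means a block
    decoded against the wrong PAN fails validation instead of yielding a PIN."""
    field = f"{int(block_hex, 16) ^ int(_pan_field(pan), 16):016X}"
    if field[0] != "0":
        raise ValueError("not a format 0 block")
    length = int(field[1], 16)
    pin = field[2:2 + length]
    padding_ok = set(field[2 + length:]) <= {"F"}
    if not (4 <= length <= 12 and pin.isdigit() and padding_ok):
        raise ValueError("block does not decode to a valid PIN for this PAN")
    return pin


if __name__ == "__main__":
    # Constructed test values: PIN 1234, PAN 4000001234567899.
    block = iso0_pin_block("1234", "4000001234567899")
    print(block)                                      # 041234FEDCBA9876
    print(iso0_decode(block, "4000001234567899"))     # 1234
```

With PIN 1234 and PAN 4000001234567899 the PIN field is 041234FFFFFFFFFF, the PAN field is 0000000123456789, and the block is 041234FEDCBA9876. Decoding that block against a different PAN corrupts the F padding and is rejected, which is exactly the property a merchant loses when PINs are handled as bare digits rather than as PAN-bound blocks.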
“With this addition to the PTS requirements, we hope to strengthen POS security at merchants around the globe,” noted Russo.
The Council will also host a Webinar for Participating Organizations and the public outlining the newest updates to the PIN Transaction Security program, including the PIN Security Requirements, followed by a live Q&A session.
The PCI Security Standards Council has launched its formal feedback period on version 2.0 of the PCI DSS and PA-DSS, inviting Participating Organizations and assessors (QSAs) to provide suggestions and commentary on the development of the next PCI Standards.
The PCI Council works on a three-year lifecycle to update the PCI Standards. Feedback from Participating Organizations representing merchants, banks, processors, vendors, security assessors and others across the payment chain is the foundational element of this process. The feedback period takes place a full year after the new versions of the DSS and PA-DSS were released, giving organizations the opportunity to provide input based on their experiences in implementing the standards. As of December 31, 2011, version 1.2.1 of the PCI DSS and PA-DSS is retired and all validation efforts for compliance must follow version 2.0.
Beginning today, PCI stakeholders can submit input through a new online tool that automates and makes feedback easier to supply. All feedback will be reviewed by the Council and included in discussion for the next iteration of the PCI Standards.
In the Council’s last feedback cycle, hundreds of comments were received, with more than 50 percent coming from outside the U.S.
“With the Council’s Participating Organization base having grown substantially in Europe over the last year, and particularly with increased global representation on our Board of Advisors, we’re really looking forward to receiving input from our stakeholders around the world,” said Jeremy King, European Director, PCI Security Standards Council. “In a changing payments environment, it’s this input that will help us maintain a global standard that ensures the protection of cardholder data remains paramount.”
Feedback submissions will be grouped into three categories – Clarifications, Additional Guidance and Evolving Requirements – and shared for discussion with Participating Organizations and the assessment community at the 2012 PCI Community Meetings.
“Our community is made up of experts from across the payments chain, around the world and from organizations of every size, each dealing with different aspects of the PCI process,” said Bob Russo, general manager, PCI Security Standards Council. “We rely on their feedback and unique experiences to help us continually improve these standards for the protection of cardholder data.”
The online feedback tool can be accessed online here.
The PCI Security Standards Council has provided an update to the PIN Transaction Security program for secure point-to-point encryption (P2PE) and mobile payment acceptance.
PTS 3.1 adds two new approval classes that facilitate the deployment of P2PE technology in payment card security efforts, building on the Secure Reading and Exchange of Data (SRED) module previously introduced in version 3.0 to support the secure encryption of account data at the point of interaction. Until now, the PIN Transaction Security program has applied to PIN acceptance devices only. With the release of version 3.1, requirements will expand for the first time to include protection of account data on devices that do not accept PIN, meaning any card acceptance device can now be PTS tested and approved and eligible to deploy point-to-point encryption technology.
Additionally, the requirements have been updated to address secure (encrypting) card readers (SCR), further facilitating the deployment of P2PE technology and the use of open platforms, such as mobile phones, to accept payments. Merchants looking to use magnetic stripe readers (MSRs) or MSR plug-ins now can ensure these devices have been tested and approved to encrypt data on the reader before it reaches the device.
The Council published a roadmap outlining its approach to point-to-point encryption technology in the cardholder data environment late last year and recently released the PCI Point-to-Point Encryption Requirements, the first set of validation requirements in its P2PE program. Findings from its initial examination of mobile payment acceptance applications in light of the PA-DSS were published in June, and in collaboration with industry experts in an SSC-led Mobile Taskforce, the Council aims to deliver further guidance by year’s end.
“We know how eager the market is to implement P2PE,” said Bob Russo, general manager, PCI Security Standards Council. “By releasing these updated requirements now, merchants using any type of card acceptance device will have the ability to encrypt data at the point of interaction and ensure its protection. Additionally, we’ve opened the standard up to address mobile devices, another area of great interest to our stakeholders.”
The updated PTS Security program requirements and detailed listing of approved devices are available on the Council’s website.
There will be a session devoted to PTS program updates, including a dedicated question and answer forum, at the PCI Community Meeting taking place in London, England on October 17-19.
Additionally, the Council will host a Webinar for Participating Organizations and the public outlining the newest updates to the PIN Transaction Security program, followed by a live Q&A session.
To register for the November 8 session, please visit here.
To register for the November 10 session, please visit here.
For more details on PCI visit the PCI Resources page here.
New requirements focus on hardware-based solutions and support optional scope reduction efforts in a secure, PCI DSS compliant environment
The PCI Security Standards Council (PCI SSC), a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (PCI DSS), PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS), today announced availability of the first set of validation requirements of its point-to-point encryption program. The PCI Point-to-Point Encryption Solution Requirements document provides requirements for vendors, assessors and merchants that wish to build and implement hardware-based point-to-point encryption solutions that support PCI DSS compliance and offer scope reduction for merchants. Hardware-based P2PE solutions use secure cryptographic devices for both encryption and decryption: encryption at the point of merchant acceptance, and decryption within Hardware Security Modules (HSMs).
The PCI Security Standards Council recognizes the potential for new technologies to reduce scope for PCI DSS assessments and provide new ways of securely handling cardholder data. This new document for vendors, assessors and solution providers that play a role in developing, implementing or assessing products, defines requirements for applicable point-to-point encryption (P2PE) solutions, with the goal of reducing the scope of the PCI DSS assessment for merchants using such solutions. Merchants themselves will also find the document a useful resource for understanding more about P2PE and PCI DSS scope. The new requirements do not supersede the PCI Data Security Standard, nor is a merchant mandated to use P2PE technology.
However, merchants interested in this technology are encouraged to consult with the Council’s listing of validated P2PE solutions, targeted for spring 2012, to choose a secure solution that will support compliance with PCI Standards. The new requirements document includes information on:
Roles and responsibilities in validating, implementing and assessing hardware based P2PE solutions
Six critical domains of hardware-based P2PE, covering the encryption device and environment, application security, transmission, decryption and key management
Steps required to create and validate a P2PE solution
Visual representations of a typical implementation
Interrelation between P2PE validation requirements and other PCI Standards such as PTS Point of Interaction (POI), PCI PIN, PA-DSS and PCI DSS
The hardware-based requirements incorporate many requirements and principles covering both physical and logical security that will be familiar to users of other PCI Standards. Requirements focus on securing systems and devices, implementing monitoring and response processes, developing and maintaining secure applications, protecting sensitive data, and using secure cryptographic key management methodologies.
“This is a solid first step in recognizing one popular type of deployment of P2PE solutions,” said Bob Russo, general manager, PCI Security Standards Council. “These P2PE requirements will help vendors, assessors, and merchants that are choosing to use hardware-based versions of the technology to build, assess and implement P2PE solutions securely. If implemented in accordance with PCI requirements, P2PE solutions can significantly reduce a merchant’s card data environment, mitigate potential breaches and simplify PCI DSS validation efforts.”
Following the release of this first document the Council will introduce the associated testing procedures before the end of 2011. In addition, the Council will detail training opportunities for assessors and provide a listing of validated solutions on the PCI SSC website in spring 2012. As recently outlined in our program update, additional phases of the point-to-point encryption program this year will focus on requirements for solutions that combine hardware-based encryption and decryption through secure cryptographic devices with software that may manage transaction-level cryptographic keys for decryption. The Council will also continue to explore the development of requirements for pure software solutions that encrypt cardholder data at the point of merchant acceptance, and/or decrypt cardholder data at a host system. Pure software solutions may use software to conduct encryption and decryption, performing cryptographic key management of both the master and transaction keys.
In advance of the annual PCI Community Meeting, the Council celebrates more than 100 European companies as key contributors to the ongoing development of the PCI Standards.
The PCI Security Standards Council (PCI SSC), a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (PCI DSS), PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS), today announced a milestone in ongoing momentum and global participation – more than 100 European companies are now PCI Participating Organizations, promising a strong showing for this year’s PCI European Community Meeting on October 17-19, 2011, in London, England.
The Council is made up of more than 600 global Participating Organizations (POs) worldwide. Continual global involvement not only benefits stakeholder organizations but also the larger payment security community, by ensuring the diverse and unique industry and geographic perspectives of those across the payment chain are represented in the work of the Council.
European participation – including merchants, financial institutions and processors from around the continent – has been a key factor in the Council’s analysis and guidance on technologies in the payment environment, such as call center recording technologies and EMV, as well as the development of critical resources like the Prioritized Approach framework.
This year, Participating Organizations also elected a new Board of Advisors, with 7 of the 21 seats being represented by European companies, a testimony to the growing European involvement in the Council and the work and collaboration that is taking place in Europe to drive payment security forward.
“As a member of the Council since 2007, we are pleased to see the growing awareness around payment security in the UK and European regions over the last few years,” said PCI SSC Board of Advisors member Philip Morton, information security compliance manager, British Airways. “We are excited to bring our geographic and industry perspectives to the Council in serving on the Board this term and working with the PCI community to continue to drive increased protection of cardholder data in Europe and globally.”
Twenty-five percent of the growth among European POs has occurred in the last year, since the Council brought on European Director Jeremy King to concentrate PCI efforts in the region. This number has more than tripled since the first year of the Council’s existence.
“Counter to those who suggested that the issue of PCI Standards and global card security were U.S. centric initiatives, our ongoing growth in participation in Europe illustrates the increase in awareness, focus and feedback we are achieving globally,” said Jeremy King, European director, PCI Security Standards Council. “I am very excited about the growing number of European-based organizations who will join us at this year’s European Community Meeting. As we kick off our feedback period for the PCI Standards, I look forward to engaging this core group of stakeholders in our global standards lifecycle process. Together, these organizations will help influence the Council’s agenda and the direction and evolution of the PCI Standards in the coming years.”