
Brian Pennington

A blog about Cyber Security & Compliance

Tag: PCI Security Standards Council

PCI Council collaborates with industry to speed secure chip card acceptance for merchants

The PCI Security Standards Council has announced that it will join with the Payments Security Taskforce and EMV Migration Forum to launch the U.S. EMV VAR Qualification Program, a chip education curriculum and accreditation initiative that will help merchants and their partners securely implement chip card solutions.

The U.S. EMV VAR Qualification Program aims to streamline and simplify the testing and certification process for Value Added Resellers (VARs) and Independent Software Vendors (ISVs), helping them securely implement chip card solutions for their merchant customers in advance of the 2015 liability milestone.

The optional program consists of three central elements:

  1. An educational curriculum from the EMV Migration Forum that provides a clear understanding of chip technology for payment cards in the U.S. market
  2. A listing on the PCI Security Standards Council website of all service providers independently accredited by the major payment networks to provide chip recommendations and implementation
  3. A pre-qualification process run by the accredited service providers to help VARs and ISVs begin the implementation process before they work with acquirers for final certification

“We heard from the acquirer community that there was a limitation on the time and resources available to help the VAR community best prepare for the broad adoption of chip,” said PCI SSC Chairperson Bruce Rutherford. “This coordinated effort across all industry players will help eliminate the bottleneck and speed the certification of smaller merchants’ chip card acceptance efforts.”

Added PCI SSC General Manager Stephen W. Orfei, “We’re pleased to partner with the Payment Security Taskforce and the EMV Migration Forum in this important initiative to drive adoption of EMV chip technology in the U.S., a critical security layer that when combined with PCI Standards as a layered approach will help organizations better protect their customers’ valuable payment card data.”

The coordinated effort will begin with the launch of educational resources for the VAR and ISV communities to establish an understanding of chip technology, including targeted webinars and self-service web portals on how to build a business case for chip, an overview of a chip card transaction and how to navigate the testing and certification process.

Each VAR will then have the ability to pre-qualify its payment solution for each of the major payment networks with an accredited service provider based on its knowledge of chip technology, and work with its acquirer to receive a final certification of the solutions a merchant would need to use to process a chip card transaction.

Details of the education programme can be found here.

Details of the pre-qualification process can be found here.

PCI Security Standards Council announces new board of advisors

The PCI Security Standards Council (PCI SSC) has announced the election results for the 2013-2015 PCI SSC Board of Advisors.

The Board will represent the PCI community by providing counsel to SSC leadership.

The Council’s more than 690 Participating Organizations selected individuals from the following organizations to represent their industry’s unique perspectives in the development of PCI Standards and other payment security initiatives:

  • Bank of America N.A.
  • Bankalararasi Kart Merkezi
  • Barclaycard
  • British Airways PLC
  • Carlson
  • Cartes Bancaires
  • Cielo S.A.
  • Cisco
  • Citigroup Inc.
  • European Payment Council AISBL
  • FedEx
  • First Bank of Nigeria
  • First Data Merchant Services
  • Global Payments Inc.
  • Ingenico
  • Micros
  • Middle East Payment Systems
  • PayPal Inc.
  • Retail Solutions Providers Association
  • RSA, The Security Division of EMC
  • Starbucks Coffee Company
  • VeriFone Inc.
  • Wal-Mart Stores, Inc.
  • Woolworths Limited

Board of Advisor members provide strategic and technical input to PCI SSC on specific areas of Council focus. Past board members have provided reach into key industry verticals and geographies to help raise awareness and adoption of PCI Standards; have shared their experience with implementing PCI Standards in presentations at the annual Community Meetings; and have contributed guidance on training product development and led Special Interest Groups (SIGs).

“Active involvement from our Participating Organization base is critical to ensuring the PCI Standards remain at the front line for protection against threats to payment card data. Once again I am impressed by the turn out in the election process. It’s particularly encouraging to see new markets looking towards open global standards like the PCI Standards to help secure payment card data worldwide,” said Bob Russo, general manager, PCI Security Standards Council.

“The Council and wider stakeholder community will benefit from the breadth of experiences and perspectives that this new board represents.” The board will support the Council’s mission to raise awareness and drive adoption of PCI Standards worldwide and will kick off its work in June with its first face-to-face meeting with Council management. “This year saw more European involvement than ever in the Board of Advisors election process. Although Europe contains mature EMV markets, this level of involvement in the PCI SSC confirms that the combination of PCI Standards and EMV chip is a powerful force for protecting payment card data,” said Jeremy King, European director, PCI Security Standards Council. “Our new board is a truly global group, and the Council will benefit greatly from its input as we continue to drive awareness and adoption of PCI Standards worldwide.”


PCI Security Standards Council publishes card production security requirements

The PCI Security Standards Council (PCI SSC) has announced the publication of a standard for secure payment card production.

The standard consists of two sets of requirements:

  1. PCI Card Production Physical Security Requirements
  2. PCI Card Production Logical Security Requirements

Together, these documents provide card vendors with a comprehensive source of information describing the security requirements to follow for card production activities, including card manufacture, chip embedding, magnetic-stripe encoding, embossing, card personalization, chip initialization and chip personalization.

These requirements were formerly managed separately by each payment card brand; the Council aligned them and solicited feedback from the PCI community to produce one set of criteria recognized across the industry. The resulting standard is designed to secure the components and sensitive data involved in the production of payment cards and protect against the fraudulent use of card materials.

The standard is broken down into two core areas:

  1. Physical security requirements – for all card vendors, these requirements address the presence, movement, and accountability of a card, including tangible features such as the security of the premises, personnel access to secure areas, and CCTV surveillance.
  2. Logical security requirements – for card personalization vendors, these requirements address threats to the confidentiality of personalization data during data transfer, access, storage, and destruction; and all aspects associated with cryptographic key management, including the protection of issuer keys used in the personalization process.

The security requirements are available for immediate download here. Vendors should work with the individual card brands to confirm timing for when future security reviews must be performed against the new PCI Card Production Security Requirements.

In line with other PCI Standards, the requirements will be updated on a three-year lifecycle, based on feedback from the PCI community.

“There are a lot of pieces involved in securely producing payment cards, from design all the way through delivery,” said Bob Russo, general manager, PCI Security Standards Council. “The publication of these requirements gives card vendors one set of criteria to follow, and as we’ve seen with our other standards, will help drive improved security across the payments chain.”

PCI SSC releases PCI DSS Cloud Computing Guidelines

The PCI Security Standards Council has published the PCI DSS Cloud Computing Guidelines Information Supplement, a product of the Cloud Special Interest Group (SIG).

The guide is an excellent introduction to the “cloud” and offers specific and helpful guidance on what to consider when processing payments involving the cloud as well as the storage of sensitive data.

“One of cloud computing’s biggest strengths is its shared-responsibility model. However, this shared model can magnify the difficulties of architecting a secure computing environment,” said Chris Brenton, a PCI Cloud SIG contributor and director of security for CloudPassage. “One of this supplement’s greatest achievements is that it clearly defines the security responsibilities of the cloud provider and the cloud customer. With PCI DSS as the foundation, this guidance provides an excellent roadmap to crafting a secure posture in both private and public cloud.”

The PCI DSS Cloud Computing Guidelines Information Supplement builds on the work of the 2011 Virtualization SIG, while leveraging other industry standards to provide guidance around the following primary areas and objectives:

  • Cloud Overview – provides an explanation of common deployment and service models for cloud environments, including how implementations may vary within the different types.
  • Cloud Provider/Cloud Customer Relationships – outlines different roles and responsibilities across the different cloud models and guidance on how to determine and document these responsibilities.
  • PCI DSS Considerations – provides guidance and examples to help determine responsibilities for individual PCI DSS requirements, and includes segmentation and scoping considerations.
  • PCI DSS Compliance Challenges – describes some of the challenges associated with validating PCI DSS compliance in a cloud environment.

The document also includes a number of appendices to address specific PCI DSS requirements and implementation scenarios, including: additional considerations to help determine PCI DSS responsibilities across different cloud service models; sample system inventory for cloud computing environments; sample matrix for documenting how PCI DSS responsibilities are assigned between cloud provider and client; and a starting set of questions that can help in determining how PCI DSS requirements can be met in a particular cloud environment.

Merchants who use or are considering use of cloud technologies in their cardholder data environment and any third-party service providers that provide cloud services or cloud products for merchants can benefit from this guidance. This document may also be of value for assessors reviewing cloud environments as part of a PCI DSS assessment.

“At the Council, we always talk about payment security as a shared responsibility. And cloud is by nature shared, which means that it’s increasingly important for all parties involved to understand their responsibility when it comes to protecting this data,” said Bob Russo, general manager, PCI Security Standards Council. “It’s great to see this guidance come to fruition, and we’re excited to get it into the hands of merchants and other organizations looking to take advantage of cloud technology in a secure manner.”

For a link to the full document please use my PCI Resources page here.


PCI SSC’s insights on mobile, encryption and payment security following the North American community meeting

Following the sixth annual North American Community Meeting in Orlando, Florida, which was attended by over 1,000 stakeholders representing 460 organizations from 17 countries, the PCI SSC summarised the key discussion topics as:

  • Feedback on the standards in preparation for the release of the next version of the PCI DSS and PA-DSS in 2013
  • New guidance on secure mobile payment acceptance application development
  • Updates to the Council’s Point-to-Point Encryption (P2PE) program
  • Newly released guidelines for ATM security
  • The Council’s new training programs and professional qualifications
  • Updates from PCI Special Interest Groups on cloud, eCommerce and risk assessment

“The Community Meetings play an important part in bringing together PCI stakeholders to discuss the latest payment card security efforts, and we’re encouraged to see the continued growth of interest and participation in this initiative,” said Bob Russo, general manager, PCI Security Standards Council. “Gaining the feedback from our Participating Organizations is absolutely vital for us to develop new guidance on key topics such as mobile payment acceptance and ATM security, as well as in the on-going improvement of the PCI Standards. The input and discussion at this year’s meetings are especially important as we look to introduce the next version of the PCI Standards in 2013.”

“It is important for us to meet face-to-face with our stakeholders, not only to update them on the most recent developments, but also to have one-on-one interactions and personal conversations on the issues that matter most to them,” said Jeremy King, European director, PCI Security Standards Council. “We look forward to seeing more of our global counterparts in Dublin for the European Community Meeting on October 22-24, 2012.”

See you in Dublin next month.

PCI Security Standards Council announces qualified integrators and resellers certification program

The PCI SSC quotes results from the Trustwave 2012 Global Security Report which states that 76% of the breaches they investigated were a result of security vulnerabilities introduced by a third party responsible for system support, development and/or maintenance of business environments.

Errors introduced by third parties during the implementation, configuration and support of PA-DSS validated payment applications in merchant environments were identified as a significant risk to the security of cardholder data. Specifically, small businesses in the food and beverage industry that rely heavily on outsourcing are particularly vulnerable, as they made up the bulk of the compromises.

To help address this security challenge, merchants, acquirers, payment software vendors and card brands participated in a Council taskforce to evaluate market needs and make recommendations on how to address them. This included development of more guidance and best practices for integrators and resellers and a global list of PCI Council certified integrators and resellers.

The Qualified Integrators & Resellers (QIR) program will provide integrators and resellers that sell, install and/or service payment applications on behalf of software vendors or others the opportunity to receive specialized training and certification on the secure installation and maintenance of validated payment applications into merchant environments in a manner that supports PCI DSS compliance. The PCI SSC will maintain a global list of QIRs, ensuring merchants a trusted resource for selecting PCI approved partners. The PCI SSC will be offering training online in late summer 2012, and the validated list for merchants will be published on the PCI SSC website shortly thereafter. More details on the program, including eligibility requirements and training course information and costs will be made available soon. In the meantime, those interested in participating in the program can click here or email questions to qir@pcisecuritystandards.org.

“Product solutions that are a good fit for a PCI compliant organization need to be installed, configured, and managed properly to support PCI DSS,” said Diana Kelley, principal analyst at security IT research firm SecurityCurve. “Integrators and resellers need to understand what makes a solution effective for protecting cardholder data and the cardholder data environment in order to provide the most value to their customers. That’s why I think the new integrator and reseller certification and training for 2012 is a welcome addition to the Council’s comprehensive training offerings.”

“This program comes as a direct result of industry feedback and stakeholder requests for greater quality assurance and accountability around the secure installation of payment software,” said Bob Russo, general manager, PCI Security Standards Council. “Not only will it help integrators and resellers better understand how to address some of the basic security flaws we’re seeing that can be easily avoided, but it will also make it easier for merchants to have confidence in the services being provided to them. Retailers and franchise operators alike will have a go-to resource they can trust for making sure their applications and systems are being installed and maintained properly.”

Reproduced from the PCI SSC Press Release.


The PCI SSC has opened its registration for the 2012 PCI Community Meetings

PCI North American Community Meeting will be held on September 12-14, 2012 in Orlando, Florida

PCI European Community Meeting will be held this year in Dublin, Ireland, October 22-24, 2012

This year’s meetings offer Council Participating Organizations and PCI stakeholders access to three days of knowledge sharing, networking and learning, including keynote presentations from industry experts, PCI case studies, and technical sessions.

“2012 is a critical year in the standards development process that hinges on feedback from the PCI community. At this year’s meeting, we’ll focus on discussing stakeholder feedback on the standards in preparation for release of the next versions of the PCI DSS and PA-DSS in 2013, as well as share our successes and challenges, ideas and suggestions as a community,” said Bob Russo, general manager, PCI Security Standards Council. “We’ll discuss Council initiatives, including the Point-to-Point Encryption (P2PE) program, mobile payment acceptance security and other technology areas, as well as the work being done through our Special Interest Groups. Attendees will also have the opportunity to take advantage of our PCI SSC Training offerings.”

New to this year’s agenda, the Community Meetings will also feature:

  • Increased networking opportunities
  • Targeted breakout sessions for different stakeholder groups
  • More industry case studies delivered by members of the PCI community
  • Expanded opportunities to meet with card brands
  • Two-day vendor showcase
  • Event mobile app to help make the most of attendees’ time

Special sessions for Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs) will be held at the meetings.

Several training courses will also be available. These offerings provide participants the opportunity to combine the value of peer to peer education at the Community Meeting with more formal training sessions, maximizing their time in Orlando and Dublin.

“The record attendance at last year’s meeting is a strong testament to the work that together we as a community are doing to drive payment security forward globally, but especially within Europe,” said Jeremy King, European Regional Director. “I’m thrilled about the growing involvement of the PCI community in Europe and look forward to coming together in Dublin to continue this momentum.”

Attendance fees:

  • Participating Organization: First two registrants are free; $395 for additional registrants
  • Qualified Security Assessor (QSA)/Approved Scanning Vendor (ASV)/Internal Security Assessor (ISA)/PIN Transaction Security (PTS) members: First registrant is free; $695 for additional registrants

For more information, or to register

See you in Dublin.


PCI Security Standards Council pushing for feedback as window starts to close

The Payment Card Industry (PCI) Security Standards Council (PCI SSC) called upon its global constituents to submit feedback for development of the next version of the PCI Data Security Standard (DSS) and PA-DSS.

As part of the three-year life-cycle for standards development, the official feedback period, which opened in November 2011, will be closing on April 15, 2012.

To make it even easier to submit feedback, the process has been streamlined and simplified, with a readily accessible tool that can be accessed online at https://programs.pcissc.org/

“Feedback is the lifeblood of the standards development process,” said Bob Russo, general manager of the Council.

“We’ve had great participation so far, but we want to ensure that the standards continue to be the most effective set of best practices against payment data breaches. We can only evolve these best practices through the experience and feedback of our stakeholders.”


PCI Security Standards Council continues focus on mobile payment acceptance security

The PCI Security Standards Council (PCI SSC) is participating in a Congressional hearing titled “The Future of Money: How Mobile Payments Could Change Financial Services,” held by the Subcommittee on Financial Institutions and Consumer Credit.

Other organizations represented at the hearing include the:

  • Atlanta Federal Reserve
  • MasterCard
  • Smart Card Alliance
  • The Consumer Union

The PCI Security Standards Council Chief Technology Officer Troy Leach served as an expert panelist, providing insight into security considerations when it comes to payment acceptance using mobile technology, as well as the Council’s work to date and future plans in this area.

The hearing is the first in a series of three designed to:

  • examine the technology by which mobile transactions are conducted
  • identify potential security problems
  • identify regulatory barriers that consumers, merchants, and financial institutions might face when using mobile payment services
  • consider whether statutory changes are necessary as mobile payment systems become more widely available and are increasingly used.

Participation in the hearing comes as part of the Council’s and its stakeholders’ focused efforts in the area of mobile acceptance security.

The area of mobile payments includes two different environments for the use of mobile devices:

  1. merchant acceptance applications, where phones, tablets and other mobile devices are used by merchants as point-of-sale terminals in place of traditional hardware terminals
  2. consumer-facing applications, where the phone is used in place of a traditional payment card by a consumer to initiate payment

The Council’s security efforts to date in this area have been concentrated on the first environment, securing the use of mobile devices as a point of sale acceptance tool.

“Mobile technology offers exciting potential to the payments space,” said Troy Leach, chief technology officer, PCI Security Standards Council. “To help realize this securely, the Council is working with its global stakeholders to develop the industry standards and resources necessary for the protection of cardholder data across all payments channels, and for the reduction of fraud for consumers and businesses globally.”

In 2011, the Council issued guidance on the types of payment applications that can allow organizations to accept and process payments securely using mobile technology, including a checklist resource to help explain simply and succinctly to anyone currently considering mobile acceptance solutions which types of application support PCI Standards.

The Council also identified the types of applications that fall short of security standards for secure mobile acceptance. In collaboration with industry subject matter experts, including software application developers, the Council is continuing to examine this area to determine whether the inherent risk of card data exposure in these applications can be addressed by existing PCI Standards, or whether additional guidance or requirements must be developed.

Compliance by device vendors with these requirements now allows merchants to use plug-in devices with mobile phones to swipe cards securely: the data is encrypted at the point the card is swiped, making it unreadable and so minimizing the risk. The mobile device acts only as a conduit and has no ability to decrypt the encrypted data.
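The reader-encrypts, phone-forwards, processor-decrypts flow described above, modelled as an added Python example (not code from the PCI SSC, a device vendor or this blog): the plug-in reader derives a fresh key for every swipe from a base key it shares with the processor, the mobile app forwards an opaque blob it cannot read, and the processor re-derives the key, checks integrity and rejects replays. The example also illustrates the per-transaction key uniqueness that the PIN Security Requirements further down call for. The HMAC-based keystream (a standard-library stand-in for a real block cipher), the reader id, the base key and the sample track data are all constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Constructed base derivation key. In a real deployment it is injected into the
# reader at a key-loading facility and held by the processor's HSM; here the two
# parties simply share a random value generated when the module loads.
SHARED_BDK = secrets.token_bytes(32)


def derive_txn_key(bdk: bytes, reader_id: bytes, counter: int) -> bytes:
    """Per-transaction key bound to (reader, counter): unique and never reused."""
    return hmac.new(bdk, reader_id + counter.to_bytes(4, "big"), hashlib.sha256).digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (same call decrypts).
    Standard-library stand-in for the block cipher a real SRED reader would use."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class EncryptedSwipe:
    reader_id: bytes
    counter: int
    nonce: bytes
    ciphertext: bytes
    tag: bytes


class CardReader:
    """Plug-in swipe reader: the only component that ever sees cleartext track data."""

    def __init__(self, reader_id: bytes, bdk: bytes):
        self.reader_id = reader_id
        self._bdk = bdk
        self.counter = 0

    def swipe(self, track_data: str) -> EncryptedSwipe:
        self.counter += 1  # fresh counter -> fresh key for every swipe
        key = derive_txn_key(self._bdk, self.reader_id, self.counter)
        nonce = os.urandom(12)
        ciphertext = keystream_xor(key, nonce, track_data.encode())
        tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()  # integrity
        return EncryptedSwipe(self.reader_id, self.counter, nonce, ciphertext, tag)


class MobileApp:
    """Conduit only: it holds no key, so it can forward the blob but not read it."""

    def forward(self, swipe: EncryptedSwipe) -> dict:
        return {"reader_id": swipe.reader_id.hex(), "counter": swipe.counter,
                "nonce": swipe.nonce.hex(), "ct": swipe.ciphertext.hex(),
                "tag": swipe.tag.hex()}


class Processor:
    """Holds the base key; re-derives the per-swipe key, rejects tampering and replays."""

    def __init__(self, bdk: bytes):
        self._bdk = bdk
        self._seen: set = set()  # (reader_id, counter) pairs already accepted

    def decrypt(self, msg: dict) -> str:
        reader_id = bytes.fromhex(msg["reader_id"])
        key = derive_txn_key(self._bdk, reader_id, msg["counter"])
        nonce, ciphertext = bytes.fromhex(msg["nonce"]), bytes.fromhex(msg["ct"])
        expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(msg["tag"])):
            raise ValueError("integrity check failed: blob altered in transit")
        if (reader_id, msg["counter"]) in self._seen:
            raise ValueError("replay: this reader/counter pair was already used")
        self._seen.add((reader_id, msg["counter"]))
        return keystream_xor(key, nonce, ciphertext).decode()


def demo(track: str = "4111111111111111=2512101") -> dict:
    """Run two swipes of the same constructed card through reader -> app -> processor."""
    reader = CardReader(b"RDR-0001", SHARED_BDK)
    app, processor = MobileApp(), Processor(SHARED_BDK)
    first = app.forward(reader.swipe(track))
    second = app.forward(reader.swipe(track))
    recovered = [processor.decrypt(first), processor.decrypt(second)]
    try:
        processor.decrypt(first)  # the same blob submitted a second time
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {
        "recovered": recovered,
        "app_sees_track": track.encode() in bytes.fromhex(first["ct"]),
        "unique_ciphertexts": first["ct"] != second["ct"],
        "replay_rejected": replay_rejected,
    }


if __name__ == "__main__":
    print(demo())
```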

In the coming months the Council plans to release specific guidance for merchants on how to effectively use these security requirements in conjunction with encryption technology to more easily and securely accept payments using mobile technology.

Later this year the Council will also produce a best practices document for securing mobile payment transactions.

PCI and mobile payment security will be a topic of discussion at the Council’s Annual Community Meetings scheduled for

  • September 12-14 in Orlando, Florida
  • October 22-24 in Dublin, Ireland – if you are going to Dublin see you there


PCI Security Standards Council invites payments community to input on PIN Transaction Security

The PCI Security Standards Council (PCI SSC) has announced the launch of a 30-day period to solicit feedback from PCI Participating Organizations on the next version of the PCI Hardware Security Module (HSM) security requirements.

Hardware security modules (HSMs) are non-cardholder-facing devices used in connection with the protection of sensitive data, such as cardholder data (e.g. PINs), and the cryptographic keys that protect or authenticate that information. For example, HSMs are used with PIN translation, payment card personalization, data protection and e-commerce. Requirements for testing and approving these devices fall under the PCI PIN Transaction Security (PTS) program, which also tests and validates Point of Interaction (POI) devices to ensure they comply with industry standards for securing sensitive data.

The PCI SSC has made a number of modifications to version 1.0 aimed at providing greater alignment between the PCI Hardware Security Module (HSM) security requirements and those introduced with version 3 of the PTS Point of Interaction (POI) security requirements.

The Council requests input from Participating Organizations on these changes. All feedback will be reviewed and considered in finalizing the revised requirements for publication in the spring. Organizations should submit feedback using the online tool here by March 09, 2012.

“Because the Council is comprised of organizations ranging from merchants to acquirers to processors we have a unique opportunity to create standards based on feedback from across the payments spectrum. We rely heavily on active participation by our members. This industry feedback and expertise is critical to our mission and our business,” said Bob Russo, general manager, PCI Security Standards Council. “I would like to encourage each organization to take the time to provide us with input during this period.”


PCI Security Standards Council adds PCI PIN Security requirements to PTS standard

The PCI Security Standards Council (PCI SSC) has announced that the Council is expanding the PTS standards to encompass the PCI PIN Security Requirements, formerly administered by Visa and MasterCard, to provide organizations with one set of criteria for the protection of PIN data.

After officially taking over management of the requirements earlier this year, the PCI SSC solicited feedback from the PCI community to make updates to the standard. Today’s release contains a complete set of requirements for the secure management, processing and transmission of personal identification number (PIN) data at ATMs, and at attended and unattended point-of-sale (POS) terminals. The PIN Security Requirements will be included in the current PTS security requirements.

The updated PTS program requirements and detailed listing of approved devices are available on the Council’s website here.

“Point of sale continues to be a security hotspot as criminals are using more advanced techniques to steal PIN and cardholder data,” said Bob Russo, general manager of the PCI Security Standards Council. “The requirements are specifically geared toward protecting not just the devices that accept PINs but also the people and processes surrounding them.”

The PCI PIN Security Requirements provide one set of criteria for the protection of personal identification number (PIN) data. For merchants, examples of common vulnerabilities leading to PIN theft that the requirements address include:

  • PINs that are not protected by a secure PIN block
  • Failure to use approved cryptographic devices for PIN processing
  • Cryptographic keys that are non-random, not unique, and never change
  • Few, if any documented PIN-protection procedures
  • Audit trails or logs that are not maintained

“With this addition to the PTS requirements, we hope to strengthen POS security at merchants around the globe,” noted Russo.

The Council will also host a Webinar for Participating Organizations and the public outlining the newest updates to the PIN Transaction Security program, including the PIN Security Requirements, followed by a live Q&A session.

Register for the November 8 session here.

Register for the November 10 session here.


PCI Security Standards Council invites industry input during next phase of standards development

The PCI Security Standards Council has launched its formal feedback period on version 2.0 of the PCI DSS and PA-DSS, inviting Participating Organizations and assessors (QSAs) to provide suggestions and commentary on the development of the next PCI Standards.

The PCI Council works on a three-year lifecycle to update the PCI Standards. Feedback from Participating Organizations representing merchants, banks, processors, vendors, security assessors and others across the payment chain is the foundational element of this process. The feedback period takes place a full year after the new versions of the DSS and PA-DSS were released, giving organizations the opportunity to provide input based on their experience in implementing the standards. As of December 31, 2011, version 1.2.1 of the PCI DSS and PA-DSS is retired and all validation efforts for compliance must follow version 2.0.

Beginning today, PCI stakeholders can submit input through a new online tool that automates and makes feedback easier to supply. All feedback will be reviewed by the Council and included in discussion for the next iteration of the PCI Standards.

In the Council’s last feedback cycle, hundreds of comments were received, with more than 50 percent coming from outside the U.S.

“With the Council’s Participating Organization base having grown substantially in Europe over the last year, and particularly with increased global representation on our Board of Advisors, we’re really looking forward to receiving input from our stakeholders around the world,” said Jeremy King, European Director, PCI Security Standards Council. “In a changing payments environment, it’s this input that will help us maintain a global standard that ensures the protection of cardholder data remains paramount.”

Feedback submissions will be grouped into three categories – Clarifications, Additional Guidance and Evolving Requirements – and shared for discussion with Participating Organizations and the assessment community at the 2012 PCI Community Meetings.

“Our community is made up of experts from across the payments chain, around the world and from organizations of every size, each dealing with different aspects of the PCI process,” said Bob Russo, general manager, PCI Security Standards Council. “We rely on their feedback and unique experiences to help us continually improve these standards for the protection of cardholder data.”

The online feedback tool can be accessed here.


PCI Security Standards Council opens election for new Special Interest Groups

The PCI Security Standards Council (PCI SSC) opens election for new Special Interest Groups (SIG).

The Council developed Special Interest Groups (SIG) to leverage the expertise of more than 600 Participating Organizations and provide a vehicle for incorporating their ideas and input into the work of the Council. SIGs focus on providing recommendations to the Council, which often result in guidance that helps the Community interpret and implement the PCI Standards.

To date, SIG participants have made significant contributions to Council resources on topics such as:

  • Wireless security
  • EMV chip
  • Point-to-Point Encryption
  • Virtualized environments

Participating Organizations are invited to submit votes for their top three of the seven shortlisted proposals. The proposals were submitted by a cross-section of merchants, acquirers, industry associations, service providers, Qualified Security Assessors (QSA) and vendors. They cover the following topics:

  • Small ecommerce merchants
  • Effective patch management that is compliant with PCI DSS requirement 6.1
  • Administrative access to systems and devices
  • Cloud
  • Small businesses
  • Hosted, managed application and service providers
  • Risk assessments

“The Council is delighted at the level of input we’ve received from the community in the form of SIG proposals,” said Jeremy King, European director, PCI Security Standards Council. “I’m particularly pleased to see such broad global representation and perspectives in submissions. Securing payment card data is a global challenge and the Council’s worldwide stakeholders are uniquely positioned to partner with us in tackling this.”

The polls close on Friday, November 4th 2011. Results will be announced following the election, together with next steps on how to volunteer for the Special Interest Groups.

PCI SSC updates PTS program for Encryption and Mobile

The PCI Security Standards Council has provided an update to the PIN Transaction Security (PTS) program for secure point-to-point encryption (P2PE) and mobile payment acceptance.

PTS 3.1 adds two new approval classes that facilitate the deployment of P2PE technology in payment card security efforts, building on the Secure Reading and Exchange of Data (SRED) module previously introduced in version 3.0 to support the secure encryption of account data at the point of interaction. Until now, the PIN Transaction Security program has applied to PIN acceptance devices only. With the release of version 3.1, requirements will expand for the first time to include protection of account data on devices that do not accept PIN, meaning any card acceptance device can now be PTS tested and approved and eligible to deploy point-to-point encryption technology.

Additionally, the requirements have been updated to address secure (encrypting) card readers (SCR), further facilitating the deployment of P2PE technology and the use of open platforms, such as mobile phones, to accept payments. Merchants looking to use magnetic stripe readers (MSRs) or MSR plug-ins now can ensure these devices have been tested and approved to encrypt data on the reader before it reaches the device.

The Council published a roadmap outlining its approach to point-to-point encryption technology in the cardholder data environment late last year and recently released the PCI Point-to-Point Encryption Requirements, the first set of validation requirements in its P2PE program. Findings from its initial examination of mobile payment acceptance applications in light of the PA-DSS were published in June, and in collaboration with industry experts in an SSC-led Mobile Taskforce, the Council aims to deliver further guidance by year’s end.

“We know how eager the market is to implement P2PE,” said Bob Russo, general manager, PCI Security Standards Council. “By releasing these updated requirements now, merchants using any type of card acceptance device will have the ability to encrypt data at the point of interaction and ensure its protection. Additionally, we’ve opened the standard up to address mobile devices – another area of great interest to our stakeholders.”

The updated PTS Security program requirements and detailed listing of approved devices are available on the Council’s website.

There will be a session devoted to PTS program updates, including a dedicated question and answer forum, at the PCI Community Meeting taking place in London, England on October 17-19.

Additionally, the Council will host a Webinar for Participating Organizations and the public outlining the newest updates to the PIN Transaction Security program, followed by a live Q&A session.

To register for the November 8 session, please visit here.

To register for the November 10 session, please visit here.

For more details on PCI visit the PCI Resources page here.