With end-to-end encryption of payment card data rapidly spreading throughout the credit and debit card industry and calls for the U.S. to replace magnetic-stripe cards with so-called EMV chip-and-PIN cards, the card industry’s security overseer is attempting to ensure that security standards change with the times. The PCI Security Standards Council on Tuesday released what it calls supplemental guidance about the two technologies and how they relate to the Payment Card Industry Data Security Standard (PCI DSS), whose requirements all merchants accepting general-purpose credit and debit cards must meet.
The EMV and data-encryption guidance papers are the first in a series of PCI Council reviews of technologies and systems involving card security, according to Robert Russo, the Wakefield, Mass.-based Council’s general manager. “These are basically just the start,” he tells Digital Transactions News. “These things are basically to enhance the DSS.”
Card executives widely consider EMV cards to be more secure than mag-stripe cards, and they could greatly reduce card-present and lost-and-stolen card fraud. But EMV cards are not entirely hacker-proof, because the chip still sends cardholder account data, including the account number, to the terminal in the clear during a transaction. If that data is intercepted, fraudsters could use it to make illegal card-not-present purchases. Thus, EMV payment systems still need PCI, according to Russo. “EMV and the DSS are complementary,” he says.
Russo also notes that while vendors and processors have introduced numerous solutions in the past year or so that encrypt cardholder data during the transaction process, there is no commonly accepted definition of “end to end.” The PCI Council instead uses the term “point-to-point encryption,” or “p2pe.”
“Tell us from what end to what end?” Russo says. “There are so many products out there that are calling themselves ‘end to end,’ and it’s confusing. It’s a deceiving term.”
The guidance about EMV and p2pe will not be part of the pending revision of the PCI standard that will be officially released Oct. 28. The Council reviewed the planned revision, to be called PCI DSS 2.0, late last month at its North American “community meeting” in Orlando, Fla., with vendors, processors, merchants, and other PCI stakeholders, and asserts that while it has many changes from the current 1.2 version, none of them is major. Another community meeting with European stakeholders is set for Oct. 18-20 in Barcelona, Spain.
The Council previewed the EMV and p2pe white papers at the Orlando meeting. The p2pe guidance is intended to help merchants and the PCI assessors who review security systems and validate PCI compliance map out exactly which parts of a merchant’s data systems store or handle card data, according to Troy Leach, the PCI Council’s chief security architect. What’s “in scope” and “out of scope” is a hot topic nowadays because if cardholder data are not present in a database or data-transmission system, and it is therefore out of scope, a merchant’s PCI compliance duties and expenses can be reduced. The problem, many merchants have found, is that card data frequently turn up not only in their payment-processing systems, but also in other customer-related systems, such as loyalty programs and returns-processing databases.
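The scoping problem Leach describes is usually attacked with a cardholder-data discovery scan: search every data store for things that look like card numbers, keep only the candidates that pass the Luhn check, and treat any store where one turns up as in scope. The following is an added example written for this article, not code from the PCI Council or from any of the guidance documents; the sample records (a loyalty export, a returns database dump, an application log, an inventory file) are constructed, the card numbers in them are industry test PANs, and the regex, the Luhn filter and the first-six/last-four masking are the author's choices.

```python
"""PAN discovery for PCI scoping (added example, not PCI Council guidance).

Walks constructed sample records, finds candidate card numbers, keeps only
Luhn-valid ones, and reports each data store as in or out of scope.  The
report masks PANs to first six / last four so the scan output itself does
not become a new store of cardholder data.
"""
import re

# Hypothetical sample records, constructed for this example.  The card
# numbers are industry test PANs (Luhn-valid, never issued to a cardholder).
SAMPLE_RECORDS = {
    "loyalty_export.csv": [
        "member_id,name,card_on_file",
        "1001,A. Example,4111111111111111",
        "1002,B. Example,4111-1111-1111-1111",
    ],
    "returns_db.txt": [
        "rma=55012 order=1234567890123456 refund_to=5555555555554444",
        "rma=55013 order=9999999999999999 refund_to=(store credit)",
    ],
    "app.log": [
        "2010-10-05 12:00:01 INFO auth ok token=9f8e7d6c",
        "2010-10-05 12:00:02 DEBUG pan=378282246310005 exp=12/12",
    ],
    "inventory.csv": [
        "sku,qty,warehouse",
        "4111111111111112,10,east",   # 16 digits but fails Luhn: not a PAN
    ],
}

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer run of digits (so a timestamp glued to an ID is
# not mistaken for a card number).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four; everything else becomes '*'."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(line: str) -> tuple:
    """Return (luhn_valid_pans, rejected_candidate_count) for one line."""
    valid, rejected = [], 0
    for m in CANDIDATE_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            valid.append(digits)
        else:
            rejected += 1       # order numbers, SKUs, etc.: keep a count only
    return valid, rejected


def scan(records: dict) -> dict:
    """Classify each data store; PANs in the report are masked."""
    report = {}
    for store, lines in records.items():
        masked, rejected = [], 0
        for line in lines:
            pans, bad = find_pans(line)
            masked.extend(mask(p) for p in pans)
            rejected += bad
        report[store] = {"in_scope": bool(masked),
                         "pans": masked,
                         "rejected": rejected}
    return report


def in_scope_stores(report: dict) -> list:
    """Names of the stores that must be treated as part of the CDE."""
    return sorted(s for s, r in report.items() if r["in_scope"])


if __name__ == "__main__":
    result = scan(SAMPLE_RECORDS)
    for store, r in result.items():
        print(f"{store:20s} in_scope={r['in_scope']!s:5s} "
              f"pans={r['pans']} rejected={r['rejected']}")
    print("in scope:", in_scope_stores(result))
```

On the constructed data the loyalty export, the returns database and the application log all come back in scope, which is exactly the pattern the article describes: the log and the returns system were never meant to hold card data. The inventory file is correctly left out of scope because its 16-digit SKU fails the Luhn check, as do the order numbers in the returns dump. Two caveats a practitioner should keep in mind: a Luhn-valid identifier that is not a card number will still be flagged (a human has to review hits), and data that is already encrypted or tokenized will not be found, so discovery supplements a data-flow diagram rather than replacing it.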
Next year, the Council plans to issue formal guidance about point-to-point encryption, according to Leach. The focus again will be on precisely defining what parts of a merchant’s system are subject to PCI. “It will not be to validate DSS compliance, it will be validating the card-data environment,” he says. The requirements could make the process of determining PCI scope “more complex,” he adds, though he wouldn’t say if it would add expense.
Links to the EMV and point-to-point encryption documents can be found through this link to a PCI Council news release: https://www.pcisecuritystandards.org/news_events/press_releases.shtml.
Meanwhile, Verizon Business, which provides audits and other PCI-related services, on Monday released results from a study that says PCI compliance reduces a merchant’s likelihood of suffering a data breach by 50% compared with that of non-compliant merchants. Verizon Business, a unit of New York City-based phone giant Verizon Communications Inc., based its results on PCI assessments by its Qualified Security Assessors (QSAs) in 2008 and 2009. The firm reported earlier that about a fifth of the merchants it surveyed that had suffered a data breach had been validated as PCI-compliant during the last audit before their breach (Digital Transactions News, Aug. 5).
The new study says only 22% of card-accepting merchants are PCI-compliant the first time they are audited, though many did meet individual rules within the standard. Verizon found a pattern in the data compromises: merchants struggle the most with just three of the PCI standard’s 12 major requirements, namely protecting stored cardholder data, tracking and monitoring access to networks, and regularly testing security systems.