A busy year is on tap for the PCI Security Standards Council, with revisions due not only for the main Payment Card Industry data-security standard but also standards governing PIN-entry devices and payment-processing software applications. Plus, the PCI Council plans to take a close look at two widely discussed security technologies, end-to-end encryption and the so-called EMV chip, general manager Robert Russo tells Digital Transactions News.

The Wakefield, Mass.-based PCI Council is responsible for overseeing and upgrading the PCI standards for securing card data, though the five major international card networks enforce them. The main standard gets upgraded every two years, with version 1.2 in effect from October 2008 until the next official release this October. Russo says nothing radical is planned for the next version. “We're starting to see sort of a pattern here, a lot of stuff we're looking at is clarification-type of things,” he says. “Up until now it doesn't look like there are going to be any Earth-shattering changes.”

The Council currently is absorbing more than 2,500 comments from PCI stakeholders following last fall's two so-called community meetings, one in the U.S. and the other in Europe. The body's board of directors will get a draft of the new version in May, and over the summer the Council will release summaries of the upcoming release. The new version will be unveiled at the next community meetings, in September in Orlando, Fla., and in Barcelona, Spain, in mid-October. The Council will take last-minute commentary before making the draft official on Oct. 31.

At the same time, the Council is analyzing emerging payment card security technologies and in April will begin sharing some of its findings, according to Russo. The first technology in the spotlight will be chip cards. The U.S. is the only major industrialized country not to adopt the EMV chip card, which is more secure than traditional magnetic-stripe cards. It's expensive, however; Aite Group LLC estimates EMV would cost nearly $13 billion to roll out in the U.S. (Digital Transactions News, Jan. 13).

The Council also will examine end-to-end encryption, which merchant processor Heartland Payment Systems Inc. is rolling out in the wake of its massive data breach and other payment companies also are adopting. Russo notes that end-to-end encryption has different forms and presents issues of key management and where data are decrypted. “We're going to endeavor to sort of take it apart and see what it means,” he says.

Meanwhile, the Council is grinding away on updates to two other sets of rules related to the PCI-DSS, one governing PIN-entry devices, formally PIN Transaction Security, or PTS, and the other for payment card software applications, PA-DSS. The revised software rules will become official Oct. 31, while the PTS revisions take effect at the end of April.

At the moment at least, security issues involving PIN-entry devices are by far the most controversial, especially among gas stations and convenience stores, but the flashpoint is network enforcement. The chief issue involves so-called Triple DES technology, which is more secure than older encryption technologies for protecting PINs. Visa Inc. mandated Triple DES for ATMs in 2003, three years before the PCI Council was born. While Triple DES already is part of the PCI rulebook, the technology hasn't yet fully been adopted across all point-of-sale devices. Upgrades can be very costly for some merchants. Gasoline retailers say the cost to upgrade fuel pumps, by some accounts $2,500 to $3,000 per dispenser, could force them to drop acceptance of PIN-debit cards (Digital Transactions News, Sept. 10, 2009). Visa, the biggest card network, has set a July 2010 deadline for fuel dispensers to have Triple DES, but has put off enforcement until 2012.