
Defending PCI: 'Don't Blame the QSA's'

Interview with Bob Russo, GM of PCI Security Standards Council
September 30, 2009 - Linda McGlasson, Managing Editor

Since the announcement of the Heartland data breach in January, the merits of the Payment Card Industry Data Security Standard (PCI DSS) have been questioned, and Bob Russo has led the defense.

Russo is general manager of the PCI Security Standards Council, the group responsible for the development, management, education and awareness of the PCI Security Standards. In an exclusive interview conducted at the council's recent community meeting in Las Vegas, Russo discusses:

Why end-to-end encryption is no security panacea;
The merits of tokenization, Chip and PIN and other solutions;
His response to breached entities that say they were PCI compliant.

Russo brings more than 25 years of high-tech business management, operations and security experience to his role. He is responsible for driving the organization's policies, as well as meeting its goals to create education programs, establish pools of certified Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs) and incorporate feedback from all stakeholders across the payment chain into the work of the Council and the development of new standards. In addition, he oversees the PCI Security Standards Council's training, testing and certification programs for QSAs and ASVs.

LINDA MCGLASSON: The future of PCI -- how do you see it shaping up?

RUSSO: At this point, it's a busy future, is what it looks like to me. I made an analogy this morning about yelling at the ocean because the tide keeps coming in and washing away your house. The tide is going to continue to keep coming in; it's not stopping, no matter what we do. There's always got to be something that's got to be done, and hopefully we'll stay abreast of what these things are by getting feedback from people that are dealing with it on a regular basis, added to the experience that we bring to the table. This feedback is invaluable to us.


MCGLASSON: In terms of the end-to-end encryption issue and tokenization, where do you see those two playing out?

RUSSO: End-to-end encryption and tokenization are just two of 20 or 30 or 40 different solutions that can be added on to make you more secure. Every time we talk about security, the first thing we say is 'Take the layered approach.' So, they're two more things that you can do, but they don't negate the need for the standard. I think Chris Novak said there were no silver bullets out there really, and there is no silver bullet out there. As you're encrypting, you have to decrypt - [data] has got to be protected at that point. I don't like the term end-to-end encryption; I like the term point-to-point encryption a little better. And what point are we talking about? From what point to what point? When somebody says end-to-end, the connotation is that it's true to the entire process, but very often these things will encrypt at the swipe and decrypt at the processors, and then re-encrypt again and then go someplace, and there are keys that have to be handled throughout this thing. It's just horrendous. It is a solution; it will probably save you some effort on complying with the standard, certainly not totally. But there's a price to pay for it. You really need to think about what you're doing, and the reason that we're not endorsing one or the other or any of these things is because, as I say, there are 20 or 30 of these solutions out there. Some people have already invested money running down that path, and we can't forsake what they've done for recommending something else. There are multiple ways to skin a cat, and we're concerned that it's secured. That's all we're concerned about, and if you do it one of 10 different ways, fine.

MCGLASSON: Tokenization -- same drill?

RUSSO: Same drill. There are lots of people out there using tokenized solutions at this point. They don't cover the entire thing. They're really, really good, some of them out there. We'll be looking at not endorsing a particular product or service from somebody. We will be looking at these technologies and say, 'Okay, if you're using a tokenization-type technology, it needs to do these five or six or seven things. It has to be those things; otherwise, we're not going to recognize it as being something that you can layer on to the standards.' So, we've got to find out more; we've got a lot of raw data coming today from PricewaterhouseCoopers. It's raw, raw data. There are no recommendations. We asked them to do some surveys and research for us, and that's what they've done, and they're just going to come back and say, 'Okay, this is the result from the survey, and we asked people these questions, and we heard this back.' So, these are the things that we're hearing, and we'll have to look at those in conjunction with other things.
