PCI Evolution Tied to Emerging Technologies

Encryption, Tokenization Top of Mind with Merchants, Processors
Emerging technologies are the hottest topics of discussion within the PCI Security Standards Council community meeting in Las Vegas this week.

The question, says David Taylor, founder of the PCI Knowledge Base, a PCI research firm, is 'How will PCI's security standards council embrace end-to-end encryption, tokenization and other emerging technologies?'

Heartland's CEO Robert Carr called for end-to-end encryption after the payments processor disclosed that it had been breached in 2008. Tokenization replaces the credit card number (the primary account number, or PAN) in an electronic transaction with a token: a surrogate reference number that the merchant's systems store and pass around in place of the PAN, while the PAN itself stays with the tokenization provider. This reduces the exposure of the card number during the transmission and storage of a transaction, and because the reference number cannot be used to make a purchase or a fraudulent charge, little harm is done if it is stolen.
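To make the tokenization idea concrete, here is a minimal token vault written for this article; it is an added example, not code from the article or from any vendor or processor it mentions. The class and function names are assumptions. It shows the two properties the paragraph relies on: the token is random, so it has no mathematical relationship to the PAN and only the vault can reverse it, and the token is deliberately issued so that it fails the Luhn check, so a stolen token cannot be mistaken for, or replayed as, a card number.

```python
from __future__ import annotations

import secrets


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test (ISO/IEC 7812). Real PANs pass it; this vault issues tokens that fail it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_well_formed_pan(pan: str) -> bool:
    """13-19 digits with a valid Luhn check digit; rejects junk before it reaches the vault."""
    return 13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)


class TokenVault:
    """Hypothetical token vault run by the tokenization provider (an assumption for this example).

    The PAN exists only inside this object; everything outside it handles tokens.
    A production vault would encrypt the PAN at rest and sit inside PCI scope so that
    the merchant's own systems can stay out of it.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not is_well_formed_pan(pan):
            raise ValueError("not a well-formed PAN")
        # Same PAN -> same token, so a merchant can still recognise a repeat customer.
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            # Keep the last four digits so receipts and call-centre lookups still work;
            # every other digit is random, so the token cannot be derived from the PAN.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Issue only tokens that FAIL the Luhn check: a stolen token then cannot be
            # mistaken for, or replayed as, a card number. Also rule out collisions.
            if token != pan and not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can turn a token back into a PAN; callers must be authorised."""
        return self._pan_by_token[token]


# Constructed sample input: the well-known Visa test number, not a real card.
SAMPLE_PAN = "4111111111111111"


def demo() -> tuple[str, str]:
    """Tokenize the sample PAN; returns what the merchant stores and what the vault resolves it to."""
    vault = TokenVault()
    token = vault.tokenize(SAMPLE_PAN)
    return token, vault.detokenize(token)


if __name__ == "__main__":
    tok, pan = demo()
    print("merchant stores:", tok, "(Luhn valid:", luhn_valid(tok), ")")
    print("vault resolves to:", pan)
```

The design choice worth noting is the Luhn-failing token: a token that looked like a valid PAN would pass input validation in downstream systems and could be submitted in a fraudulent authorization, which is exactly what tokenization is meant to rule out. Everything else a merchant needs (last four digits for receipts, a stable token per customer) is preserved without the PAN ever leaving the vault.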

"The council has to embrace the beyond," Taylor says. "It sounds kind of like science fiction, but that is what they have to do."

In the wake of recent breaches such as Heartland and Network Solutions, the Council has been accused of not evolving its standards fast enough to keep pace with new technologies and solutions, Taylor says. "Technology is changing faster than the standards; they're always going to be behind the curve."

New Study IDs Hot Technologies

One big step toward at least understanding the emerging-technology challenges comes with the unveiling of a new survey of how PCI-compliant companies are using new technologies and solutions. The survey was conducted by PricewaterhouseCoopers (PwC) at the request of the PCI Security Standards Council.

Speaking about the results of the survey, conducted over this past summer among 125 companies in 10 countries, Pieter Penning, an analyst who helped conduct the study, says the two primary drivers for emerging technologies among PCI merchants are reducing risk and reducing the cost of PCI compliance. "This is the starting off point, with the trends and research showing these technologies are ones that merchants and others in the payment arena are looking at, or actively implementing and using to protect card holder data," Penning says.

The top two emerging technologies named by PwC's respondents are, to no one's surprise, end-to-end encryption and tokenization. They head a list of 12 emerging technologies and solutions that respondents said are top of mind. Two others the survey focused on are virtual terminals, which Google, PayPal and other companies use to limit the scope of what can be done during the checkout process, and mag stripe imaging, which captures the card's magnetic stripe information.

"It will come as no surprise to anyone that none of these emerging technologies offer a silver bullet," says Mark Lobel of PricewaterhouseCoopers Advisory Services. The complete survey report is now with the PCI Security Standards Council for review.

"The council will indicate how this will affect the data security standard, after we have had a chance to review it," says Bob Russo, general manager for the council.

The focus on PCI and emerging technologies could have collateral benefit for the PCI community, observers say.

One benefit of institutions' focus on PCI: they might step back and look at what other data they hold that could be considered valuable. "Financial institutions and other businesses may benefit from taking a holistic look at what personal identifiable information they are storing, when looking at how they are complying with PCI requirements," says Lobel.

Diana Kelley, principal at Security Curve, says the discussion of virtualization is encouraging. "A lot of work is going on there," Kelley says. "I expect to see it baked into the next set of requirements, or some guidelines put out in the meantime."


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.