PCI: PCI-DSS Updates, New Guidance Released PCI's Russo Says Guidance Hits EMV, Encryption
Bob Russo, GM of the PCI Security Standards Council, says simply that PCI security standards are maturing "gracefully."

In fact, Russo says the global payments community is pleased with the standards, which is why the council decided to make no significant changes this time around. The PCI Data Security Standard and the PCI Payment Application Data Security Standard have not changed significantly this year. But what the industry can expect in 2011 are clarifications and some new guidance regarding emerging technologies.

Versions 2.0 of the PCI-DSS and the PCI PA-DSS take effect Jan. 1, but merchants and banking institutions have until Dec. 31, 2011, to complete their compliance initiatives. The council also officially released guidance on emerging technologies, including the Europay, MasterCard, Visa standard (EMV) and point-to-point encryption. Some of that guidance was referenced in late September, during the PCI North American Community Meeting. More guidance is expected, as the council continues to review other emerging technologies such as tokenization, Russo says.

How some of this emerging technology might impact PCI remains to be seen, Russo says. It's been suggested by some in the payments industry that tokenization negates the need for PCI compliance, because tokenization takes the card number and the consumer information out of the transaction. But Russo says standardization of any emerging technology is a necessity, even if that technology replaces the need for compliance with existing standards.

"We don't think that any of these technologies is actually going to be a silver bullet," Russo says. "There will still be things that need to be addressed by the standard. Suffice it to say that there isn't a standard yet for tokenization, so, consequently, you've got a number of different vendors out there selling different solutions."

During this interview, Russo discusses:

  • The new lifecycle for updates to PCI security standards;
  • New guidance and emerging technologies; and
  • Improving services for the payments community through initiatives like the PCI Internal Security Assessor Program.

Russo brings more than 25 years of high-tech business management, operations and security experience to his role as the general manager of the PCI Security Standards Council. Russo guides the organization through its crucial charter, which is focused on improving data security standards for merchants, banks and other key stakeholders involved in the global payment card transaction process. To fulfill this role, Russo works with representatives from American Express, Discover Financial, JCB, MasterCard Worldwide and Visa International to drive awareness and adoption of the PCI Data Security Standard.

PCI Guidance: What to Expect

TRACY KITTEN: The PCI Security Standards Council released its new data security guidance, with no significant changes to the PCI Data Security Standard or the PCI Payment Application Security Standard. Only guidance was released. What can the industry expect, and how far will the guidance go? Bob Russo, general manager of the PCI Security Standards Council, speaks today about the PCI Council's decision this year to pass down only guidance on the PCI DSS and the PCI PADSS.

Bob, in September we followed up on some of this discussion about guidance during our coverage of the PCI Community Meeting, which took place in Orlando. Since then, the council has collected feedback from the payments community. Can you tell us what changes or revisions, if any, have affected the guidance you expect to pass down, based on feedback you received during the September meeting?

BOB RUSSO: The good news is that the community at large, both in the in the U.S .and in Europe, gave us a really good feedback and a warm reception on all of the clarifications that we made, as well as on the decisions that we made going into 2.0, as well you would expect they would, since they, are the ones who gave us the feedback on what to change or clarify to begin with. So, by and large, there were no surprises. Everyone was very, very receptive to what we were talking about. We heard about lots of interest in education issues and lots of interest in the emerging technologies, as we refer to them. And there is really good acceptance of the fact that we took their advice and moved to a three-year life cycle, as well.

Guidance and Emerging Technology

KITTEN: Now, we've talked quite a bit about guidance and expected changes regarding emerging technologies that will come in the future. The new standards take effect Jan. 1, but merchants and banking institutions will have some grace time for compliance. Is that correct?

BOB RUSSO: That's correct. The way it works is we actually publish the standards, but they don't become effective until Jan. 1 of next year. And, the old standard, 1.2.1, does not sunset until Dec. 31st of 2011. So, merchants will have at least a year to get compliant with the new 2.0. Now, of course, we are encouraging them to not wait a year, but to get into it as quickly as they possibly can. But if they are in the middle of doing an assessment right now, they will have an opportunity to complete that assessment with 1.2.1.

KITTEN: Could you talk a little bit about the guidance you expect for some of the emerging technology, such as tokenization and end-to-end encryption, and how do the two fit together, if at all?

BOB RUSSO: When we first started looking at the different technologies, we were looking at a way to make the standard stronger, if you will, by adding additional layers of security. And, the initial ones that we looked at were EMV, which is the chip standard, and point-to-point encryption. We made a very good start. We went out to a number of industry experts on each one of those things and discussed them with some very large user groups within the council. We got the feedback and had a lot of these things vetted by other standards agencies, such as EMVCo. And so, that's really all it is -- a start. We will be adding additional information to these things, and making some recommendations as we get into 2011, not only on EMV and point-to-point encryption, but also on tokenization. One thing to keep in mind is that there are no standards for any, well, beyond the EMV standard. There are no standards for point-to-point encryption or for tokenization at this point. We need to sit down and really take a hard look at these things and define, specifically, how they possibly help the cardholder data environment. Do they, in some cases, satisfy any requirements within the standards? Again, that information is still being worked on. We have a good start. The documents that have been published, up to this point, are, as you mentioned, guidance documents. They are not additional requirements to the standard.

Bypassing PCI with Tokenization?

KITTEN: It's been suggested by some in the payments industry that tokenization, because it takes the card number and the consumer information out of the payments transaction, negates the need for PCI compliance and end-to-end encryption. How does the council view that perspective?

BOB RUSSO: It's still too early to tell. You know, we don't think that any of these technologies is actually going to be a silver bullet, whether it's point-to-point encryption or tokenization or some combination of the two. There will still be things that need to be addressed by the standard. Suffice it to say that there isn't a standard yet for tokenization, so, consequently, you've got a number of different vendors out there selling different solutions. One takes the first six, one takes the middle eight, and one takes the first six and the last four and tokenizes it; and another one gives you a new token every time. So, really, there needs to be some standardization here. And, there are other standards groups that are looking at doing this. X9, as an example, is looking at doing this, as well. It's a little too early to tell how well these things are going to be defined, and we are working diligently with our special-interest group to do just that.

Tokenization and the Payments Chain

KITTEN: I've heard about several discussions surrounding tokenization that came up during that PCI event in Barcelona. Moving beyond mere payments, now tokenization is being used in the call center, from what I understand. Can you explain some of this?

BOB RUSSO: Certainly, a call center has the ability to take a credit card number over the phone, and now everything is being stored digitally; and if it is being stored digitally, it can be searched, and if it can be searched, then it needs to be encrypted or moved out. So, I don't know that I would call the actual solution "tokenization." I've seen a number of things out there that will mask these things, so that you can't get them digitally; but there are discussions going on now, specific to call centers and guidance, that will be coming out as well.

PCI and EMV

KITTEN: Now, you mentioned EMV earlier, so I'm going to bring us back to the EMV conversation. The council is working closely with EMVCo., the standards body responsible for compliance with the Europay, MasterCard, Visa standard. Tell us what role the PCI Council will play, if any, going forward, where migration and payments associated with EMV are concerned.

BOB RUSSO: We did consult with EMVCo. when we put our paper out. We gave them the opportunity to comment, which they obviously did. We are very happy, and we are working closely with them. As for when an EMV environment might exist in the United States or some place where it isn't, that's outside the purview of what the council does. As the landscape changes, so will the standard, but it's certainly not within our purview to go ahead and say that, EMV is something that is going to be used in one area or another.

PCI Compliance Training

KITTEN: During the PCI Community Meeting, the council announced the launch of an internal training program for quality assessments. Could you tell us a bit about that program and how it has been received by the industry thus far?

BOB RUSSO: First of all, the program is called the ISA program, the Internal Security Assessor Program. And, basically, what we are doing is opening up our training to companies so that they can send their internal assessors in to get better prepared for an assessment, to understand specifically what the QSAs are going to be looking for and to implement a better security program internally. In some cases -- and this is not something that the council has anything to do with in terms of compliance -- the brands will allow large merchants, Level 1 and Level 2 merchants, to do their own assessments internally. I would encourage your listeners to check with the brands individually, to find out who, in fact, would allow that. But, this ISA Program certainly is one way to get your people prepared to do that, as well.

PCI: Maturing Standards

KITTEN: In closing, what final points would you like to highlight or reiterate regarding PCI guidance and emerging technology to our audience?

BOB RUSSO: The biggest thing that we have learned from our community meetings and all of the global feedback that we have seen so far this year, is that the standards are maturing and they are maturing gracefully. There haven't been very many changes to the standards this time around. Certainly, it is clear to us that different technologies, which add additional layers of security, are going to be very important going forward. And that, of course, is a big focus for the council over the next three-year cycle.




Around the Network