PCI Encryption Standard Updated
How Optional Standard Can Ease PCI-DSS Compliance
The PCI Security Standards Council has released version 2 of its PCI Point-to-Point Encryption Solution Requirements and Testing Procedures.
Unlike the PCI-DSS, compliance with the PCI encryption standard is not mandatory for merchants or vendors, says Jeremy King, international director of the PCI Security Standards Council, in an interview with Information Security Media Group. The encryption standard is a complementary standard, he explains.
By implementing PCI-approved encryption solutions, merchants can reduce the number of PCI-DSS requirements they have to comply with, King says.
One of the primary changes included in version 2 of the encryption standard is the addition of guidelines for how large merchants can manage the decryption of their own data, King says. "In version 1, data had to be decrypted by a third-party provider," he adds.
"Some of the largest merchants wanted the option to also be able to manage the decryption of the data in their own data centers," King says. That's because these merchants wanted to maintain control of their encrypted cardholder data so that they could analyze purchases cardholders make in their stores.
"One of the things that actually took the most time in developing version 2 was setting up this new domain 4, which would enable the larger merchants to be able to manage their own point-to-point encryption solution and provide secure decryption and then secure re-encryption," he says.
During this interview, King also discusses:
- How P2P encryption can reduce PCI-DSS compliance expenses for smaller merchants;
- How version 2 of the encryption standard compares with the earlier version unveiled in September 2011; and
- Why the rollout of EMV should make deployment of PCI-certified encrypting point-of-sale devices easier for U.S. merchants.
King leads the PCI Security Standards Council's efforts to increase global adoption and awareness of PCI security standards. His responsibilities include gathering feedback from the merchant and vendor community, coordinating research and analysis of PCI SSC-managed standards in European markets, and driving educational efforts and council membership through involvement in local and regional events. He also serves as a resource for approved scanning vendors and qualified security assessors. Before joining the council, King was the vice president of the payment system integrity group at MasterCard Worldwide.