PCI: New Guidance for EMV, Encryption
PCI Council Issues Recommendations for Emerging Tech
The council's approach with regard to emerging technologies:
- To provide ongoing assessments of emerging technologies and their impact on payment card security;
- To offer recommendations on the use of specific technologies in relation to the Payment Card Industry Data Security Standard.
In a nutshell, the council's guidance papers do not introduce new or additional requirements for compliance with PCI standards, nor do they serve as an endorsement of one technology, such as EMV, over another, a PCI spokesman says.
But the step toward guidance on emerging technology is a good one, most in the PCI community agree. Despite criticism for its lack of changes this year to the PCI-DSS and the Payment Application Data Security Standard, the council's guidance on emerging technology is expected to help merchants and other payments players make more informed decisions about technology investments.
Jeremy King, head of the council's European arm, and Troy Leach, the council's chief standards architect, say EMV and point-to-point, or P2P, encryption are just two emerging technologies for which the council expects to release ongoing guidance. Guidance will evolve over time, Leach says.
"What are the domains that we need to determine are secure? And what does that roadmap look like going forward? These are things we are addressing," he says.
End-to-end or P2P encryption, Leach says, could simplify compliance with the PCI DSS. "We plan to educate our stakeholders, but it's going to require the involvement of special interest groups," he says. "I think if we form the right partnerships, we form the right teams, we can make valuable changes in this area."
The council is expected on Oct. 28 to release official clarifications for the PCI DSS, but the clarifications do not include new requirements. In August, the council released a brief summary of expected changes to the standard. "We're going into our third generation on a lot of the standards, and we're trying to do a better job to make sure each (standard) has its own specs," King says.