Setting a Tokenization StandardPCI SSC Says Emerging Tech Needs Guidance
"From a merchant perspective, there has to be a buyer-beware approach to any type of solution you are looking at today," Leach says. "There is the need to not only be secure, but you have to demonstrate security to your third parties, your business partners. And what we believe is absent in today's market is a consistent way to test that the security is actually effective."
Standardization, Leach says, will be critical going forward. During the PCI Security Standards Council's North American Community Meeting, held Sept. 22-23 in Orlando, Fla., Leach shared his insights regarding a number of emerging technologies, including tokenization.
In this interview, Leach discusses:
- How point-to-point encryption could simplify PCI compliance;
- Why security testing must be standardized and validated;
- How emerging technologies must work in concert with the PCI Data Security Standard.
Leach is the chief technology officer and lead security standards architect for the PCI Security Standards Council. In his role with the council, Leach has developed and implemented a comprehensive quality assurance program to promote consistency within the council's QSA, ASV, PA-DSS and PED programs. Before joining the council, Leach led the incident-response program at American Express, where he reviewed more than 300 cases of account data compromises. Over the past 15 years, he has held positions in systems administration, network engineering, IT management, security assessment and forensic analytics. Leach holds a master's degree in telecommunications and network management and a graduate degree in information security management from Syracuse University.
PCI on Encryption, Tokenization and EMVTRACY KITTEN: How will emerging technologies impact security within the payments landscape? That's a question the Payment Card Industry's Securities Standards Council is tackling. During the PCI Standards Council's North American Community Meeting in Orlando, Troy Leach, the PCI Council's chief standards architect, spoke with us about point-to-point encryption, tokenization and EMV chip and PIN payments, and how those three technologies fall into the PCI fold.
TROY LEACH: Point-to-point encryption has the opportunity to take a merchant environment, which normally would be required validation from the point that card information enters that environment, all the way to the external fire wall and out to the bank. The PCI Council has decided that with certain types of criteria and certain domains validated, maybe that environment is minimized. The card data environment goes from the entire environment of a merchant to a smaller environment, where it is simply the point of encryption, the key-management elements, the merchant environment where that device or encryption mechanism lives, as well as the point of decryption. If we do that, there is the opportunity for us to simplify PCI compliance for many of our merchants.
Standardizing EncryptionKITTEN: When we talk about end-to-end encryption, there is really no standardization. Why is standardization needed?
LEACH: There are many technologies already in the marketplace today, and from a merchant perspective, there has to be a buyer-beware approach to any type of solution you are looking at today. There is the need to not only be secure, but you have to demonstrate security to your third parties, your business partners. And what we believe is absent in today's market is a consistent way to test that the security is actually effective. So, with standardization you have an opportunity to have a consistent way to test; and there has to be a consistent way for a vendor to demonstrate to a merchant or service provider, and for a merchant to demonstrate to its partners that, "Yes, this has been tested against common criteria that has been agreed to among a broader group of subject-matter experts." So, standardization is a critical path forward, and the council has created a road map that we believe will get us there in the near term.
PCI Guidance on TokenizationKITTEN: I also wanted to ask a bit about tokenization. It's another way to protect cardholder data. But, when it comes to guidance, this is something new that the council is looking at. And how are all of these emerging technologies working together, when we think about EMV, tokenization and PCI-DSS. Why do we need to have all three?
LEACH: Well, currently we have two guidance papers or documents already for point-to-point encryption and EMV. And we are in the process of developing a similar guidance paper for tokenization, and that work is being done in collaboration with a special-interest group of subject-matter experts; we hope to have a draft of that for review by the fourth quarter of this year. So, I would anticipate guidance sometime after that, hopefully sooner rather than later, because the council has been very aggressive in this particular area. We want to go to market as quickly as possible with guidance for merchants and service providers that are considering tokenization.
You have a great question, with providing the three types of technologies and how they can work in concert to provide a better security posture for an organization. EMV has quite a few benefits that we outline in our guidance around the authentication of a transaction. You have point-to-point encryption that gives you some good security principles for the transmission of that information, and one of the benefits of tokenization that we see is that it can really eliminate any need for storing any type of transaction after it has been authorized. So, I would agree with you that there is a need, or an opportunity, I should say, for these three technologies to work together and really reduce the effort that a merchant may go through to validate their PCI compliance.