Changing standards in credit card security
The security standards of the credit card industry are changing as the handling of cardholder data shifts. The Payment Card Industry Security Standards Council (PCI SSC) released two documents last week covering point-to-point encryption, which protects the data from the moment the card is swiped, and the encryption built into EMV chip cards. However, neither document says whether PCI-compliant merchants will be required to adopt the new technology. Instead they give an overview of the PCI DSS, whose 12 requirements apply to any merchant that handles cardholder data. The picture should be clearer at the end of the month, when the new version of the standard is due.
In practice, the cardholder data is masked from the point of sale through to the issuers, and the technology is expected to become a huge market in the years to come. Bob Russo, general manager of the PCI Security Standards Council, feels it would be deceptive to call this encryption end-to-end. He also states that segments of the payment process may or may not be encrypted. This is the first time the council has commented on these encryption systems; Russo's argument is that they are in fact point-to-point, so the council's reference to the market as P2PE (point-to-point encryption) is valid.
The encryption methods need to be validated, and it must be ascertained that both the hardware and the software are implemented properly. Encryption alone may not suffice to comply with the PCI DSS, states Troy Leach, chief technology officer of the PCI Security Standards Council. He also states that validation by PCI DSS assessors is required and that P2PE has a long way to go before it is found to be secure.
The five domains that need validation by PCI DSS assessors are: application security (cardholder data must not be stored); the encryption device (it must be tamper resistant); the merchant encryption environment (its IT systems must be validated); key management (encryption keys must be changed annually); and decryption.
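To make concrete what "point-to-point" means in the two passages above (encrypted from the swipe onward, with the merchant segment never seeing plaintext, and the domains of device, merchant environment, key management and decryption kept apart), here is an added illustration written for this page; it is not code from the PCI Security Standards Council or from any vendor. The cipher is a stand-in (an HMAC-SHA256 keystream with an encrypt-then-MAC tag) chosen so the example runs on the Python standard library alone; approved P2PE devices use approved ciphers and key-management schemes instead. The terminal ID, the amount and the track string are constructed sample values, and the PAN is the well-known 4111... test number, not a real account.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample: a Luhn-valid test PAN (not a real account) in a
# track-2-like layout of PAN ^ name ^ expiry. Not data from the original article.
SAMPLE_TRACK = "4111111111111111^DOE/JANE^2512"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in cipher: HMAC-SHA256 in counter mode used as a keystream.
    Illustrative only; a real P2PE device uses an approved cipher and key scheme."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mask_pan(pan: str) -> str:
    """Masked PAN for receipts and merchant records: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]


class Terminal:
    """Stands in for the tamper-resistant encryption device (the point of interaction)."""

    def __init__(self, terminal_id: str, key: bytes):
        self.terminal_id = terminal_id
        self._key = key  # injected at provisioning; never leaves the device

    def swipe(self, track: str, amount_cents: int) -> dict:
        """Encrypt at the moment of the swipe; only ciphertext and a masked PAN leave."""
        nonce = secrets.token_bytes(12)
        plaintext = track.encode()
        ciphertext = _xor(plaintext, _keystream(self._key, nonce, len(plaintext)))
        tag = hmac.new(self._key, nonce + ciphertext, hashlib.sha256).digest()
        pan = track.split("^", 1)[0]
        return {
            "terminal_id": self.terminal_id,
            "amount_cents": amount_cents,
            "masked_pan": mask_pan(pan),
            "nonce": nonce.hex(),
            "ciphertext": ciphertext.hex(),
            "tag": tag.hex(),
        }


def merchant_record(msg: dict) -> dict:
    """The fields the merchant environment keeps: no key, no plaintext, no ciphertext."""
    return {k: msg[k] for k in ("terminal_id", "amount_cents", "masked_pan")}


def plaintext_pan_exposed(msg: dict, track: str) -> bool:
    """True if the full PAN appears anywhere in what the merchant forwards."""
    return track.split("^", 1)[0] in json.dumps(msg)


class Processor:
    """Decryption environment: the only party that holds terminal keys."""

    def __init__(self):
        self._keys = {}

    def provision(self, terminal_id: str) -> Terminal:
        key = secrets.token_bytes(32)  # key management lives here, not at the merchant
        self._keys[terminal_id] = key
        return Terminal(terminal_id, key)

    def decrypt(self, msg: dict) -> str:
        key = self._keys[msg["terminal_id"]]
        nonce = bytes.fromhex(msg["nonce"])
        ciphertext = bytes.fromhex(msg["ciphertext"])
        expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(msg["tag"])):
            raise ValueError("authentication failed: message altered in transit")
        return _xor(ciphertext, _keystream(key, nonce, len(ciphertext))).decode()

    def accepts(self, msg: dict) -> bool:
        try:
            self.decrypt(msg)
            return True
        except (ValueError, KeyError):
            return False


if __name__ == "__main__":
    processor = Processor()
    terminal = processor.provision("POS-0001")
    message = terminal.swipe(SAMPLE_TRACK, 1999)
    print("merchant keeps:", merchant_record(message))
    print("PAN exposed to merchant:", plaintext_pan_exposed(message, SAMPLE_TRACK))
    print("processor recovers:", processor.decrypt(message))
```

The point of the separation is the one Russo makes: the encrypted span runs from the device to the processor, and nothing in this example says anything about the processor-to-issuer leg, which is a different segment and may or may not be encrypted. Only the processor object can turn the message back into track data; the merchant record contains the masked PAN and nothing that would let an attacker in the merchant environment recover the account number.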
EMV is already in use outside the U.S. In the UK, smart chips are embedded in the cards, and the card user may be required to enter a PIN to complete a transaction. This offers protection against in-person fraud. PCI DSS would still be required where merchants have EMV in place, because EMV protects the card-present transaction while PCI DSS governs the cardholder data that remains with the merchant once the customer has left. For the moment at least, EMV and PCI DSS appear to complement each other.