What the Payments World Needs to Know About PCI in 2010

For the past several years, major data breaches of payment information have hit the headlines with shockwaves felt in many businesses and industries, including everyone from the largest merchants to your local corner store. Often financial institutions are stuck in the middle in such circumstances – as either an issuer or acquirer, or having accounts that are affected and corresponding cards that need to be reissued due to a breach at a merchant or processor.

In 2010, there will be more discussion on the topic, particularly as we approach the introduction of the newest version of the Payment Card Industry (PCI) Data Security Standard (DSS) in October. This article highlights measures the PCI Security Standards Council (PCI SSC) has recently initiated and other activities that it is conducting that will help you either manage your own PCI security efforts more effectively, or assist you in educating your merchants and others in the payment ecosystem on the current state of PCI globally.

Remember, this is a global issue. The PSI SSC has made significant gains in PCI programmes and awareness globally, and is investigating how it can incorporate elements like CHIP into how assessments are performed. There is an emerging and growing amalgamation of interests internationally, as more stakeholders understand the necessity of protecting payment card data and in using the PCI standards to build security practices that prevent data breaches. Remember, it’s your security strategy you should focus on, not compliance. Compliance will be a natural consequence of a strong security strategy – and the PCI SSC believes that the DSS is the most effective roadmap for creating this secure strategy for payment data.

PCI Community Meetings: This is Where You Need to be if You are in Payments

Each year, the PCI SSC conducts an annual forum for engaging with participating organisations (POs) and members of the assessment community on the PCI standards. The community meetings offer POs and council stakeholders the unique opportunity to participate in interactive sessions to discuss the newest versions of the PCI DSS and Payment Application Data Security Standard (PA-DSS), as well as the recently released Payment Transaction Security (PTS) requirements. Attendees will get a first look at changes to the PCI Security Standards and have the opportunity to provide feedback to council management, as well as engage in dialogue with representatives from each of the payment card brands at informal question and answer sessions. This year’s agenda also includes presentations from industry experts on current issues surrounding payment card security, law enforcement and data breach investigations. The community meeting is the annual forum to hear updates from the members of all special interest groups (SIGs), plus attend special sessions for qualified security assessors (QSAs) and approved scanning vendors (ASVs).

Registration details for the PCI SSC 2010 community meetings can be found here:

  • North America: 21-23 September 2010, Orlando, Florida.
  • Europe: 18-20 October 2010, Barcelona, Spain.

The PCI SSC is really looking forward to sitting down with POs face-to-face for a productive discussion about the standards and how we can continue to work together to address the various needs of stakeholders across the payment chain to secure cardholder data globally.

Other Key Dates to Mark in 2010

Aside from those key dates, the other calendar items payment professionals should have in mind include the following:

Summer

The PCI SSC will be making the Feedback Highlights document available on its website, which will contain insights into the types of feedback it received during the last feedback period.

After review by the council’s elected board of advisors, it will provide a summary of proposed changes to the DSS to POs and the market.

The council will release its emerging technology framework and a more detailed white paper on EMV technologies; this is part of a series of guidance to examine emerging technologies, like EMV, point to point encryption and tokenisation to help you better understand how these technologies may satisfy certain requirements of a PCI audit.

Late autumn

This autumn, following the community meetings, the next iteration of the DSS and PA-DSS standards will be released to the public. Following the release of the latest iteration of PTS requirements in May, it means that, together – with your feedback and the feedback of your peers – we will have effectively updated all three of the standards we manage by the end of this year. That’s quite a feat, and we greatly appreciate all of you who have provided feedback, participated in a SIG, or joined as a PO and have helped to get the PCI SSC to where it is today.

While we are on the topic of changes to the standards, let’s take a look at the first to be updated and some of the changes in the latest version of the PTS requirements.

PIN Transaction Security (PTS) Requirements

Last year, the PCI SSC added payment technologies, such as unattended payment terminals and non-user facing devices hardware security modules, to the Personal Identification Number (PIN) Entry Device (PED) standard and renamed it the PIN Transaction Security (PTS) requirements to better reflect the broader environment impacted by the standard. In May, it released a new iteration of this standard – PTS 3.0, which makes it much easier for manufacturers to create the physical hardware necessary to conduct secure payment transactions.

A culmination of the three-year lifecycle review process, incorporating feedback from hundreds of constituents, this latest version is designed to streamline and simplify testing and implementation by providing a single set of modular evaluation requirements for all PIN acceptance Point of Interaction (POI) terminals. It also includes three new modules for device vendors and their customers to secure sensitive card data.

Until now there were three separate sets of requirements for Point of Sale PIN Entry Devices (PED), Encrypting PIN Pads (EPP), and Unattended Payment Terminals (UPT). Version 3.0 simplifies the testing process and eliminates overlap of documentation by providing one modular security evaluation program for all terminals and a single reference listing of approved products.

What this means for you is that the PCI SSC has strengthened and restructured existing requirements that make it easier for manufacturers of the hardware and the modules powering them to more effectively build approved PIN pad devices that are compliant with the PCI standards. These appliances and specific components are submitted to the PCI SSC labs for review, where it posts the lists of approved PTS devices (and payment software applications compliant with the PA-DSS) on its website.

How this affects your payment security programme is really quite simple: check the PCI SSC website and look to ensure that the equipment you are using has been approved by the council and proven to be PCI compliant. The council has done all of this research and testing so that you won’t have to. This is one of the quickest and simplest ways to shore up your security efforts and check your hardware and software is not storing prohibited data.

Internal Security Assessor Programme (ISA)

The other major announcement the PCI SSC has made this year that directly affects your own PCI security programmes, or those of your client portfolio if you are an acquiring bank, is the Internal Security Assessor Programme (ISA). This programme, a PCI DSS training and certification for internal assessment staff, is a direct response to PO feedback on the need to improve educational opportunities for internal staff. With the new ISA programme, the PCI SSC is strengthening its commitment to providing you with the necessary resources to help you build an ongoing and vital security process within your organisation and protect cardholder data.

The three-day course is designed to test and qualify in-house security personnel on how to validate and maintain ongoing PCI compliance within their organisations. The session will arm attendees with the knowledge and resources needed to:

  • Enhance the quality, reliability, and consistency of internal PCI DSS self-assessments.
  • Support the consistent and proper application of PCI DSS measures and controls.
  • Effectively facilitate interactions with QSAs.

People and processes continue to be integral in developing a strong security strategy and meeting PCI requirements. With this new training offering, organisations have the chance to develop their own in-house PCI compliance experts, and with the many other tools and resources provided by the council, can implement a stronger ongoing security process.

Reinforcing the global nature of the PCI SSC’s mission, the first course took place in Sydney, Australia on 19-21 May, and the first session for North America took place in Columbus, Ohio at the end of June. Others are scheduled for 25-27 August in Seattle, Washington and at our forthcoming community meetings, providing participants with an opportunity to get the most value out of their week in Orlando or Barcelona. Keep an eye on the education section of the website for details on future training sessions.

Conclusion

Everyone recognises that protecting the credit card payment process can be a daunting task, but every little bit of security helps. As you move forward on your journey, just remember all the tools and resources that are out there to assist in the building of your security strategy. Build with security in mind and compliance will follow.

Thank you for your participation and feedback so far this year, and we look forward to seeing you all at the PCI community meetings in the autumn.

11 views

Related reading