Monday, November 01, 2010

PCI and Tokenization, Standards, and Log Management

Mike Vizard notes on ITBusinessEdge that Protegrity claims to have the fastest, most distributed tokenization architecture for secure credit card data management. At the same time, virtualization vendors HyTrust, VMware, Cisco, Savvis and Coalfire have announced that they are working on a reference architecture for deploying PCI DSS 2.0-compliant systems on top of virtual servers, which HyTrust CTO Hemma Prafullchandra said is a deployment model that is now officially supported in the PCI DSS standard.

Ulf Mattsson, CTO, Protegrity, notes that chief security and compliance officers also need to consider the following issues:
  • Interoperability: Encryption algorithms, FIPS 140 equipment and key management solutions that are based on industry standards will be necessary to facilitate the sharing of sensitive information across the different stakeholders in the complete payments process, but standardization will require a central body to initiate and arbitrate trust between participating organizations and individuals. This could offer a great opportunity for an established player within the payments ecosystem (retailer, payment processor or vendor) to lead the way.
  • Protect the card: The beginning of a comprehensive end-to-end solution must always start with protecting the card. Approaches such as EMV smartcards, for example, remove the payment processor from the equation by giving the merchant a direct relationship with the issuing bank. The challenge is that approaches like this need to have wider adoption to make a sustained difference.
  • Tokenizing to reduce audit costs and risk: Tokenization is an emerging data security method that is closely related to encryption, but instead of encrypting the data in a reversible fashion, tokenization assigns a value that is only associated with the "real" data in a well-protected lookup table. "As merchants and credit card processors continue to struggle with securing cardholder data, many of them are increasingly using this approach to help reduce the scope of their risks. With the allure of easier deployment and smoother interaction with applications, tokenization's biggest draw is the fact it can dramatically reduce the need for costly PCI audits."
"Taking into consideration these factors, I don't see one silver bullet to answer the payment industry's data security problems. Rather, a combination of changes needs to happen that focus on safeguarding data in every part of the payments data flow." Vizard concludes that "the best thing about the new specification is that it calls for a risk-based approach to credit card security, which is code for telling people they need to rank their risks and apply levels of security rationally from there. What that really means is that when it comes to PCI DSS, don’t let the requirements drive you crazy."
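The "well-protected lookup table" model described in the tokenization bullet above is easy to show concretely. The following is an added example, not code from Protegrity, nuBridges or any product mentioned in this post: a minimal vault-style tokenizer in which the card number is never transformed reversibly, the only link between token and PAN is an entry in the vault, and the systems that handle orders keep just the token. An in-memory dictionary stands in for the protected vault, and two design choices are assumptions of this example rather than anything the post states: tokens keep the last four digits (so receipts and customer-service screens still work) and are generated so that they fail the Luhn check, which means a leaked token can never be mistaken for, or used as, a real card number.

```python
import secrets

def luhn_check(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used for PANs."""
    if not number.isdigit() or not 13 <= len(number) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for the protected lookup table (assumption: in-memory dicts).

    In a real deployment this component lives in the reduced PCI scope, is
    access-controlled and audited; everything outside it sees only tokens.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a token for the PAN, reusing the existing one if already vaulted."""
        if not luhn_check(pan):
            raise ValueError("not a syntactically valid card number")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]      # consistent tokenization
        last4 = pan[-4:]
        while True:
            # Random digits carry no information about the PAN; unlike
            # encryption there is no key that could ever recover it.
            prefix = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = prefix + last4
            # Design choice (assumption): reject Luhn-valid candidates so a
            # token can never pass for a real card number, and reject collisions.
            if not luhn_check(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Look up the PAN; only the vault can do this, and only for callers it trusts."""
        try:
            return self._token_to_pan[token]
        except KeyError:
            raise KeyError("unknown token") from None

    def __len__(self) -> int:
        return len(self._token_to_pan)


def record_sale(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What an order system keeps: the token and the last four, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount_cents": amount_cents}


if __name__ == "__main__":
    # Constructed sample input: the well-known Visa test number, not a live card.
    vault = TokenVault()
    sale = record_sale(vault, "4111111111111111", 1999)
    print("order record stored outside the vault:", sale)
    print("vault can map it back:", vault.detokenize(sale["token"]))
```

Because the order record carries no PAN and the token cannot be reversed without the vault, only the vault and the systems that legitimately call `detokenize` remain in PCI scope; that is the scope-reduction argument the bullet above makes.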

Finally, Brian Prince notes in eWeek that the changes in the Data Security Standards taking effect in January focus on Log Management. He quotes Bob Russo, general manager of the PCI Security Standards Council: "If you don't use a centralized logging facility then your guys have got to look in more places, and chances are if [they] have to look in more than one'll wind up missing some of this stuff," he said, adding it is a "proven fact that every time we find a breach, it's always found in the log." [my emphasis]

Validation against the previous versions of the standards (1.2.1) will be allowed until Dec. 31, 2011 to give organizations time to implement the latest incremental changes. From Jan. 1, 2012 onward, all assessments must be under version 2.0 of the standards.

PS - Gary Palgon, VP Product Management, nuBridges writes: "While the new PCI Data Security Standard 2.0 (PCI DSS) and the Payment Application Data Security Standard 2.0 (PA-DSS) have been released along with the recently issued supplemental guidance documents, 'PCI DSS Applicability in an EMV [EuroPay, MasterCard, and VISA] Environment' and 'Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance', many organizations are now waiting for the subsequent 'validation' documents that will eventually accompany this recent guidance. At the same time, the merchant community is eager for the guidance to be released from the PCI Security Standards Council about tokenization, tentatively scheduled for late November." Palgon leads the Tokenization Working Group within the Scoping Special Interest Group (SIG) and they've made great progress in pulling together the beginning of a "tokenization standard," which will not only help the PCI community, but also those companies wishing to use tokenization beyond just cardholder data, like PII, PHI and other evolving requirements.
