The PCI Security Standards Council (PCI SSC) issued its first guidance document outlining the point-to-point encryption market, warning merchants of the possibility of vendor lock-in and calling current implementations too immature to properly evaluate.
In the PCI encryption document, Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance, the council explains how the latest encryption technologies can simplify the validation process by encrypting cardholder data at the time it enters a payment system and transporting it securely to payment processors, where it is decrypted.
“There are a lot of these so-called end-to-end encryption solutions cropping up all over the place and it could create a lot of confusion among merchants,” said Bob Russo, general manager of the PCI DSS Council. “This is by no means an endorsement of the technology; it’s just an early document to set the stage for more information to come.”
Encryption is covered under the current PCI Data Security Standard, but how encryption is deployed has become more complex. Security vendors and payment processors have offered a number of end-to-end encryption technologies as a way to streamline PCI DSS validation and better secure credit card data. Princeton, N.J.-based Heartland Payment Systems Inc., which is dealing with one of the largest data breaches in U.S. history, is trying to push the payment industry to adopt end-to-end encryption throughout the entire payment process. Other payment processors, including First Data and RBS WorldPay, are jumping on board with different plans, which include point-to-point encryption, tokenization and other technologies designed to protect credit card data.
Keith Primeau, owner of Bain’s Deli and several other restaurants in the Philadelphia region, said he doesn’t worry about vendor lock-in. The former Philadelphia Flyers hockey player called encryption a mature technology and said he puts his faith in Heartland to protect his customers’ data so he can focus on his businesses.
“I understand the need to insulate and secure the restaurant and myself as much as possible for the benefit of our patrons,” Primeau said. “I wouldn’t call myself technologically savvy so I’m really asking [Heartland] to protect me and my customers.”
The deli processes about 50 credit card transactions a day. Primeau said the extent of his evaluation of Heartland’s E3 end-to-end encryption system was reading materials sent by the processor. Primeau said he was convinced the new system would assure patrons he was being proactive about their security. Vendor lock-in would probably be an issue for larger businesses, he said.
Troy Leach, chief technology officer of the PCI SSC, said a future document outlining validation requirements will give more detailed information on how the technology will be evaluated by qualified security assessors (QSAs). Leach is encouraging merchants to improve data discovery processes prior to deploying encryption to ensure credit card data isn’t leaking into other systems. QSAs and merchants will also receive training on remote administration of encryption and proper ways to administer the decryption environment.
“Encryption has been around for a long time, so there are mechanisms of encryption that are very mature,” Leach said. “Regardless of what form of encryption there is, there must be some form of tamper resistance. You have to be able to demonstrate that the encrypted environment is beyond the ability of physical and logical tampering.”
Leach said the decryption environment — the endpoint where the data is unencrypted in the payment process — is the most critical part of the payment process. Decryption and key management typically take place at the acquirer or in the payment processor environment. The council needs to address larger merchants that are decrypting the data within their environment for loyalty programs and other initiatives, Leach said. The goal is to minimize the systems between the two points in the encryption process.
In addition, the PCI SSC is looking to further develop a key management standard, Leach said. Requirements 3.5 and 3.6 of PCI DSS address key management at a high level for merchants. A new key management standard would be more in-depth, outlining the controls that need to be in place for detailed validation by a QSA.
“The decryption point is possibly the most critical area because once decrypted, that information will be in clear text in that environment, so the ability to demonstrate PCI DSS compliance and how those keys are managed is extremely important.”
Heartland CIO Steven Elefant, who is overseeing the deployment of Heartland’s E3 technology among about 5,000 Heartland merchants, said his company’s technology shouldn’t be described as “point-to-point” encryption. Heartland is trying to distinguish itself from other vendors that use software to encrypt credit card data. E3 uses hardware modules to perform the encryption and decryption.
“Our end-to-end solution certainly falls within the guidelines of what PCI calls point-to-point, but there is a distinction. By end-to-end we mean from the time the card is swiped until we deliver it to the brands; that’s truly end-to-end,” Elefant said. “It’s everybody’s intention to make this process as secure as possible and unfortunately the weak links tend to be at the edges.”