It’s 2015 and we're being told not to send credit cards as cleartext
PCI Council policy update lets security admins play with crypto LEGO
The Payment Card Industry (PCI) council has reviewed its guidance to encourage businesses to stop slinging credit card data in cleartext by giving the tick to encryption solutions built from different components, rather than only to products that handle every step of the data's journey from merchant to banker.
The change is reflected in the latest Payment Card Industry Data Security Standard guidance, PCI Point-to-Point Encryption Solution Requirements and Testing Procedures Version 2.0, and means bits and pieces of encryption wares can be certified, rather than only the overarching kit.
Encryption slingers will now also be able to eat their dog food and use their certified point-to-point crypto (P2PE) kit where they operate point of sales systems.
The new security guidance (PDF) is designed to encourage organisations to use point-to-point encryption to enhance security and simplify compliance with the code.
Council chief technology officer Troy Leach says he hopes to devalue credit card data in the eyes of thieves.
“Malware that captures and steals data at the point-of-sale continues to threaten businesses and their ability to protect consumers’ payment information,” Leach says in the canned statement (PDF) announcing the new guidance.
“As these attacks become more sophisticated, it’s critical to find ways to devalue payment card data.
“PCI point-to-point encryption solutions help merchants do this by encrypting cardholder data at the earliest point of acceptance, making that data less valuable to attackers even if compromised in a breach.”
The council wheeled out Honeybaked Ham's IT head Bill Bolton to spruik the benefits of P2PE on the back of the company's crypto deployment.
“To meet that challenge, we’ve worked with a P2PE solution provider to adopt a PCI-validated P2PE payment solution across all our stores in a simplified and cost effective way,” Bolton says.
Under the updates, merchants can themselves manage P2PE solutions for point-of-sale locations, separating duties, systems, and functions between encryption and decryption environments, or pay a provider to do that for them. ®
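As an added illustration, not code from the article or from the PCI Council, the Go program below sketches the split the guidance describes: the terminal environment holds only a public key and encrypts the card number at the point of acceptance, so a compromised point-of-sale process retains nothing but ciphertext, while the separate decryption environment holding the private key is the only place cleartext reappears. The use of RSA-OAEP, the type names and the sample card number are assumptions of this sketch; a validated P2PE solution relies on hardware-based key management inside the card reader, which is not modelled here.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// oaepLabel binds ciphertexts to this demo; both environments must use the same value.
var oaepLabel = []byte("p2pe-demo")

// Terminal models the encryption environment (the point of acceptance).
// It is given only the public key, so it can encrypt but never decrypt.
type Terminal struct {
	pub *rsa.PublicKey
	mem []string // constructed stand-in for what the POS process retains after a swipe
}

// Decryptor models the separate decryption environment (a provider, or a
// merchant system segregated from the POS network). Only it holds the private key.
type Decryptor struct {
	priv *rsa.PrivateKey
}

// NewDecryptor generates the key pair that anchors the P2PE zone.
func NewDecryptor() (*Decryptor, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Decryptor{priv: priv}, nil
}

// ProvisionTerminal hands a terminal the public key only.
func (d *Decryptor) ProvisionTerminal() *Terminal {
	return &Terminal{pub: &d.priv.PublicKey}
}

// Accept encrypts the PAN immediately and retains only the ciphertext.
// In a real terminal this happens inside the reader; here it is a function call.
func (t *Terminal) Accept(pan string) ([]byte, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, t.pub, []byte(pan), oaepLabel)
	if err != nil {
		return nil, err
	}
	t.mem = append(t.mem, hex.EncodeToString(ct))
	return ct, nil
}

// RetainsCleartext reports whether a given string is present in the terminal's
// retained state, i.e. what memory-scraping malware on the POS would find.
func (t *Terminal) RetainsCleartext(s string) bool {
	for _, m := range t.mem {
		if strings.Contains(m, s) {
			return true
		}
	}
	return false
}

// Decrypt recovers the PAN inside the decryption environment.
func (d *Decryptor) Decrypt(ct []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, d.priv, ct, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	dec, err := NewDecryptor()
	if err != nil {
		panic(err)
	}
	term := dec.ProvisionTerminal()
	pan := "4111111111111111" // constructed test PAN, not a real card
	ct, err := term.Accept(pan)
	if err != nil {
		panic(err)
	}
	fmt.Println("POS retains cleartext PAN:", term.RetainsCleartext(pan))
	got, err := dec.Decrypt(ct)
	if err != nil {
		panic(err)
	}
	fmt.Println("decryption environment recovered PAN:", got == pan)
}
```

The point of the sketch is the asymmetry: nothing on the terminal side can turn the ciphertext back into a card number, so a breach of the POS network yields data that is worthless without a separate compromise of the decryption environment.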