Visa’s just announced best practices are designed to provide guidance and give tacit endorsement to existing end-to-end encryption and, to some extent, tokenization. Merchants are likely to see it as “something else to do” and as further evidence that the card brands will continue to go their own way relative to data security despite the PCI DSS industry standards.
The first thing I noticed in Visa’s new Data Field Encryption Best Practices (DFEBP) V1.0 (apart from the fact that it decided not to follow the industry convention of calling it end-to-end encryption) is the statement that these best practices are designed to “compliment, rather than substitute for PCI DSS.”
To me, this suggests that bankers, merchants, service providers and (of course) vendors who have suggested that end-to-end encryption will somehow substitute for, or eliminate the need for, PCI DSS compliance are getting ahead of themselves. As with Visa’s Payment Applications Best Practices (PABP), which have become a “separate” standard (PA-DSS), the implication is that DFEBP may stand along side PCI DSS as a separate standard.
(See industry reaction—and a worst-case scenario—of the Visa guidelines.)
But DFEBP should not be “all that bad” for merchants who outsource payment processing or who use relatively current software and systems.
The first four best practices focus on how to limit access to card data in clear text and are only slight clarifications of wording already contained in PCI DSS. For example, the use of standard encryption algorithms, allowing the first six and last four digits to be left in the clear and not storing authentication data post authorization. I suspect that much of what’s contained in the best practices is simply there to present a more comprehensive view of encryption in one document rather than to only focus on the “new stuff.”
I suspect that Visa wants to use these best practices to point the way toward greater synchronization between the ANS X9 standards and PCI DSS and to remind people that in addition to driving the industry standards, they also lead and/or participate in most of the relevant X9 committees. This is important, because several of the leading advocates of end-to-end encryption have invoked ANS X9 in a way that suggests they think it’s not dominated by the card brands, which isn’t really true.
For the last four to five years, companies have been told that achieving PCI compliance is much easier if they segment their network. Otherwise, all their corporate systems are in PCI scope. But network segmentation is not a PCI standard, per se. If an organization wants to keep its entire network and the connected systems in scope, it’s up to the company’s management.
One possibility is that the PCI SSC could elect to treat tokenization, end-to-end encryption and virtual terminals the same way. This approach would keep the changes to the standards to a minimum, and it would only necessitate the development of formal QSA and merchant training on each of these technologies and on how to measure the effectiveness of various implementation options. The QSAs would wind up owning most of the problem, and the SSC could market how it is embracing the latest technological solutions, without doing a major rewrite to the DSS.
Another option is to modify the PCI standards by detailing a series of outsourcing options that would include virtual terminals (POS outsourcing), tokenization or end-to-end encryption. Logically, this approach could be written as an extension of 12.8, which focuses on service providers that handle credit card data. There may be other standards (such as 3.4 and 3.6) in which encryption and key management assessment procedures would have to be modified to address the scenario where merchants do not retain encryption keys. The purpose of making such changes to the standards would be to clarify several scenarios where systems and procedures can be deemed to be “out of scope” for PCI compliance reviews. Again, the actual wording will have to include leeway for interpretation to the QSAs and self-assessors. But by presenting scenarios and testing procedures, the PCI SSC can more clearly show how these technologies are reducing PCI compliance scope.
There are a lot of different options for changing the PCI DSS that I didn’t address here, because it’s still pretty early in the process. But I do think it is important for companies to begin now to discuss their plans. I also think this report and its presentation at the SSC meeting are solid evidence that investments in these technologies are “safe,” and that the SSC is not going to turn around and suggest that they are invalid or non-compliant. As always, if you’d like to discuss this topic, visit thePCI Knowledge Base and fill out our “Contact us” form or send me an E-Mail at David.Taylor[email protected].