At the PCI SSC Community Meeting last week, the biggest highlight was the presentation of a report the group had commissioned from PricewaterhouseCoopers (PWC). This first presentation of the PWC report on PCI Emerging Technologies made it clear that by expanding the technological scope of PCI DSS, companies will be able to reduce the scope of their PCI compliance efforts. High priorities over the next year will be end-to-end encryption, tokenization and virtual terminals. But is it safe to act now?
It's clear that Fortune 1000 merchants still harbor their distaste for PCI DSS and their distrust of the process. And it's fair to say that many merchants actually hate the PCI standards and their purveyors. At last week's meeting, the Standards Council and the card brands attempted to embrace their detractors via the oft-repeated "we want your feedback" refrain. The response? The merchants in attendance were generally well behaved in public (perhaps they fear reprisals), and there were no reported fistfights, as much fun as that would have been.
I think one of the reasons for the less-than-hostile response was the PWC report itself, which was the highlight of the event. The report made it clear that the SSC (and, presumably, the card brands) were open to making some much-needed changes to the standards. Most of the changes that seem likely in the near term will involve embracing some increasingly popular security approaches that focus on reducing the scope (footprint) of credit card data in the typical organization.
The consultants at PWC began with an analysis of 12 security technologies that emerged from 160 interviews with industry players, and then narrowed the list for their “deep dive” investigation to several that they concluded had the best potential to be automated, could be integrated with existing infrastructures and could have a meaningful potential impact on PCI scope, rather than being treated simply as compensating controls. The three technologies they chose were end-to-end encryption, tokenization and virtual terminals, all of which have the potential to significantly reduce the size and scope of the credit card data environment in most companies and, thereby, reduce PCI compliance management costs and security breach costs.
The implications of the PWC report, once its recommendations are integrated (in a to-be-determined way) into the PCI SSC standards, will challenge the security strategies and architectures of most Fortune 1000 companies. Essentially, all three approaches PWC studied are focused on shifting the storage of credit card data outside the enterprise. That's outsourcing. Not the most popular term in large IT shops, which have spent millions of dollars on enterprise security programs: "defense-in-depth" security architectures to protect confidential data, of which credit card data is but one type. Even as the corporate IT security philosophy aims to "protect digital assets," merchants have been extremely vocal at the CEO and CFO levels about not wanting the credit card data on their systems. So how will the PCI SSC and merchants respond to these conflicting priorities? There are a couple of distinct scenarios.
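To make the scope-reduction argument concrete, here is an added illustration (not from the post, PWC or the SSC) of the tokenization approach: a hypothetical outsourced token vault is the only place the PAN lives, the merchant keeps a token plus a truncated PAN, and a simple scope scan over the merchant's records confirms no full PAN remains. The vault class, the record layout and the sample card number are all constructed for this example.

```python
import re
import secrets
import string

# Constructed sample PAN (the widely used Visa test number); not real cardholder data.
SAMPLE_PAN = "4111111111111111"
TOKEN_ALPHABET = string.ascii_letters  # letters only, so a token can never look like a PAN


def luhn_ok(digits: str) -> bool:
    """Luhn check that real PANs satisfy; used to cut false positives in the scope scan."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical stand-in for the outsourced token service: the only place a PAN is kept."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if pan not in self._token_by_pan:
            token = "tok_" + "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(20))
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def record_order(vault: TokenVault, order_id: str, pan: str, amount: float) -> dict:
    """What the merchant keeps: the token and a truncated PAN (last four), never the full PAN."""
    return {"order_id": order_id, "card": vault.tokenize(pan), "last4": pan[-4:], "amount": amount}


def find_pans(records: list) -> list:
    """Scope scan: (order_id, field) for every Luhn-valid 13-19 digit run found in stored values."""
    hits = []
    for rec in records:
        for field, value in rec.items():
            for run in re.findall(r"\d{13,19}", str(value)):
                if luhn_ok(run):
                    hits.append((rec["order_id"], field))
    return hits
```

Running `find_pans` over records built with `record_order` returns nothing, while the same scan over records that store the raw PAN flags them; that difference is the scope reduction the report is pointing at.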
For the last four to five years, companies have been told that achieving PCI compliance is much easier if they segment their network. Otherwise, all their corporate systems are in PCI scope. But network segmentation is not a PCI standard, per se. If an organization wants to keep its entire network and the connected systems in scope, that is up to the company's management. One possibility is that the PCI SSC could elect to treat tokenization, end-to-end encryption and virtual terminals the same way. This approach would keep the changes to the standards to a minimum. Plus, it would only necessitate the development of formal QSA and merchant training for each of these technologies and for how the effectiveness of various implementation options should be measured. The QSAs would wind up owning most of the problem, and the SSC could market how it is embracing the latest technological directions without doing a major rewrite of the DSS.
Another option is to modify the PCI standards by detailing a series of outsourcing options that would include virtual terminals (POS outsourcing), tokenization or end-to-end encryption. Logically, this approach could be written as an extension of Requirement 12.8, which focuses on service providers that handle credit card data. Other requirements (such as 3.4 and 3.6) may need their encryption and key management assessment procedures modified to address the scenario where encryption keys are not retained by the merchant at all. The purpose of making such changes to the standards would be to clarify several scenarios where systems and procedures can be deemed "out of scope" for PCI compliance reviews. Again, the actual wording will have to give leeway for interpretation to the QSAs and self-assessors. But by presenting scenarios and testing procedures, the PCI SSC can more clearly show how these technologies reduce PCI compliance scope.
The Bottom Line
There are a lot of different options for changing the PCI DSS that I didn't address here, because it's still pretty early in the process. But I do think it is important for companies to begin to discuss their plans now. I also think this report and its presentation at the SSC meeting are solid evidence that investments in these technologies are "safe" and that the SSC is not going to turn around and suggest they are invalid or non-compliant. As always, if you'd like to discuss this topic, just visit the PCI Knowledge Base and fill out our "Contact us" form, or send me an e-mail at [email protected].