PCI: New Guidance for EMV, Encryption

PCI Council Issues Recommendations for Emerging Tech
The Payment Card Industry Security Standards Council Tuesday officially released guidance on emerging technologies, including the Europay, MasterCard, Visa standard and point-to-point encryption. The council discussed the guidance in late September, during its North American Community Meeting.

The council's approach with regard to emerging technologies:

  • To provide ongoing assessments of emerging technologies and their impact on payment card security;
  • To offer recommendations on the use of specific technologies in relation to the Payment Card Industry Data Security Standard.

In a nutshell, the council's guidance papers do not introduce new or additional requirements for compliance with PCI standards, nor do they serve as an endorsement of one technology, such as EMV, over another, a PCI spokesman says.

But the step toward guidance on emerging technology is a good one, most in the PCI community agree. Despite criticism for its lack of changes this year to the PCI-DSS and the Payment Application Data Security Standard, the council's guidance on emerging technology is expected to help merchants and other payments players make more informed decisions about technology investments.

Jeremy King, head of the council's European arm, and Troy Leach, the council's chief standards architect, say EMV and point-to-point, or P2P, encryption are just two emerging technologies for which the council expects to release ongoing guidance. Guidance will evolve over time, Leach says.

"What are the domains that we need to determine are secure? And what does that roadmap look like going forward? These are things we are addressing," he says.

End-to-end or P2P encryption, Leach says, could simplify compliance with the PCI DSS. "We plan to educate our stakeholders, but it's going to require the involvement of special interest groups," he says. "I think if we form the right partnerships, we form the right teams, we can make valuable changes in this area."

The council is expected on Oct. 28 to release official clarifications for the PCI DSS, but the clarifications do not include new requirements. In August, the council released a brief summary of expected changes to the standard. "We're going into our third generation on a lot of the standards, and we're trying to do a better job to make sure each (standard) has its own specs," King says.

About the Author

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
