By Elizabeth Whitney, Technical Writer
Accudata Systems’ Senior Technology Manager Josh Berry recently attended the 2015 North America Community Meeting of the Payment Card Industry (PCI) Security Standards Council (SSC) in Vancouver. This year’s theme – Educate, Empower, Protect – was focused on the power of collaboration to counter what the bad guys are already doing: sharing information and growing as a community.
I sat down with Berry, a Qualified Security Assessor (QSA), to learn the highlights of his trip to Vancouver:
- Updated Point-to-Point Encryption (P2PE) payment application and solution requirements: In order to make the standard simpler to understand, the PCI SSC has released updated requirements for validated P2PE solutions, which, Berry said, will drive interest from P2PE application developers to have their solutions validated. P2PE applications encrypt payment card data for transit, rendering the data less valuable if stolen in a breach. Having more validated options is good news for merchants for whom PCI scope reduction can often be a gray area. According to Berry, having more validated options will enhance adoption of P2PE solutions, effectively simplifying compliance efforts through scope reduction. One meeting session, in particular, helped illustrate the value of P2PE technologies: Caesars Entertainment, a large hospitality organization that processes payments in a complex environment, detailed their multi-year project to implement P2PE at nearly 40 locations across over a dozen states.
- Enhanced Point-of-Sale (POS) vendor-supplied guides for security and compliance: The PCI SSC has also released updated requirements for POS vendors to supply more rigorous Payment Application (PA) Data Security Standard (DSS) implementation guides. Clearer, more specific, and more far-reaching requirements will lead to more usable guides and to more streamlined, less costly compliance efforts. This is an especially welcome development for QSAs and merchants alike: more detailed and specific guides will help merchants implement POS applications in a compliant manner, and they will help QSAs evaluate the merchant implementation and validate compliance more efficiently. And, as Berry pointed out, “customers will simply know they can expect better guides to ensure their payment applications are implemented securely.”
- Working towards a more risk-based approach to PCI compliance: Perhaps the most exciting development of the meeting, according to Berry, was the importance placed on developing a risk-based approach to compliance. “Simply put,” Berry said, “considering risk means being better able to allocate resources.” While the PCI SSC did not provide details, transitioning to this approach will give merchants a more informed understanding of the risks most often associated with major breaches, allowing them to prioritize compliance activities accordingly, effectively increasing a merchant’s return on investment in compliant technologies and, ultimately, making cardholder data more secure.
This is where collaboration becomes key: merchants, vendors, acquirers, associations, and issuers all have a role to play in securing cardholder data and helping to frame the compliance standards that the SSC develops. A diversity of perspectives all focused on risk, combined with more reliable information and increased adoption, means more secure data.