
PCI Security Standards Council releases supplemental Guidance on EMV and point-to-point encryption

Thursday 7 October 2010 11:19 CET | News

Global industry standards body the PCI Security Standards Council (PCI SSC) has released new guidance papers on the use of point-to-point encryption (P2PE) and EMV technologies in a payment card data environment.

Aimed at providing the market with greater clarity on how specific technologies relate to the PCI Security Standards and impact PCI DSS compliance, these papers are the first in a series of guidance documents the Council has committed to delivering as part of its ongoing assessment of emerging technologies.

The guidance seeks to help the merchant community understand how these technologies help define or reshape the cardholder data environment, evaluate their impact on PCI DSS compliance efforts, and identify future potential for P2PE and EMV technologies.

Titled "PCI DSS Applicability in an EMV Environment" and "Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance," the whitepapers are products of collaborative initiatives led by the Council's Technical Working Group (TWG) and Special Interest Groups (SIGs) in conjunction with the Council's constituents and industry experts including cryptographers, forensic investigators, standards bodies, PIN Transaction Security (PTS) labs, Qualified Security Assessors (QSAs) and vendors.

While EMV can substantially reduce fraud in card-present transactions, the EMV guidance paper advises adopters that it does not automatically satisfy all PCI DSS requirements for the protection of cardholder and sensitive authentication data. In EMV environments, EMV technology and PCI DSS together provide the greatest level of security for cardholder data throughout the transaction process.

Currently, no global standardization of point-to-point encryption technology or validation of its implementation exists in the industry. However, by providing this new guidance on P2PE, the Council has taken the first step by definitively stating that P2PE may simplify PCI DSS compliance by reducing the scope of the cardholder data environment.

In identifying the environments that still require the security protection of the PCI DSS, the guidance determines that P2PE solutions do not eliminate the need to maintain PCI DSS compliance for specific systems. It also recognizes the need for a set of criteria to validate the effectiveness of P2PE solutions, so that merchants can have confidence that the solution they deploy properly secures cardholder data; the Council plans to develop and release these criteria in 2011.

The PCI Security Standards Council (PCI SSC) provides management of the Payment Card Industry Data Security Standard (PCI DSS), PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS).



Keywords: PCI Security Standards Council, PCI SSC, EMV, Point-to-point encryption
Categories: Payments & Commerce
Countries: World