Thursday, September 24, 2009

PCI SSC Community Meeting and Emerging Technologies

The PCI SSC Community Meeting just concluded. I only attended one of the three days and that was enough for me. I fully admit I have a lot of nerd-like tendencies, but apparently not enough to make a three-day event on security exciting. To me, there were four highlights: the food did not kill anyone, the cocktail event was hosted, Bob Russo does a decent Elvis, and the Emerging Technologies session.

Highlights 1, 2 & 3, I'll just leave it at that. If you want more details, I urge you to attend the next community meeting.

The Emerging Technologies session had several points of interest but it left me wanting more. In a nutshell, PCI SSC contracted PricewaterhouseCoopers (PwC) to evaluate and create a report on emerging technologies and how they impact PCI. The summary given at this meeting was a 100,000 foot view of various emerging technologies – yes, 100,000 foot view, not the more common 50,000 foot view. While they made it a point that the report in no way endorsed any one technology and the report was not intended to rate the technologies, they did detail the four most popular technologies: End-to-End Encryption, Tokenization, Virtual Terminal, and Magnetic Swipe Authentication.

Magnetic Swipe Authentication technologies address card-present fraud, but do not really address any PCI security or scoping issues, so I'll skip that one. The other three? Yeah, and it's about time! While I don't agree with some details of how they rated cost vs. reward vs. impact in different categories, I gave PwC a little leeway because they were bundling multiple vendor solutions into fairly broad categories.

The only category rating that really stuck out like a sore thumb was the business impact of end-to-end encryption vs. tokenization – they gave end-to-end a lower business impact rating (more favorable) than tokenization. Shift4 provides solutions that straddle all three technologies (end-to-end, tokenization, and virtual terminal) and from experience, tokenization has far less impact on the business flow than end-to-end. Reason being, the merchant systems never have access to the card number. While security-wise this is a plus for end-to-end, business-impact-wise there are a lot of gotchas. One example is that many risk and customer loyalty systems use the card number (or, more preferably, a hash of the card number) as a key to look up the customer. Stronger forms of encryption produce non-repeatable results when the same information is encrypted, so this simple process of a customer lookup becomes problematic.
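To make the customer-lookup gotcha concrete, here is an added illustration (my own example code, not Shift4's or PwC's) of why a randomized cipher breaks a lookup-by-card-number while a keyed hash or a vault token still works. The cipher below is a stand-in for AES-CTR with a fresh nonce built from SHA-256 so it runs on the standard library; the sample PAN is a standard test number, and the hypothetical `TokenVault` is a minimal sketch of a tokenization service.

```python
import hashlib
import hmac
import secrets

# Constructed sample PAN (a standard test number, not a real card).
SAMPLE_PAN = "4111111111111111"


def randomized_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for a randomized cipher such as AES-CTR with a fresh nonce.
    A new 16-byte nonce is drawn per call, so encrypting the same PAN twice
    yields two different ciphertexts: useless as a lookup key. The keystream
    is derived with SHA-256 as the PRF only so this runs without extra libs."""
    nonce = secrets.token_bytes(16)
    keystream = b""
    counter = 0
    while len(keystream) < len(plaintext):
        block = key + nonce + counter.to_bytes(4, "big")
        keystream += hashlib.sha256(block).digest()
        counter += 1
    return nonce + bytes(p ^ k for p, k in zip(plaintext, keystream))


def lookup_key(secret: bytes, pan: str) -> str:
    """Deterministic, keyed fingerprint of the PAN for customer lookup.
    HMAC rather than a bare hash: the 16-digit PAN space is small enough
    that an unkeyed hash table can be brute-forced if it leaks."""
    return hmac.new(secret, pan.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Minimal tokenization sketch: the token is random and carries no PAN
    information, but the vault hands back the same token for a repeat PAN,
    so merchant loyalty/risk systems can key on the token instead.
    (In a real service the PAN index itself is protected, not a plain dict.)"""

    def __init__(self) -> None:
        self._by_pan: dict[str, str] = {}
        self._by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan not in self._by_pan:
            token = secrets.token_hex(8)
            self._by_pan[pan] = token
            self._by_token[token] = pan
        return self._by_pan[pan]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]
```

Run `randomized_encrypt` twice on the same PAN and compare the outputs against two calls of `lookup_key` or `TokenVault.tokenize` to see which of the three can serve as a stable customer key.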

All in all, just the fact that the PCI SSC is seriously looking at these emerging technologies is promising whereas heretofore, they have always brushed this off as a risk/compliance judgment call for the acquiring banks. I can't wait to see what PCI SSC does with this information and I hope they publish the PwC report.

I will mention one note that I feel was a lowlight: Some of the questions in the Q & A sessions, I'm pretty sure, were asked in similar events three and four years ago. The root cause of the biggest areas of confusion stems from the gap between security and compliance. Bob Russo is the first to state the PCI SSC has nothing to do with "compliance" – instead, PCI is the keeper of the security standards. Yet the card brands dictate that PCI compliance is mandatory.
