Posts from ‘PCI Security Standards Council Community Meeting’
I just returned from the PCI Security Standards Council Community Meeting. It was great to spend a couple of days talking tech and trends with other security experts.
The hottest trend this year in the payment security industry is “tokenization”. This technology lifts credit card numbers out of a data set and replaces them with unique one-way tokens (e.g., “234cew23”). The original credit card numbers are stored in a “secure token vault” and may only be retrieved by authorized people and processes that present a separate set of credentials (preferably two-factor credentials).
Businesses find tokenization compelling because PCI requirements state that data sets containing credit card numbers must be treated with more care than data sets without them (e.g., just your name, expiration date, etc.). The higher degree of care often translates into full encryption, good key management, regular key rotation and a host of other security controls. All these extra controls cost money, so if businesses can ratchet down the sensitivity of their data with tokenization, they can save money by not having to implement (or audit) those other controls.
Anyone buying in at this stage would be an early adopter: the Council has not yet endorsed the use of this technology. However, the Council has formed a working group to come up with specific guidance (e.g., are hashes OK, if so, which ones, are unique IDs OK, etc.), so some level of future acceptance seems likely. So far the working group has only provided a definition of the technology (essentially, the one I provided above). However, a draft recommendation from the Council with specifics is expected around the new year.
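To make the vault-and-token arrangement concrete, here is a small Python token vault. It is an added illustration, not code from the original post, from Ipswitch, or from any Council guidance, and it makes several assumptions that are mine: tokens are random strings with no mathematical relationship to the card number, the vault protects stored numbers with a keystream built from HMAC-SHA256 (a dependency-free stand-in for real at-rest encryption such as AES-GCM with keys in an HSM), and a pre-shared per-operator secret stands in for a real second authentication factor. The sample order record and the card number in it are constructed test data.

```python
"""Illustrative token vault (added example, not Ipswitch or PCI Council code)."""
import hashlib
import hmac
import secrets
import string

TOKEN_ALPHABET = string.ascii_lowercase + string.digits

# Constructed sample record. 4111111111111111 is a well-known test PAN, not a live card.
SAMPLE_ORDER = {"order_id": "A-1001", "name": "J. Doe", "pan": "4111111111111111",
                "exp": "12/27", "amount": "42.00"}


def luhn_valid(pan: str) -> bool:
    """Reject malformed input before anything reaches the vault."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stand-in for at-rest encryption: HMAC-SHA256 keystream in counter mode.
    Assumption of this example; a production vault would use AES-GCM and an HSM."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class TokenVault:
    def __init__(self, vault_key: bytes, operators: dict):
        # operators: principal -> second-factor secret (assumed stand-in for real 2FA)
        self._key = vault_key
        self._index_key = hmac.new(vault_key, b"pan-index", hashlib.sha256).digest()
        self._operators = operators
        self._records = {}   # token -> (nonce, protected PAN bytes)
        self._index = {}     # keyed fingerprint of PAN -> token, so a repeat PAN reuses its token
        self.audit_log = []  # (decision, principal, token)

    def _new_token(self) -> str:
        # Random, not derived from the PAN: holding the token reveals nothing about the card.
        while True:
            tok = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(8))
            if tok not in self._records:
                return tok

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        # Keyed HMAC rather than a bare hash: a bare SHA-256 of a PAN is brute-forceable
        # because the space of valid card numbers is small.
        fingerprint = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        if fingerprint in self._index:
            return self._index[fingerprint]
        token = self._new_token()
        nonce = secrets.token_bytes(16)
        self._records[token] = (nonce, _keystream_xor(self._key, nonce, pan.encode()))
        self._index[fingerprint] = token
        return token

    def detokenize(self, token: str, principal: str, second_factor: str) -> str:
        """Only an authorized principal presenting its second factor gets the PAN back."""
        expected = self._operators.get(principal)
        if expected is None or not hmac.compare_digest(expected, second_factor):
            self.audit_log.append(("DENY", principal, token))
            raise PermissionError("detokenization requires an authorized principal and a valid second factor")
        nonce, protected = self._records[token]      # KeyError for an unknown token
        self.audit_log.append(("ALLOW", principal, token))
        return _keystream_xor(self._key, nonce, protected).decode()


def tokenize_record(vault: TokenVault, record: dict) -> dict:
    """Return a copy of the record with the PAN swapped for its token.
    The copy no longer carries cardholder data and can live in lower-sensitivity systems."""
    out = dict(record)
    out["pan"] = vault.tokenize(record["pan"])
    return out


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32), {"settlement-batch": "second-factor-demo"})
    safe = tokenize_record(vault, SAMPLE_ORDER)
    print("stored record:", safe)
    print("settlement sees:", vault.detokenize(safe["pan"], "settlement-batch", "second-factor-demo"))
```

The two properties worth noticing are that the token carries no information about the card (it is random, so there is nothing to invert), and that the only deterministic link between card and token is an HMAC under a key the vault never shares, which is the difference between “is a hash OK?” and a keyed construction that does not hand an attacker a guessable preimage.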
Today, the PCI Security Standards Council announced several changes to the PCI DSS standard that directly apply to file transfer applications. These include:
- Adding references to SSH as a secure protocol (SSL/TLS was already mentioned).
- Explicit consideration of virtual machines and virtualization hypervisors as “in scope” during PCI audits. (As predicted by my March blog post.)
- Changing key rotation requirements from “at least annually” to “based on industry best practices and guidelines”.
- Splitting some identity and authentication requirements for users, “non-consumers” and administrators.
- Increasing the importance of security around accurate timekeeping, especially as it pertains to audit logs. (Coordinated and reliable timestamps are helpful during civil and criminal investigations as well as internal forensics investigations.)
The council also gave notice that a process to classify and rank vulnerabilities by risk valuations (e.g., value of asset times exposure) would be required by June 30, 2012 – details to come later.
These changes were among the many announced by Technical Working Group Chairperson Emma Sutcliff during the general sessions at the PCI Council Community Meeting in Orlando, Florida. Complete written lists of all changes and full copies of the proposed v.2.0 PCI DSS standard were also shared with all PCI Council Community members, including Ipswitch and approximately fifty of Ipswitch’s customers in attendance at the conference.
In the next few weeks these documents will be finalized and released, and implementation of the PCI DSS v.2.0 standard will begin with Reports of Compliance (“ROCs”) filed on or after January 1, 2011. Additional PCI Council draft documents on emerging technologies are also expected by October 5 of this year (and periodically after that); as these become available I will continue to share what I can about them with the wider file transfer community.
Tonight I’m blogging from the PCI Council Community Meeting here in Orlando, FL. Tomorrow we’ll be talking about the new changes in version 2.0 of the PCI DSS audit requirements (set to go into effect in 2011), but tonight was the welcome reception for the 1000 attendees here at the Buena Vista Palace Hotel.
Participation in the PCI Council Community Meeting conference is on the rise. Two years ago there were about 500 attendees from 300 participating organizations – now the numbers have roughly doubled. There are probably two major factors behind this.
One factor is the de facto status of PCI DSS as one of the gold standards of information security. When five competing credit card companies came together in 2004 to publicly agree on a single security standard there was much rejoicing throughout the industry. And the standard has held up: though major releases have come every two years, the original twelve categories and most of the subcategories remain essentially unchanged from the original.
The second factor is the ever-widening circle of companies that fall under the scope of PCI compliance. Originally it was large credit card processors and retailers, but in recent years even companies that only handle a few dozen credit card transactions a year have had to take notice. And as the scope widens, there are more people who want their voices to be heard in the decision-making process, which is where this week’s conference comes in.
I’ll be posting a few more items about this conference in the next few days – please stay tuned.
Ipswitch’s Jonathan Lampe will be attending this week’s PCI Security Standards Council Community Meeting in Orlando, FL. He’ll be blogging from the event to keep us updated on discussions about the new PCI DSS 2.0 and other key Council initiatives.
As part of its ongoing mission, the PCI Security Standards Council enhances and evolves the PCI Data Security Standard as needed to ensure that it includes any new or modified requirements necessary to mitigate emerging payment security risks, while continuing to foster wide-scale adoption. We anticipate some very interesting forum conversations reviewing and discussing how the PCI DSS should evolve with this next release.
In the meantime, we thought you’d want to watch this great video from the PCI Security Standards Council website. BTW, the bearded singer is Bob Russo, the PCI Council’s General Manager. Great job with the video, Bob!