QSAs Look For PCI Guidance On Encryption, Tokenization

A large number of Qualified Security Assessors (QSAs) believe that tokenization is the emerging data protection technology the PCI DSS Security Standards Council (PCI SSC) is most likely to address in the organization's October 2010 update. That's according to a new survey by the Ponemon Institute: PCI DSS Trends 2010: QSA Business Report. The institute surveyed 155 QSAs. The report was commissioned by Thales e-Security. QSAs are the organizations responsible for policing the PCI Data Security Standard. The largest number of respondents--41 percent--identified tokenization among four technologies that can be used to protect data and reduce the cost of compliance.

Tokenization has been a hot-button issue for PCI compliance; it relieves merchants of the need to keep credit card numbers on file and protect them. The technology substitutes a token, a dummy value linked to the card number, for transactions. A merchant can outsource this type of payment processing to a service provider--or develop the capability in-house. Tokenization is one of the options--along with encryption, available to fulfill PCI Requirement 3.4 to render card data unreadable.

Another 28 percent of QSAs thought the council would address end-to-end encryption, with the balance expecting to see guidance on the use of magnetic stripe information or virtual terminals, which removes credit card processing from POS. End-to-end encryption is another option that is drawing interest, encrypting data throughout its lifecycle, from the point of sale (POS) device, in transmission and at rest on the back end. Tokenization vs. end-to-end encryption sparked a lively vendor-on-vendor debate last year, between encryption vendor Voltage Security, which partnered with Heartland Payment Systems, and RSA, which partnered with First Data Corp., which combines RSA's token technology with encrypted storage on First Data's infrastructure.

"In both cases, sensitive data is still being stored in encrypted form, said Richard Moulds, Thales VP of Product Strategy. "The question is where encryption happens, but encryption is still part of the story. However, encryption has an Achilles Heel. QSAs are concerned that even if credit card data is encrypted, the requirement may or may not be fulfilled depending on key management and encryption methods. "Key management is the most difficult part of the encryption process," says Larry Ponemon, the institute's chairman and founder. "It can get really sloppy; if key management is not effective and doesn't meet the business needs of an organization, the whole process of encryption falls apart. You can lose data permanently or just grant too much access, making it too easy for people to see the good stuff."

QSA audits are expensive, especially for Level 1 merchants, which pay an average of $225,000 for an annual assessment, according to the survey. Tier 2 merchants, which are permitted to perform self-assessments and therefore are not required to undergo QSA audits, nevertheless pay an average $103,000 annually when they choose to do so.