7/1/2015
04:00 PM
PCI Update Paves Way For Expanding Point-to-Point Encryption

Move appears designed mainly for large organizations and big-box retailers looking to lock down payment card security.

The PCI Security Standards Council, which administers the payment card industry data security standard, has made it easier for large merchants to implement point-to-point encryption (P2PE) for protecting cardholder data.

The Council this week updated its requirements to give merchants more choice and flexibility in the components they use for point-to-point encryption. One of the key features in the Council's new P2PE Version 2.0 is a provision that allows covered entities to implement and manage their own encryption tools at their point of sale systems, so long as those tools are compliant with PCI requirements.

Another update gives encryption vendors and service providers more leeway in the components that they use to deploy P2PE at customer locations. Going forward, the Council will also list approved encryption components and services that organizations can use to encrypt their data.

The updates are designed to help organizations better protect cardholder data against compromise at the point of sale, PCI Council chief technology officer Troy Leach said in a statement announcing the update. "Malware that captures and steals data at the point-of-sale continues to threaten businesses and their ability to protect consumers' payment information," Leach said. Encrypting the data makes it valueless to an attacker who steals it, he said.

The goal of P2PE is to protect cardholder data from the instant a card is swiped or dipped at the POS terminal until it reaches the card processor's decryption environment. Solutions marketed as "end-to-end encryption" are not validated against the Council's standard; a P2PE solution encrypts the data inside a tamper-responsive, PCI-approved device at the point of acceptance, using keys the merchant's POS software never holds, so the data stays encrypted as it crosses the merchant's network. That is meant to make it harder for attackers to steal card data with POS malware such as BlackPOS, Dexter, vSkimmer, and Backoff. Such tools typically scrape the memory of the POS application, where track data sits in the clear between the swipe and transmission to the processor; if only ciphertext ever reaches that memory, the scraper finds nothing it can use.
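The following toy model, added here as an illustration and not code from the article, the Council, or any listed P2PE vendor, shows why the distinction matters to a memory scraper. It runs the kind of search BlackPOS-style malware performs (a track 2 pattern followed by a Luhn check) over two constructed snapshots of POS process memory: one where the POS software handled track data in the clear, and one where a PIN entry device encrypted the track before the POS host saw it. The device key, the key serial number (KSN), the process-memory layouts and the test card numbers are all constructed for the demo; an HMAC-SHA256 counter-mode keystream stands in for the AES/TDES DUKPT scheme that real P2PE devices use.

```python
"""Why P2PE defeats POS RAM scrapers: an added, simplified model.

Stand-ins (assumptions, not the real thing):
  * HMAC-SHA256 counter-mode keystream in place of the device's DUKPT
    (AES/TDES) transaction keys;
  * a fixed demo device key and KSN;
  * constructed POS memory images and standard test PANs.
"""
import base64
import hashlib
import hmac
import re

# Constructed test track 2 data (standard test PANs, not real cards).
TRACK2_SAMPLES = [
    "4111111111111111=25121011234567890123",
    "5555555555554444=26061011234567890123",
]
DEMO_DEVICE_KEY = b"demo-ped-base-derivation-key-00"   # assumption
DEMO_KSN = b"FFFF9876543210E00001"                      # assumption

# What a BlackPOS-style scraper looks for: PAN '=' expiry, then Luhn.
_TRACK2_RE = re.compile(rb"(?<!\d)(\d{13,19})=(\d{4})\d*")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check used to filter random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape_memory(buf: bytes) -> list[tuple[str, str]]:
    """Return (PAN, expiry) pairs a RAM scraper would harvest from buf."""
    found = []
    for m in _TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            found.append((pan, m.group(2).decode()))
    return found


def _keystream(key: bytes, ksn: bytes, n: int) -> bytes:
    """Toy per-transaction keystream (stand-in for DUKPT-derived keys)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, ksn + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def ped_encrypt(track2: str, device_key: bytes, ksn: bytes) -> bytes:
    """Encrypt inside the PIN entry device, before data reaches the POS host."""
    ks = _keystream(device_key, ksn, len(track2))
    return bytes(a ^ b for a, b in zip(track2.encode(), ks))


def decryption_environment(ct: bytes, device_key: bytes, ksn: bytes) -> str:
    """Only the solution provider's decryption environment holds the key."""
    ks = _keystream(device_key, ksn, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks)).decode()


def pos_memory_without_p2pe(track2: str) -> bytes:
    """Constructed legacy POS process memory: track data parsed in the clear."""
    return (b"POSAPP\x00amount=1999\x00track2=" + track2.encode()
            + b"\x00status=approved\x00")


def pos_memory_with_p2pe(track2: str, device_key: bytes, ksn: bytes) -> bytes:
    """Constructed P2PE POS process memory: the host only ever sees ciphertext
    plus the KSN the decryption environment needs to re-derive the key."""
    ct = ped_encrypt(track2, device_key, ksn)
    return (b"POSAPP\x00amount=1999\x00ksn=" + ksn
            + b"\x00enc=" + base64.b64encode(ct) + b"\x00status=approved\x00")


if __name__ == "__main__":
    for t in TRACK2_SAMPLES:
        print("legacy:", scrape_memory(pos_memory_without_p2pe(t)))
        print("p2pe:  ", scrape_memory(pos_memory_with_p2pe(t, DEMO_DEVICE_KEY, DEMO_KSN)))
```

The scraper harvests the PAN and expiry from the legacy image and nothing from the P2PE image, even though the same transaction is present in both; the only place the plaintext reappears is `decryption_environment`, which models the processor's side and never runs on the merchant's POS.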

Version 2.0 of the PCI Council's P2PE requirements should simplify the steps that large merchants need to work through to encrypt cardholder data at POS terminals, says Jim Huguelet, principal at The Huguelet Group LLC.

“Many merchants have come to realize that the EMV standard does not involve encrypting cardholder data, leaving that data as much at risk to theft as it is today,” Huguelet said.

EMV cards, or cards based on the Europay MasterCard Visa standard, store cardholder data on a microchip embedded in the card rather than on the magnetic stripe that most cards in the U.S. currently rely on. The major card brands are pushing all organizations that accept card transactions to deploy point of sale terminals capable of accepting EMV transactions. The deadline for that migration is October of this year; it is a liability shift rather than a hard mandate, after which merchants whose terminals cannot accept chip cards bear the cost of counterfeit-card fraud. Many believe the vast majority of companies won't be ready in time.

With various reports now estimating that only 60 percent of US credit and debit cards will be reissued with EMV chips and less than 10 percent of merchants will be able to accept them by the October 2015 deadline, organizations are coming to terms with the fact that widespread EMV adoption will easily go into 2017 and perhaps longer, Huguelet says.

“With the many delays the US is encountering in deploying EMV, merchants are looking to make their payment processing environments more secure as quickly as they can and deploying encryption is the clear way to do so,” he says.

Gartner analyst Avivah Litan says the Council's move to update its encryption requirements appears aimed mostly at very large organizations.

“My initial reaction is that this is intended to benefit large merchants who want to implement their own P2PE systems,” Litan says. “I’m guessing this update is a result of some special lobbying by a handful of large big box retailers who have their own in-house capabilities."

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
Some Guy, User Rank: Strategist
7/2/2015 | 2:47:41 PM
It's an Arms Race .. How you can help
We can decry the inevitability of attacks, but what we can't do is accept that as the norm. It's an Arms Race; the next step is here; waiting to do nothing until a perfect solution presents itself is to commit a nirvana fallacy.

Here's where YOU can make a difference. On November 1st, if your credit card hasn't been updated to PIN & Chip (EMV) technology, vote with your pocketbook and move your credit to somewhere that does.
iNtHEmACHINE, User Rank: Apprentice
7/2/2015 | 12:16:09 PM
Re: Okay but...
"Low hanging fruit is the name of the game with hackers that are trying to make money from it."

Low hanging or stumbled upon is where the huge hacks have been, but money is the name of the game even if it's just a Nigerian scam or a few million numbers with expiration dates. Easy money is better, but money is money. If it's MY money I expect it to be secured.

"Good security only really attracts the security curious out there"

And making it harder does make it harder. What is security curious? <heh>

Whoopty, User Rank: Ninja
7/2/2015 | 5:00:04 AM
Re: Okay but...
I know what you mean. It can make you feel a bit despondent about security with how easy it often seems to bypass it. As long as it's difficult though, it should be relatively safe. Low hanging fruit is the name of the game with hackers that are trying to make money from it. Good security only really attracts the security curious out there.
Blog Voyage, User Rank: Strategist
7/2/2015 | 2:52:40 AM
Okay but...
"The goal is to make it harder for attackers to steal card data using POS malware tools like BlackPOS, Dexter, vSkimmer, and Backoff." Sure it will help, but hackers always have an advantage.