The PCI Council has just announced its guidelines on P2P encryption as they relate to PCI DSS compliance and scope. It is hoped by all concerned that these guidelines will simplify the process of achieving and maintaining compliance through a combination of improved security and scope reduction.
As expected, these guidelines provide clarifications and no great surprises. However, we must bear in mind that this is the first in a series of documents. It doesn’t cover tokenization, it doesn’t cover stored data, and it doesn’t cover any specific expected requirements on the P2P encryption systems themselves. All of these will come later. Since good security is something of a holistic exercise, it’s likely that we’ll all have to wait for the balance of these documents to be released before we can sensibly take any action.
In fact, people looking for explicit guidance on P2PE or scope reduction will likely be a little disappointed today. This document does an excellent job of outlining risks and confirming the security stance of PCI DSS, but it does little to tell people what to do about it. Explicit guidance is due in 2011 with the publication of “Validation Requirements for Point-to-Point Encryption”.
However, there are a few exciting things to take away from this document.
Among the few clear requirements laid out in this document (and not pending the later one) are: “comprehensive cryptographic and key management systems”, “tamper resistance”, and “devices, key management practices, and encryption and decryption environments are independently validated”. While much of this concentrates on the points of interaction (POIs) and data ingress, it seems likely that such good practice will also carry benefits in the backend processing environment. Independently validated, tamper-resistant, FIPS-validated HSMs are therefore once again the ideal choice for securing data handling environments.
While it’s not clear exactly what the rules will be, the document does confirm that P2PE will help with scope reduction if the deployment is up to scratch. So while it very sensibly stops short of blessing any and every solution, people should be confident that best-of-breed solutions underpinned by validated hardware encryption and key management are likely to provide scoping benefits, on top of the audit and compliance acceleration they already deliver.
For now, encrypted data is still in scope, because “controls such as firewalls, user access controls, vulnerability management, scanning, logging and application security provide additional layers of security to prevent malicious users from gaining privileged access to networks or cardholder data that may grant them access to keys”. I’m all for defence-in-depth, but this feels wrong to me, and rather inconsistent. Surely the data itself doesn’t need to be in scope, only the systems that provide access to the decryption facility. This subject is set to be addressed in the validation requirements, and there is a good chance that the position will change.
So even though we have to wait for “Validation Requirements for Point-to-Point Encryption” for full details, it’s clear that point-to-point encryption, underpinned by quality physical security modules and key management, is a crucial and valuable part of the PCI DSS compliance landscape.