In order to make compliance with PCI DSS requirement 3, “Protect stored cardholder data”, and requirement 4, “Encrypt transmission of cardholder data across open, public networks”, easier, merchants around the world have been reaching for end-to-end encryption solutions.
But how do you know if you are using a “good” end-to-end encryption solution (or point-to-point encryption, P2PE, as PCI SSC calls it)? Many suppliers are of course reputable companies, but today there is guidance, yet no standard, on what constitutes good practice for encrypting payment transaction data. Readers from outside the industry may be surprised to know that the PIN is in fact the only payment data for which standards on how to protect it using encryption exist.
Well, that will change when a new ASC X9 standard comes to fruition...
The new standard, X9.119, defines the requirements for protecting sensitive payment card data when encryption methods are used. Faced with no clear definitions today, people responsible for protecting transactions may inadvertently pick solutions that do not protect the right data, don’t protect it adequately, or use questionable encryption algorithms with poor protection of the encryption keys. Alternatively, they may put off encryption, protect nothing, and risk a PCI audit failure. The new standard is, if you like, a definition of the minimum security requirements that must be met when encryption is used to protect sensitive payment card data.
I’ve written about X9.119 before in a post about POS standards, but not about the progress it is making.
Using the new standard, people will be able to clearly identify which cardholder data they need to protect and the details of how to protect it. It defines the categories of data (sensitive, non-sensitive) and says what must always be protected, what need never be protected, and what requires protection only in combination. It will also make clear which algorithms must be used to encrypt data (such as triple DES or AES) and how encryption keys should be managed. Since X9 already requires PIN encryption to be performed in a Hardware Security Module (HSM), it is also likely that X9.119 will require an HSM for the encryption of sensitive payment card data.
While ASC X9 is a US standards body, the influence of X9.119 is likely to stretch globally. Here’s how it might play out. The PCI SSC point-to-point encryption technology white paper states that, “Based on analysis of PCI DSS key management requirements and existing standards for PIN key management, PCI DSS will develop a key management standard [for P2PE]”. As the existing standards for PIN key management come from ASC X9, it’s a fair bet that the PCI SSC P2PE key management standard will reference the new X9.119 standard.
All this is good news for vendors and users alike. Vendors can provide solutions that support the new standard, with the potential for future interoperability rather than proprietary approaches, and users can be confident that, by selecting a solution that complies with X9.119, they are using proven, accepted methods to protect sensitive data, making a PCI audit much easier to pass.