Thales Blog

PCI Security Standards Council Provides Updates On Encryption And Scope Reduction

September 19, 2016

pci-dss-encryption-and-scope-reduction-update-2The reality is that many business leaders won’t do the right thing in terms of investing in security. At least not until they’re in some way coerced or forced into it. The headlines will keep appearing, detailing how consumer data continues to be exposed because some of the most basic safeguards weren’t employed. Just to be clear, I’m not saying that security is easy. There are a lot of sophisticated cyber adversaries and significant threats that are very difficult to combat. What I am saying is that many organizations make it too easy for attackers.  Even when an organization’s leadership is educated on the staggering costs associated with breaches, it doesn’t always compel them to meaningful action. Too often, the big investment in security, what’s seen as insurance, is put off or deprioritized.

Click to Tweet: Recent updates on #Encryption and Scope Reduction for #PCIDSS @chrvles

This has been true for some time, but I think it’s been improving in recent years—and I’d give a lot of credit to the PCI Security Standards Council for that progress.  Perhaps more than any other entity, the council has been a very powerful force for change in security.

Extolling the Virtues of PCI

The PCI Security Standards Council, is one of the most dynamic and tech-savvy regulation bodies. In part, what the PCI Security Standards Council has done has helped to change the economic equation for security investments. Beyond the specter of penalties that breaches inflict on any business, the PCI Security Standards Council adds the potential for significant fines. Even more importantly, repeat offenders can potentially be hit with increased transaction fees and even termination from a payment brand’s program. If organizations want to continue to play their part in the modern payments ecosystem, they simply have to play by the rules.

Further, the impact of these standards extends beyond the payments industry. Because it offers best practices for securing sensitive data, the standard is applicable to companies in any industry. I’d argue the PCI Security Standards Council has been a key reason why the use of encryption and tokenization has grown so significantly over the past couple of years.  However, the organization doesn’t rest on its laurels. The PCI Security Standards Council continues to augment its guidance and enhance its resources, they are always looking for ways to offer organizations more flexibility in how they achieve compliance, without diminishing the standard’s effectiveness.

Security is the Endgame

While compliance is a clear requirement, ultimately security needs to be the objective. When you think of the scope of organizations affected by PCI standards—retailers, banks, processors, payment service providers, hardware manufacturers, and more—the PCI Security Standards Council does an amazing job of delivering well thought out, detailed guidelines and requirements. That said, this one standard simply can’t be uniformly applied across every organization. Each business’ risks, technological environments, budgets, business processes, and more will vary substantially, and so must the safeguards employed.

Recent Updates from PCI on Encryption

I was again reminded of the caliber of the PCI Security Standards Council when reading some recent updates from the organization. Among the many resources put out by the council, there is an extensive array of FAQs provided. The council recently published answers for two questions related to encryption and reduction of PCI DSS scope. The first questions is, How does encrypted cardholder data impact PCI DSS scope? Following is the summary of the FAQ’s answer:

“Where a third party receives and/or stores only data encrypted by another entity, and where they do not have the ability to decrypt the data, the third party may be able to consider the encrypted data out of scope if certain conditions are met.”

In summary, the FAQ says that if you have strong practices of separating the encryption keys from the encrypted data, you can significantly reduce your PCI audit scope with encryption.  This is particularly important when working with third parties, such as cloud and service providers.  This is elaborated upon in a recent addition to the FAQ: How does encrypted cardholder data impact PCI DSS scope for third-party service providers?

Again, the answer will be very much dependent upon who has control of the encryption keys.  Effectively, the rule says that, if an organization leverages encryption and ensures the service provider doesn’t have access to keys, that provider “may be considered the same as a public or untrusted network.” The sender or recipient of the cardholder data would need to be compliant, but not the service provider acting as an intermediary.

Tokenization Guidelines and Format Preserving Encryption (FPE)

Finally, the PCI Security Standards Council has also provided detailed tokenization guidelines and a press release on the topic of tokenization. These resources provide some useful insights and updates on how to consider using reversible (such as FPE based) and irreversible tokens.  I will be blogging more on this topic soon.

When it comes to reducing PCI DSS scope and meeting council requirements, many of our customers are pursuing the use of tokenization and format preserving encryption. Be sure to check out our Vormetric Vaultless Tokenization with Dynamic Data Masking solution page.


Ultimately, no matter where your organization fits in the payments ecosystem, it’s critical to work with vendors, service providers, and QSAs that have a lot of expertise in validating compliance with PCI DSS and individual payment brand programs. These expert partners can help provide detailed guidance for addressing PCI as part of a holistic security approach in your specific organization.