Encryption, tokenisation to shape future PCI compliance

The next version of the PCI DSS standard for securing credit card data is likely to require or strongly urge merchants to invest in tokenisation, encryption and dynamic authentication, according to two of the council’s most senior members.

Troy Leach, CTO, PCI Council.

At the sidelines of the PCI Security Standards Council community meeting in Sydney this week, the council’s CTO Troy Leach and international director Jeremy King were asked how the payments industry needed to respond to a string of data security breaches that have stung some of the world’s largest retailers.

Attacks on Target, Kmart, Home Depot, Staples, Neiman Marcus and Dairy Queen have brought the security practices of retailers into sharp focus and has led some analysts to argue that the bar for PCI compliance – as a baseline of IT security for those that hold credit card data - needs to be raised.

The breach at Target left 40 million cardholders vulnerable, while attacks on Home Depot’s systems exposed closer to 56 million cards, at huge cost to issuers. Trustwave, the PCI auditor of Target, was threatened with a lawsuit by affected issuers over the matter.

The breaches have put considerable pressure on the council that sets the Payments Card Industry Data Security Standard, which is made up of representatives of the major credit card schemes (American Express, Mastercard, Visa et al) and volunteers from within the financial services and retail industries.

The council's international director Jeremy King said that while the standard already protects against many of the problems surfaced in the attacks, several issues have been brought into clearer focus.

Firstly, that compliance shouldn’t be a one-off audit activity, but rather a part of doing business, and additionally, that PCI compliance "isn’t just about keeping the wrong guys out of the system".

“There are requirements and processes we are working on targeted at trying to identify that there is someone in your system that shouldn’t be there,” King said.

He recommended the centralising of logging systems, so security administrators can detect unorthodox movements of data or transactions inside their networks.

“If you can identify that anomaly, and reduce the time [attackers] are inside your systems, the impact will likely be lessened."

The council’s CTO Troy Leach noted that signature-based security tools struggle to identify the zero day exploits that so often provide attackers unauthorised systems access. And even when they do, merchant approaches to incident response have shown to be sorely lacking.

In several of the attacks on retailers, “the security team was notified before it became a problem".

“So they had the right monitoring software in place to detect this, but they didn’t have the right response mechanism for it,” Leach said.

Encryption and tokenisation

The council is looking into how the use of encryption and tokenisation might play a part in future updates to the standard.

It is now all but accepted that attackers will get access to credit card data – the next strategy is to strip stolen data of value.

“Criminals are attacking because there is value,” Leach said. “The key question now is - what can we do to make payment card data dynamic so it has no resale value for a criminal?”

The PCI standard today recommends the encryption of cardholder data when it is transferred across open, public networks. Leach hinted that requirement might extend further in the future.

Where encryption isn’t practical, tokenisation might be a useful alternative, he noted. Tokenisation swaps out sensitive data for a ‘token’ substitute which only the approved owner or user of the data can readily translate.

“Using tokenisation – a criminal might steal what looks like an account number, only to find it’s not something they can sell on the black market,” Leach said.

“That’s where we’ll need to focus more heavily. We need to create dynamic data that has no value to the criminals, so that even if a large merchant loses seven million tokens, there is no loss to the merchant or consumer.”

Tokenisation will also ensure that the data a merchant stores on its computer systems won’t be much of a prize for malware writers.

“One thing that’s come into clear focus because of these breaches is that it wasn’t necessarily about an attack on a point of sale terminal, but rather the back office computers that were part of the broader PoS system and running unpatched, outdated software,” Leach said.

Should the merchant download a data set to a computer infected with malware, the use of tokenisation means it won’t necessarily expose cardholder data to a criminal. 

Mobile payments

King said tokenisation and dynamic authentication will become key issues in Australia as magnetic stripe cards are replaced with chip and pin.

He expects that like the UK has experienced previously, the change will reduce face-to-face fraud, and shift more of the fraud to the card-not-present space.

Future versions of the standard will also have to consider the evolving use of mobile networks for completing transactions.

“The focus of the mobile telcos has been on connecting calls and passing lots of information,” King said. “It’s not been about payments and data security.

“New technology has brought new people into the payments space that don’t have any experience in data security. We have to train up a whole new group of people about why data security is important." 

That’s been difficult to date, Leach noted, as every major technology company, retailer and bank are desperately trying to win their place in the mobile payments ecosystem.

“Its hard to get a standard around mobile payments because it's evolving so quickly,” he said.

Read on to learn about the more immediate changes to the PCI standard…