The news last week was that the Payment Card Industry Data Security Standard (PCI DSS) will be changing soon. In particular, a director from MasterCard was quoted at a conference:
this encryption requirement is causing so much trouble for merchants that credit card companies are having trouble dealing with requests for alternative measures, he said. In response, changes to PCI will let companies replace encryption with other types of security technology, such as additional firewalls and access controls, Maxwell said. ‘There will be more-acceptable compensating and mitigating controls,’ he said.
This quote appears to suggest that there will be a significant alteration of the encryption requirement, section 3.4, which today reads:
Render sensitive cardholder data unreadable anywhere it is stored, (including data on portable media, in logs, and data received from or stored by wireless networks) by using any of the following approaches:
– One-way hashes (hashed indexes) such as SHA-1
– Truncation
– Index tokens and PADs, with the PADs being securely stored
– Strong cryptography, such as Triple-DES 128-bit or AES 256-bit with associated key management processes and procedures. The MINIMUM account information that needs to be rendered unreadable is the payment card account number.
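As an added example (not part of the original post or of the PCI DSS text), the four approaches listed in requirement 3.4 applied to a constructed test PAN in Python, using only the standard library: truncation, an unkeyed SHA-1 hash, a keyed hash (HMAC-SHA256 standing in for the "strong cryptography with key management" option), and a random index token held in a vault. The PAN, key and token format are assumptions. The last function shows the caveat a practitioner would raise against the bare SHA-1 option: a PAN carries very little entropy, so if the BIN and last four digits are known (for instance from a truncated copy stored alongside the hash), the hash is reversed by trying at most a million candidates.

```python
"""Rendering a PAN unreadable: truncation, hashing, keyed hashing, tokens.
Added example, not from the original post; the PAN and key are constructed."""
import hashlib
import hmac
import secrets

# Constructed test PAN (a well-known test number, not a live card).
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit verification over an all-digit PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep at most the first six (BIN) and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def sha1_pan(pan: str) -> str:
    """Unkeyed one-way hash, as the quoted requirement allows."""
    return hashlib.sha1(pan.encode()).hexdigest()


def hmac_pan(key: bytes, pan: str) -> str:
    """Keyed hash: without the key an attacker cannot enumerate candidates,
    and the key itself falls under the key-management clause of 3.4."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Index tokens: a random token is stored beside the PAN in a protected
    vault; the token reveals nothing about the PAN and is useless elsewhere."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = secrets.token_hex(8)  # random, unrelated to the PAN
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def brute_force_sha1(target_hex: str, bin6: str, last4: str):
    """Recover a 16-digit PAN from its unkeyed SHA-1 digest when the BIN and
    last four digits are known: only the middle six digits are unknown, so
    there are at most 10**6 candidates (a Luhn filter would cut that by
    another factor of ten). Returns the PAN or None."""
    for mid in range(10 ** 6):
        candidate = f"{bin6}{mid:06d}{last4}"
        if hashlib.sha1(candidate.encode()).hexdigest() == target_hex:
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)       # assumed to live in a key manager
    vault = TokenVault()
    print("truncated :", truncate_pan(SAMPLE_PAN))
    print("sha1      :", sha1_pan(SAMPLE_PAN))
    print("hmac      :", hmac_pan(key, SAMPLE_PAN))
    tok = vault.tokenize(SAMPLE_PAN)
    print("token     :", tok, "->", vault.detokenize(tok))
    # The truncated copy plus the unkeyed hash is enough to recover the PAN.
    recovered = brute_force_sha1(sha1_pan(SAMPLE_PAN), SAMPLE_PAN[:6], SAMPLE_PAN[-4:])
    print("recovered :", recovered)
```

The point of the last step is that the options in 3.4 are not interchangeable in strength: truncation and an unkeyed hash of the same PAN stored together amount to storing the PAN, whereas a keyed hash, a token or proper encryption only fall if the key or the vault does.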
However, Visa has communicated that it did not agree to change this requirement and has reiterated that there are already multiple acceptable ways to render cardholder data unreadable. Compensating controls for encryption of stored data will be included in an appendix to the next version of the PCI DSS, but it is important to note that compensating controls are only allowed for the short term, and they must still sufficiently mitigate the risk addressed by the PCI requirement with the same or better preventive force as the original requirement.
The planned changes to the PCI DSS are actually fairly minor: they are intended to clarify the existing requirements, not to make them less stringent.