Michael Garvin is Lead Security Advisory Analyst at Symantec and Bryan Gillson is Senior Director of Product Marketing at Symantec.
As the data-breach threat landscape has evolved and attacks have become commoditized, companies have had to shift and evolve their security programs to protect against potentially damaging and expensive breaches. To help companies continue to protect themselves from myriad threats, the Payment Card Industry (PCI) Security Standards Council has evolved its security guidelines to enhance their clarity for companies that process cardholder data.
The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards.
New PCI 2.0 Guidelines
PCI data security standards govern how businesses must protect cardholder data on their networks. According to a report by Verizon Business, compliance with PCI reduces a merchant’s likelihood of suffering a data breach by 50 percent. However, the report also found that only 22 percent of card-accepting merchants are PCI-compliant the first time they are audited.
New PCI 2.0 regulations were released on October 28, 2010, with the goal of further decreasing cyberattacks aimed at stealing massive amounts of payment card data. The PCI Security Standards Council developed the changes based on feedback they have received from companies and stakeholders in recent years.
Encryption is an important component of the data security standards because it is often viewed as a critical element of a company’s security program. Previously, regulations three and four of the PCI 1.0 data security standards addressed encryption. Regulation three required companies to define the elements they should be protecting and how they should be operating their program to ultimately protect cardholder data. Companies surveyed for the Verizon report said that this was one of the three most difficult regulations to meet. Regulation four required companies to encrypt the transmission of cardholder data across open, public networks (e.g., email, instant messaging, etc.).
Changes to Encryption Guidelines
In the new PCI 2.0 revisions, the PCI Security Standards Council made two changes to the existing regulations regarding encryption. The first change requires companies to focus on protecting cardholder primary account numbers (PANs). The rules around PANs were much looser in the past, but now the council is stating that the PAN is the one piece of information that must be protected. In addition to many other methods for protecting it, encryption is seen as a major approach.
The second change involves the frequency with which companies are required to change encryption keys. Companies were previously required to change encryption keys “at least annually.” In version 2.0, the council states that this requirement varies depending on the strength of the encryption. For example, companies that use a large key size may be able to change their keys less frequently than annually.
Encryption and State Data Breach Notification Laws
In addition to changes in the PCI 2.0 regulations, companies also have to comply with applicable state data breach notification laws, increasing the focus on data protection for any company that processes cardholder data and that operates or does business in more than one state. Current PCI regulations require companies to notify customers of a data breach regardless of whether the data was encrypted. State laws differ: some states make allowances if the data was encrypted, and some do not require companies to disclose a breach at all if the data was encrypted. PCI complements the state laws in that protecting information at its core is a good business practice.
As it stands today, 44 states in the U.S. have their own independent data-breach laws. Nevada and Minnesota have specifically adopted PCI as their standard for payment card information, while other states take a more ad hoc approach to data protection laws and data breach notification requirements. Alabama, Kentucky, New Mexico, and South Dakota do not have data breach notification laws. Additionally, some states set a minimum for the number of records compromised before a company has to disclose a breach, while others have strict regulations about protecting data and disclosing a breach.
PCI is a compliance standard, not a legal regulation; however, every company that accepts credit card data must comply with PCI regulations. Depending on where a company operates, it may also have to comply with state or county laws that supersede PCI.
The Case for Strong Encryption
With new PCI regulations and state laws regarding data protection and data breach notification changing every month, companies can improve their security posture by seeking higher levels of encryption to enhance the protection of sensitive cardholder data.
Beyond complying with PCI and state regulations, companies that seek stronger levels of encryption can prove to auditors and state officials that the company was making a good faith effort to protect data. This is because encryption is always viewed as a risk reduction mechanism. Companies that take the steps to encrypt data may avoid some of the penalties of a data breach, depending on which laws they must abide by.
In addition, increasing encryption strength can help companies drive down costs. When companies were required under PCI to change encryption keys every year, the labor required to comply was costly and time consuming. Under the new PCI 2.0 standards, companies that move to higher levels of encryption can reduce these costs.
Implementing encryption as part of a holistic enterprise security plan can aid companies in protecting sensitive cardholder data while at the same time helping companies meet the new PCI 2.0 regulations. Obtaining stronger encryption will only further improve a company’s ability to continue conducting business while navigating the regulations and laws governing the security of customer information.
Verizon Payment Card Industry Compliance Report, Verizon Business, Oct. 5, 2010.