Saturday, April 24, 2010

New version of PCI DSS

When I began to write this I realized that I have not blogged about PCI and all the intricacies of it; I will visit this topic soon.


The PCI DSS would very soon be version 3.0, so what changes can we expect? Storefrontbacktalk published an article on the coming changes; some of them are:

  • Searching For Cardholder Data. This will require merchants to search for cardholder data on all their networks and systems. The search does not have to be automated, which may cost a lot; a formal and repeatable manual process is acceptable.
  • One-Way Hashing Of PANs. This will require merchants to use either truncation (deleting all but the first six and last four digits) or a secure one-way hash that cannot be reversed.
  • Tokenization and End-to-End Encryption. The PCI Council is expected to produce position papers that provide clarification and guidance on a range of emerging technologies such as tokenization and end-to-end encryption. If you are interested in what tokenization and end-to-end encryption are before these come out, read on.
By employing tokenization, you essentially replace the actual card value with a randomly generated number. Obviously, one should not be able to derive the card data from the token value.

End-to-end encryption ensures that all data in transit, from the source where the card data originates to the destination where the card data gets stored, is encrypted. This may mean all the way from the merchant's POS machine to the server at the processing authority, or only as far as the merchant's perimeter (or, for that matter, the merchant's liability) extends.
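As an added illustration of the three mechanisms listed above (truncation, one-way hashing and tokenization), not code from this post or from the PCI Council: a small Python model that uses a keyed hash rather than a bare digest, with a constructed HMAC key and an in-memory vault standing in for a real key store and token vault.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed key for this example only; a real deployment keeps it in an HSM
# or key-management service, never in the same database as the hashes.
HMAC_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

def luhn_valid(pan: str) -> bool:
    """Luhn check, used to reject malformed PANs before they are stored."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def truncate_pan(pan: str) -> str:
    """Keep only the first six (BIN) and last four digits, as the post describes."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def hash_pan(pan: str) -> str:
    """Keyed one-way hash (HMAC-SHA256). An unkeyed digest is not enough here:
    PANs carry little entropy, and the truncated form already discloses ten of
    the digits, so the secret key is what keeps the stored value irreversible."""
    return hmac.new(HMAC_KEY, pan.encode(), hashlib.sha256).hexdigest()

class TokenVault:
    """Minimal tokenization: a random token stands in for the PAN and the
    mapping exists only inside the vault, so the token alone reveals nothing."""
    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_hash: Dict[str, str] = {}  # lookup keyed by HMAC, not by PAN

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        h = hash_pan(pan)
        if h not in self._token_by_hash:
            token = secrets.token_hex(16)  # 128 random bits, unrelated to the PAN
            self._token_by_hash[h] = token
            self._pan_by_token[token] = pan
        return self._token_by_hash[h]

    def detokenize(self, token: str) -> Optional[str]:
        return self._pan_by_token.get(token)
```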

1 comment:

Rafal Los said...

Hi - you left a comment on my blog that you wanted my slides and to get more info - but you didn't leave any contact info!

Email me directly at RafalQHPXcom please. (Q = @, X = .)

Please don't publish...