The PCI Security Standards Council has added Cryptomathic as a participating organization, indicating an enhanced focus on pioneering better methods of key management and encryption for payments.
Endorsed by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., the PCI Security Standards require merchants and service providers that store, process or transmit customer payment card data to adhere to information security controls and processes that ensure data protection—not just once a year, but as part of a business-as-usual security posture.
To enhance payment data security globally while embracing new technologies as they are developed, the Council relies on the involvement of those across the payments processing chain, from merchants and service providers to payment device manufacturers and software developers, financial institutions and processors.
Cryptomathic will add its voice to the standards-setting process, and will receive previews of drafts of standards and supporting materials in order to provide feedback to shape their final versions. PCI Security Standards include the Payment Card Industry Data Security Standard (PCI DSS), PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS).
Cryptomathic will also be able to recommend new initiatives for consideration to the PCI Security Standards Council.
The move is interesting given that the PCI SSC released a special bulletin last year dropping the Secure Sockets Layer (SSL) protocol from its list of acceptable solutions for the protection of data based on the PCI SSC’s definition of “strong cryptography.”
Strong cryptography is generally understood to mean cryptography based on industry-tested and accepted algorithms, along with strong key lengths (a minimum of 112 bits of effective key strength) and proper key-management practices. The PCI SSC basically follows the guidelines for cryptographic algorithms, key strength, and key management from the National Institute of Standards and Technology (NIST), which now prohibits the use of TLS 1.0, SSL 2.0, and SSL 3.0 to protect Federal information because those protocols rely on cryptographic algorithms that are not approved.
The addition of a crypto-specialist to the ranks indicates a willingness to look at fresh approaches to the problem of encryption, especially considering that credit-card-related data breaches show no sign of slowing.
Guillaume Forget, director of product management at Cryptomathic, noted: “We have built our skills and knowledge in key management, crypto and EMV over many decades and have vast experience of helping financial organizations in their PCI implementation. Now, through greater participation in the Council, we look forward to contributing our expertise in designing secure software solutions more widely, to render PCI a business enabler, rather than a simple compliance exercise.”