Payment Card Industry Data Security Standards expected to evolve based on continued data breaches
Thales and Ponemon Institute Reveal Research Study Identifying Key Areas and Predictions on Changes to Security Standards Enabling Auditors to Start to Prepare for October 2010 Announcement
Thales, leader in information systems and communications security, today announced the results of a research study about the upcoming version of the Payment Card Industry Data Security Standards (PCI DSS). This new set of standards is expected to be released in October 2010 by the PCI Security Standards Council. Based on surveys with 155 Qualified Security Assessors (QSAs), the following trends and key findings were identified:
Encryption is one of the most effective means for achieving compliance but questions arise on how to treat encrypted data in audits. It is believed that clarifications will be issued on the use of encryption and key management.
- 41% of those surveyed believed tokenization will be included in the update as the technology to use to increase cardholder data security and reduce cost of compliance.
- Tier 1 merchants are paying $122,000 more on average than Tier 2 merchants to do the same QSA assessments.
The Ponemon Institute, an information-management think tank, designed the survey to focus on identifying trends, recommendations and preferences of QSAs involved in PCI DSS compliance. Specifically, the survey questions focused on the background, experience, client observations, expected changes in PCI DSS, preferences on how to achieve compliance, and typical client recommendations. The results are available in this newly released report, sponsored by Thales entitled: PCI DSS Tends 2010: QSA Business Report. The report can be downloaded at www.thalesgroup.com/iss.
“Our research continues to validate that 60 percent of QSAs believe encryption to be the most effective means to protect card data end-to-end, and 41 percent of QSAs said that controlling access to encryption keys is the most difficult key management task faced by clients using encryption. It remains clear that QSAs consider encryption to be one the best techniques merchants can use to keep information safe and comply with PCI requirements. The current version of the standard, however, is ambiguous about how exactly encrypted data should be treated in audits, so QSAs seem to be confident that the October 2010 update to PCI DSS will provide clarity,” says Dr. Larry Ponemon, chairman and founder of The Ponemon Institute.
In addition to clarification about encryption and key management, the survey revealed that QSAs expect tokenization to be the new technology most likely included in the PCI DSS update. In 2009, The PCI Security Council commissioned a PricewaterhouseCoopers study to examine whether four emerging technologies showed potential to enhance data security and reduce compliance costs: tokenization, end-to-end encryption, virtual terminals and card management solutions. “41 percent of QSAs believe tokenization is the most likely of these technologies to be addressed in the PCI update, while 28 percent said end-to-end encryption is the most likely, 13 percent said virtual terminals and 9 percent said magnetic stripe imaging,” continued Ponemon. “Only 11 percent of QSAs believe that none of the technologies considered will be included in the PCI DSS updates.”
The research also revealed that on average, Tier 1 merchants pay about $122,000 more than Tier 2 merchants for QSA assessments. As uncovered in the previously issued QSA Insights Report, the average cost of an annual QSA audit—the fees paid to QSAs for assessment services—for Tier 1 merchants is about $225,000. The complete research results reveal that an annual assessment for Tier 2 merchants averages $103,000 and for Tier 1 service providers, such as large payment processors, the average cost of an annual on-site QSA assessment is $204,000.
“Complying with PCI DSS requirements is a great first step toward protecting cardholder information, but as new threats emerge and attacks become more sophisticated, it is important that PCI DSS and the technologies used to safeguard data evolve as well,” says Franck Greverie, Vice President for the information technology security activities of Thales“. By offering merchants insight into the new requirements likely to be included in the PCI DSS update and the current solutions in the marketplace to address these risks, this survey enables organizations to deploy the necessary technologies before the update is issued to give them a head start to enhance compliance efforts and, most importantly, better protect sensitive cardholder data.”