November 21, 2024

PCI Security Standards Council Releases Tokenization Product Guidelines

Posted on April 3, 2015 by in Security

The PCI Security Standards Council announced on Thursday the availability of guidelines designed to help organizations develop tokenization products.

Tokenization is the process in which sensitive information, such as payment card data, is replaced with a randomly generated unique token or symbol. Tokenization products, which can be software applications, hardware devices or service offerings, can help merchants reduce the risk of having their customers’ financial information stolen by malicious actors.

“Tokenization is one way organizations can limit the locations of cardholder data (CHD). A smaller subset of systems to protect should improve the focus and overall security of those systems, and better security will lead to simpler compliance efforts,” explained PCI SSC Chief Technology Officer Troy Leach.

There are several challenges to implementing tokenization, but reliable solutions already exist and representatives of the merchant community believe this could be an efficient approach to preventing payment card fraud and identity theft.

The Tokenization Product Security Guidelines released by the PCI Council have been developed in collaboration with a dedicated industry taskforce. The report focuses on the generation of tokens, using and storing tokens, and the implementation of solutions that address potential attack vectors against each component. The document also contains a classification of tokens and their use cases.

The recommendations in the guidelines are addressed to tokenization solution and product vendors, tokenization product evaluators, and organizations that want to develop, acquire or use tokenization products and solutions.

“Minimizing the storage of card data is a critical next step in improving the security of payments. And tokenization does just that,” said PCI SSC General Manager Stephen Orfei. “At the Council, we are excited about the recent advancements in this space. Helping merchants take advantage of tokenization, point-to-point encryption (P2PE) and EMV chip technologies as part of a layered security approach in current and emerging payment channels has been a big focus at this week’s PCI Acquirer Forum.”

The PCI Council has pointed out that the guidelines are supplemental and they don’t supercede or replace any of the requirements detailed in the PCI Data Security Standard (PCI DSS).

PCI DSS 3.0, which focuses on security instead of compliance, went into effect on January 1. Version 3.1 of the PCI DSS, expected to be released this month, targets the SSL (Secure Sockets Layer) protocol. Organizations must ensure that they or their service providers don’t use the old protocol.

Last week, the PCI Council published new guidance to help organizations conduct penetration testing, which is considered a critical component of the PCI DSS.

The Tokenization Product Security Guidelines are available for download in PDF format.

Subscribe to the SecurityWeek Email Briefing

view counter

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

PCI Security Standards Council Publishes Guide for Securing Terminal Software

Posted on December 16, 2014 by in Security

The PCI Security Standards Council (PCI SSC) published guidance today on the secure development and maintenance of software designed to run on point-of-interaction (POI) devices.  

POI devices are hardware or software components in point-of-sale equipment that allow a consumer to use a credit card to make a purchase, such as a PIN pad. According to the PCI SSC, the document is intended to address software that exists on POI devices, including payment and non-payment applications, and reinforce the importance of a layered approach to security.

“The goal of this document is to ensure that all organizations responsible for software development (and device management) understand the potential threats, and employ appropriate processes throughout the development life cycle to counter those threats,” according to the document. “The processes followed will depend on the organization, the type of application being developed, and the software languages used, but the principles remain the same.”

The document is meant to help organizations – including POI device vendors – that write or implement applications within a POI device understand the threats and counter them throughout the development lifecycle, according to the PCI SSC. It also comes at a time when cybercriminals have increasingly been paying attention to point-of-sale devices and targeting both retailers as well as vendors of point-of-sale devices (PoS). 

“Criminals are looking at every aspect of a payment transaction to find ways for data exfiltration,” said PCI SSC Chief Technology Officer Troy Leach, in a statement. “While consumers and merchants alike benefit from additional features, complexity and increasing dependency on third-party applications can create new opportunities for exploit which is why due diligence is so vital in the development of software that terminals rely upon. This paper highlights important best practices for software coding in this unique environment.”

According to the PCI SSC, organizations can use this guidance to help ensure standard secure coding practices are followed, including:

Security awareness training that supports secure software development:

• Those involved in the development process (including software developers and peer reviewers), have important roles to play in developing software to ensure secure coding practices are implemented and address current threats. Those roles need to be defined before development begins and those individuals need to be trained and understand the secure software development program.

Secure software development lifecycle:

• Organizations need to have a software security roadmap defined before development begins that will address known threats. The software needs to be mapped and documented, and rules and processes defined so that security is implemented as part of the development process and not incorporated as an afterthought.

Device-level testing:

• It is imperative to understand how the application will work when used with the hardware, firmware, and other applications that it is intended for use with. While simulators and unit testing are essential, testing the device with the complete solution should be a priority.

Internal process reviews:

• The threat environment is constantly evolving which is why organizations need to stay current on the latest threats and changes to ensure the procedures in place are still sufficient and are actually being followed.

Michael Belton, team lead of assessment services at Rapid7, said that for an average retailer, performing hardware and software security testing on a product they purchased is cost-prohibitive.

“Security awareness training for developers, along with secure software development lifecycle practices, help ensure consistency across developers working on an application,” he said. “This consistency in security design and expectations means applications are released with fewer bugs that can be exploited. Penetration testers encounter issues related to security lifecycle practices every time they perform an assessment. These two items are perhaps the most critical challenges towards creating software that operates in a secure and predictable manner.”

The document can be read here.

Subscribe to the SecurityWeek Email Briefing

view counter

Brian Prince is a Contributing Writer for SecurityWeek.

Previous Columns by Brian Prince:


SecurityWeek RSS Feed