The PCI that loved me

Jonathan Lampe exposes the hidden connections and game in card security

A kind of Kremlinology is in the blood of the IT channel. A modest change in a competitor’s website, a puzzling hire, a change in a LinkedIn profile, or news of a hitherto favoured sales director being sent to Siberia may become juicy topics of channel gossip and serious clues for lifting one's game.

Although I may have exaggerated the Siberia thing somewhat, it increasingly does pay to anticipate what’s going on among your competitors and prospects, customers, industry regulators and external auditors.

A case in point that has generated big wins for channel players in the past is the PCI Data Security Standard (DSS). The best thing about it is that it is updated every three years. Prospects – including just about anyone who can take a card payment – have to comply, or risk getting barred from taking card payments at the very least. No one can really afford not to buy into the technology set-up demanded by the latest standard. However, pretty much everyone is dismayed by the costs of doing so.

Anyone who ran card data through a virtualised environment was ostensibly breaking Rule 2 of the card standard: one application per server. Few big players were whiter than white. Can we really, honestly believe that none of the big retailers run virtualised datacentres?

They and their technology suppliers are smarter than that. The benefits outweigh the costs – and they judged that the PCI Council could not sustain the position that no one had virtualised the servers. By all means, innovate around data security – but it’s at your own risk.

PCI behind the iron curtain
Standards setters on the PCI Council are manifestly not about patting specific security technologies on the back, getting analysts to dub them "best practice", and persuading the entire reseller community to buy them.

Nevertheless, it doesn’t take the IT equivalent of Dr Strangelove to recognise that the two big drivers are the acknowledgement of virtualisation and getting card data out of the hands of anyone who might lose it.

PCI guidance lags some way behind the smart money in other respects, but two measures remain the weapons of choice for the buyer or adviser keen to cut costs in anticipation of PCI developments.

The first is tokenisation. Specific fields of sensitive information, especially credit card numbers, are replaced with tokens that can be looked up as needed, while the sensitive information itself is safely locked away.

This allows data processors to work with the information at a lower standard of PCI security. It is a particularly attractive option in a virtualised environment, where different levels of PCI compliance have already been segregated from one another.
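As an added illustration, not from the column or from Ipswitch, here is a toy token vault showing the split the column describes: the vault is the only component that ever holds card numbers, and everything downstream stores a token that carries no card data. The class and function names are hypothetical and the card number used is a constructed test value.

```python
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check: reject malformed PANs before they reach the vault."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical in-memory vault: the only component that holds PANs.
    Orders, analytics and receipts store the token instead of the PAN."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not luhn_ok(pan):
            raise ValueError("not a valid PAN")
        if pan in self._pan_to_token:  # same card -> same token, so repeat customers still match
            return self._pan_to_token[pan]
        while True:
            # Random body: the token cannot be derived from the PAN (unlike a hash of it).
            # The last four digits are kept so a receipt can still print "**** 1111".
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Require the token to FAIL Luhn so it can never be mistaken for a real PAN.
            if token not in self._token_to_pan and not luhn_ok(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenise(self, token: str) -> str:
        """Only the payment step, inside the PCI-scoped zone, should call this."""
        return self._token_to_pan[token]
```

Systems that only ever see tokens hold nothing a thief could charge, which is what lets them sit outside the full PCI scope.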

Official tokenisation guidance from the PCI Council is still pending, so early adopters may find they need to revisit their processes within the year. But the major vendors of this technology are deeply involved in the committee developing standards in this area.

The second measure promising to reduce the scope of PCI audits and cost of compliance is point-to-point (P2P) encryption.

This may be more familiar as ‘end-to-end’ encryption, and the Council’s rechristening of the technology will strike the channel Kremlinologist as significant.

P2P uses strong authentication and encryption through the use of Public Key Infrastructure (PKI) and tamper-proof hardware.

The path information takes between trusted nodes becomes much less important than it is otherwise under PCI rules. This in turn opens the door for cloud-based solutions – currently frowned upon by PCI standards – that, like tokens, offer big cost savings to anyone involved in keeping large networks PCI compliant.

Official PCI Council guidance around P2P encryption, once again, is pending, but the hardware and PKI infrastructure requirements will almost certainly encourage a technology refresh across the retail and data processing sectors. This will open the way for braver souls to sell into those sectors, and the necessary secondary technologies will be sold alongside.

The great game
This is not a one-off, or simply about PCI. Reading between the lines pays, and will continue to pay, dividends. But here’s the thing: it’s not about compliance with the latest standard or compatibility with a fashionable technology. It’s about enabling the client to cut the cost of adopting that technology or complying with the next set of regulatory demands.

There are, of course, no guarantees in this game. It is generally accepted amongst sales people that people dislike losing more than they like winning. Get it wrong and it could cost the client a fortune – and plunge your sales people into a nuclear winter.

Jonathan Lampe is vice president of product management at Ipswitch