By Gary Palgon, VP Healthcare Solutions, Liaison Healthcare Informatics
The PCI Security Standards Council Annual Community Meeting kicked off in Las Vegas on Tuesday with over 1,400 attendees from 25+ countries represented. This is year number 3 in the revolving cycle of proposing standards, gathering feedback and issuing standards. PCI 3.0 is expected to be issued after the PCI SSC International Community Meeting to be held in October. In August 2011, the PCI Security Standards Council (PCI SSC) issued a Tokenization Guidance document whose development I chaired during the prior two years as part of the PCI Scoping Special Interest Group. It was well received, but of course the world thirsted for more than guidance: it wanted actual standards.
At this year’s opening session, Bob Russo noted that one of the key initiatives for the coming year is to produce a Tokenization Standard, which is expected to be released in 2014. While most of the Guidance would appear to be easily converted into a Standard, there were two key issues on which neither the many members of the SIG nor the PCI SSC could reach agreement at that time. They amounted to the following two questions: “Should tokens be generated by one specific method, namely randomly generated numbers, or could encrypted values, incremental values, hashed values or other methods be allowed?” and “Is there such a thing as a ‘high-value’ token and, if so, what are the risk, security and compliance ramifications that we should be aware of?” With a couple of years of experience of organizations implementing tokenization based on the Tokenization Guidelines, this appears to be a great time to create standards from them and also to answer the remaining questions, both those asked then and those that have come up since.
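The first open question contrasts token generation methods, and the difference between them is easiest to see side by side. The following Python is an added illustration written for this page; it is not code from the article, from Liaison, or from any PCI SSC document, and it makes no claim about which method the forthcoming Standard will permit. It shows a random vault token, an HMAC-derived (hashed) token and an incremental token for the same card numbers. The inputs are the well-known Visa and Mastercard test numbers; the choices to preserve length, keep the last four digits, and reject random candidates that pass the Luhn check so a token cannot be mistaken for a live card number, are design assumptions of this example, as is the placeholder key `b"demo-key"`.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Return True if `pan` is all digits (13+ of them) and passes the Luhn check."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _random_token(pan: str) -> str:
    """Random format-preserving token: last four digits kept, the rest drawn
    from a CSPRNG. Assumed design choice (not a PCI requirement): reject any
    candidate that passes Luhn so the token can never pass as a real PAN."""
    while True:
        body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
        token = body + pan[-4:]
        if not luhn_valid(token):
            return token


class TokenVault:
    """Random tokenization: the PAN/token pairing exists only in the vault, so
    the token itself carries no information about the PAN. Detokenizing is a lookup."""

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:        # one token per PAN
            return self._pan_to_token[pan]
        token = _random_token(pan)
        while token in self._token_to_pan:   # avoid the (rare) collision
            token = _random_token(pan)
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]


def hashed_token(pan: str, key: bytes) -> str:
    """Deterministic token: HMAC-SHA256 of the PAN reduced to digits of the same
    length. Needs no vault, but the same PAN always maps to the same token and
    anyone holding `key` can recompute it, so the key itself becomes the secret."""
    digest = hmac.new(key, pan.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(digest, "big") % 10 ** len(pan)).zfill(len(pan))


class IncrementalTokenizer:
    """Incremental token: a zero-padded counter. Trivial to generate, but the
    token reveals issuance order and a vault is still needed to get the PAN back."""

    def __init__(self) -> None:
        self._next = 1
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        token = str(self._next).zfill(len(pan))
        self._next += 1
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]


if __name__ == "__main__":
    # Constructed inputs: the industry-standard Visa and Mastercard test numbers.
    visa, mc = "4111111111111111", "5555555555554444"
    vault = TokenVault()
    t = vault.tokenize(visa)
    print("random      :", t, "->", vault.detokenize(t))
    print("hashed      :", hashed_token(visa, b"demo-key"))   # b"demo-key" is a placeholder
    print("incremental :", IncrementalTokenizer().tokenize(mc))
```

Running it once shows the property each method trades on: the random token is unrelated to the PAN and only the vault can reverse it, the hashed token is reproducible by anyone who holds the key, and the incremental token leaks ordering. Those are exactly the risk and scoping differences a standard has to decide how to treat.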