Page 26 - GS220101

Cover Story

more about council initiatives in a November 2021 interview with Troy Leach, senior vice president, engagement officer for market intelligence and stakeholder engagement at the PCI SSC.

"We're on track to release PCI DSS 4.0 in March 2022," Leach said. "This is a big leap forward and full revision of 'dot 0', most prominently with customized validation. This avant-garde approach to security provides a path to compliance to companies with long-standing, mature risk models for managing payment data security that would not otherwise meet testing requirements."

Customized validation enables qualifying companies to create their own requirements, using their own frameworks and testing procedures, Leach noted. This alternative to traditional compliance protocols gives flexibility to large, multinational organizations with deep security knowledge that can demonstrate requirements that are testable, repeatable and equivalent in strength to existing DSS validation requirements, "so we're excited about that," he added.

"We're providing a three-year implementation window but encourage people to review the standard early, even if they don't test and implement the requirements right away," Leach said. "This will help them prepare for 2025, when they will have to show they meet that level of security."

P2PE, tokenization

Ruston Miles, founder at Bluefin, expects to see more PCI-validated point-to-point encryption (P2PE) implementations in 2022. P2PE, which he called the gold standard in payment security, protects data in transit and at rest, from the initial point of entry to the final destination, where it is securely decrypted by a receiving host. Of all existing P2PE solutions, Miles affirmed, only those validated by the PCI SSC meet rigorous standards for encryption, decryption, key management and chain of custody for P2PE transactions initiated by tap, dip, swipe or key entry.

"Bluefin became a PCI-validated P2PE solution provider in 2014, and hundreds of our P2PE devices and integration partners use P2PE Manager, our online portal for managing chain of custody," Miles said, adding that 2021 was a breakthrough year for the company in terms of innovation and payments industry recognition.

Bluefin's ShieldConex won accolades in 2021, Miles stated, including FinTech Breakthrough, CyberSecurity Breakthrough and MPC Digital Commerce Visionary awards. Judging panels recognized the company for bringing hardware-grade security to ecommerce and for using a subscription-based model to help reduce the cost and scope of work in maintaining regulatory compliance.

Miles predicted 2022 will bring stricter privacy mandates for protecting all types of sensitive data, not just payments. "People tend to associate tokenization with payments, but that's not the way it is anymore," he said. "There's so much more information being entered online, but if that data is authenticated, encrypted and tokenized, it will be rendered useless to a hacker."

Virtualization

Ryan Smith, vice president, global business development at Futurex, expects hardware virtualization to continue to scale throughout the payments ecosystem. Futurex has been helping retailers, processors and VARs tokenize customer data to derive generic shopping trends without compromising individual consumer privacy, he stated. "There have been good strides to protect data in transit, and point-to-point encryption has been a key driver," Smith said. "It's pushed the bad guys to look for golden nuggets of data elsewhere and challenged retailers to get to know customers while protecting their personal information as well."

Futurex created a virtualization technology by placing a hypervisor within a hardware security module (HSM), which runs behind a PCI-compliant physical security boundary, Smith stated. And PCI P2PE version 3.0, released in December 2019, enabled Futurex engineers to selectively enable and disable features in the HSM without placing those burdens on customers or end users, which simplified compliance testing even more, he added.

As Smith noted, virtualization pushes machines into the background but does not replace them. "We can spin up multiple agents within that secure boundary, but at the end of the day, you're still deploying a physical agent with physical requirements such as tamper resistance, heat sensitivity, etc.," Smith said. "You still have to buy a physical appliance to be able to run it, and then you have the service side, where we've taken our HSM and created a service out of it."

Authentication

Andrew Shikiar, executive director and chief marketing officer at the FIDO Alliance, predicted on-device biometrics will eventually replace server-side credentials and shared secrets, better known as passwords. "Servers that hide secrets can be manipulated and attacked," he said. "With biometrics, you're authenticating to or near your device, securely communicating with the server by proving possession of that device in an irrefutable manner."

When Google tested biometrics in 2017, not one Google employee was successfully phished, and help-desk costs went down while productivity went up, Shikiar stated. These measurable proof points helped biometrics gain ubiquity and global scale, he added. Market leader support from Microsoft, Google, PayPal and stakeholders in FIDO working groups helped standardize web authentication technology, and Apple joined FIDO's board of directors in January 2020, he said. Implementing support and technology at scale has changed the conversation between service providers and hardware vendors, Shikiar noted,