Jul 20 2010
I really wish I had the time to fully explore the idea, but there’s a certain amount of resonance between the criticisms Adrian Lane at Securosis levels against Visa’s guidance on tokenization and the criticism of the PCI security standards in general. I believe we have reached the stage as an industry where we mainly agree that the PCI standards are a good starting point, but that there’s so much more the PCI Council could be requiring merchants and service providers to do for security. Visa’s guidance is much the same way: it’s a good start, but it could have been so much more. In both cases, I believe the reasons for the compromises boil down to not wanting to require too much of the community and not wanting to limit the flexibility of the standards too much.
I believe that the Visa best practice papers for tokenization and truncation are just like the PCI standards themselves: they’re a good place to start your journey, but these requirements aren’t enough to build your entire security posture on. It’s up to you to continue from here and determine how these particular technologies are going to affect and secure your environment. I think the difference between providing guidance and issuing edicts is something we’ll be talking about next Sunday at Defcon, so this is good timing.
I agree with many of Adrian’s criticisms, including that Visa could simply have given more specific guidance overall. But I also understand Visa’s need to keep the guidance vague enough not to provide undue direction to what is basically a fledgling market. Which is exactly where I see the tie-in with Josh Corman’s primary argument about the PCI Council: intentionally or not, they are steering the security market through the PCI standards. Visa could be a force for good in the tokenization and truncation markets if they predict correctly and back solutions that are for the best over the long term. Or they could be seen as stifling innovation if they issue poor guidance. Much like the PCI Council.
Earlier today I heard someone point out that the majority of companies that are compromised were using encryption in some form, and they still got compromised. He was reminding me that none of the other silver bullets we thought would save us from the bad guys have worked, so use truncation and tokenization, but know they won’t solve all our security issues. As is so often the case, they’ll just move the attack to other targets and other vectors: tokenization, for instance, moves the full card numbers into the token vault and its detokenization interface, and those become the targets.
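To make the "moves the attack" point concrete, here is an added toy example (not code from the post, from Visa’s papers, or from any vendor) of what truncation and tokenization actually do to a card number. The format-preserving token design (same length, last four kept, Luhn check deliberately failing so a token can never pass as a real PAN) and the authorization-list gate on `detokenize` are assumptions of this example, not Visa’s specification. The card numbers are standard test numbers constructed for the example.

```python
"""Toy PAN truncation and tokenization vault (constructed example)."""
import hashlib
import hmac
import secrets

# Constructed sample PANs: standard test numbers, not real cards.
SAMPLE_PANS = ["4111111111111111", "5500000000000004", "340000000000009"]


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation, used to reject implausible PANs
    and to guarantee that a generated token is never a valid PAN."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate(pan: str) -> str:
    """PCI DSS-style truncation: keep at most the first six and last four
    digits and mask the rest. The masked value is not recoverable."""
    if not luhn_ok(pan):
        raise ValueError("not a valid PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Holds the token -> PAN mapping. Everything the merchant removed from
    its own systems now lives here, so the vault and its detokenize
    interface are where the attacker's attention moves."""

    def __init__(self, hmac_key: bytes):
        self._key = hmac_key
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan_mac: dict[str, str] = {}

    def _pan_mac(self, pan: str) -> str:
        # Keyed hash so repeat tokenization of a PAN returns the same token
        # without keeping a second cleartext copy as the index.
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid PAN")
        mac = self._pan_mac(pan)
        if mac in self._token_by_pan_mac:
            return self._token_by_pan_mac[mac]
        # Random token: unlike encryption there is no key that derives the
        # PAN from it. Assumed format: same length, last four preserved,
        # and rejected unless it FAILS Luhn, so it can never be a real PAN.
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._pan_by_token and not luhn_ok(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan_mac[mac] = token
        return token

    def detokenize(self, token: str, caller: str, authorized: frozenset) -> str:
        """The one place a PAN comes back out. Whoever can call this (or
        steal the vault's storage) has everything tokenization protected."""
        if caller not in authorized:
            raise PermissionError(f"{caller} is not allowed to detokenize")
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    allowed = frozenset({"settlement-batch"})
    for pan in SAMPLE_PANS:
        tok = vault.tokenize(pan)
        print(f"PAN {pan} -> truncated {truncate(pan)} -> token {tok}")
        print("  settlement-batch recovers:", vault.detokenize(tok, "settlement-batch", allowed))
        try:
            vault.detokenize(tok, "web-frontend", allowed)
        except PermissionError as e:
            print("  web-frontend denied:", e)
```

The thing to notice is that `truncate` and `tokenize` do nothing to the card data an attacker can reach through a compromised `settlement-batch` identity or a copy of `_pan_by_token`; the protection is only as good as the access control and storage around the vault, which is exactly the part the guidance leaves to you.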