Currently, the PCI standard only requires encryption for data at rest, but not while the data is in transit along the transaction chain. The council recommends that retailers and others in the payment industry adopt a more comprehensive point-to-point encryption approach, although it is not a requirement.
According to Russo, point-to-point encryption is one of the issues the council will look at in the coming months. The council is also looking at approaches like tokenization for protecting cardholder data, he said. With tokenization, card data is substituted with a random string of numbers so even if the data is compromised, it holds no value for data thieves.
Broad adoption of the Europay MasterCard Visa (EMV) smartcard standard could also enhance debit and credit card security, Russo said.
The recent breaches have fueled fresh calls for adoption of the standard in the U.S., which remains the only major country in the world not to have moved to it already. Visa and MasterCard have both said they will move over to EMV by the end of next year.
But as with every other aspect of payment card security, the EMV standard is just one piece, Russo said. Though EMV is widely touted as being better than magnetic card technology, it would not have prevented the Target data compromise, he said. It would have only limited, but not stopped, how the stolen cards could be used, he said.
One area where the council has received feedback from stakeholders is on the consistency of the PCI compliance assessment process, Russo said. In response, the council enhanced testing to ensure that assessments are done in a more consistent and standardized manner.
"Additionally, throughout the standards, we've built in more education around the intent of the requirements so that those implementing the standards in their organization have more information regarding the goal of the controls and how they need to be implemented," he said.