All of you representatives of participating organizations (PO), the PCI SSC has opened elections for the coming year’s SIGs. Just a friendly reminder for all POs to exercise their right to vote on the SIGs. I am guessing that the voting page is behind the PO logon to the PCI SSC Web site. They announce the results of the balloting on November 4, so vote as soon as possible.
24 Oct 11
If all the SIGs run like the tokenization SIG was, I’m not sure the point. They either ignore the feedback and do what they want anyway or only pay attention to the big payers (I’m not sure?).
Steve, the logic behind the running of the SIGs has changed a bit since they were unceremoniously shut down earlier this year. This time around, the SSC will provide a staff member to work on the SIG, and the maximum lifespan for a SIG will be one year. (I don’t know how they plan to enforce that. I can see conversations like “well, we were delayed for Good Reason X during the year, so let’s just continue for another 3 months to really finish the work”.)
However, on the topic of “big payers”, every PO gets the opportunity to participate. (Granted, truly small businesses are not likely to be POs, because the fee is a few thousand USD per year, and they don’t have that money to spare.) During the presentations, every SIG this time around went out of their way to say “this will be vendor neutral”.
Finally, Storefrontbacktalk has a good summary of the proposals here: http://storefrontbacktalk.com/securityfraud/vote-now-why-retailers-really-should-help-select-pci-sigs/
Emma.
The original definition of tokenization was (and still is) “vendor neutral.” Then vendors started mislabeling their proprietary products as tokenization and the PCI SIG accommodated their mislabeling for the sake of vendor neutrality. If enough vendors label simple XOR cipher as strong cryptography, for the sake of vendor neutrality should strong cryptography be redefined to include simple XOR? This is what happened to tokenization.
But as a marketer, how do I gain an “edge” if everyone is peddling the same solution? That’s what drove everyone to develop their own version of tokenization schemes and then got the PCI SSC and other standards bodies to buy in. As an added benefit, because these schemes are all different, there is no interoperability and therefore, there is a high cost to anyone using the solution to change. You just cannot ask for more. LOL
Your XOR example is great until the vendor has to explain it’s just an XOR and that is where the wheels come off. There is no way an XOR cipher can ever be considered “strong” based on the definition provided in the PCI DSS Glossary.
The key part of the definition was that the token could not be mathematically related to the PAN; if it is related, who’s to say it’s not a simple XOR cipher or hash? You are correct about XOR, the wheels fall off if you have your security hat on. Remove that hat, put on your vendor neutrality hat and XOR continues rolling down the street. Since PCI redefined tokens to allow for mathematically related values for the sake of vendor neutrality, they removed their security hat in the process and opened up a whole can of worms. Oh well, that’s enough on this thread. Until next thread…
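The distinction the last two comments argue over (a token that is "mathematically related" to the PAN versus one that is not) is easy to see in code. The following is an added illustration, not code from any commenter or from the PCI SSC: it contrasts an XOR-derived "token" with a vault-backed random token. The sample PAN, key and class names are constructed for the example; the PAN is the well-known Visa test number, not a real card.

```python
import secrets

# Constructed sample input: the standard Visa test PAN (not a real card).
SAMPLE_PAN = "4111111111111111"
DIGITS = "0123456789"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is its own inverse, so the same
    call both "tokenizes" and "detokenizes"."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_token(pan: str, key: bytes) -> bytes:
    """A vendor-style 'token' that is really just the PAN XORed with a key.
    The output is a deterministic function of the PAN: mathematically related."""
    return xor_bytes(pan.encode("ascii"), key)


def xor_untoken(token: bytes, key: bytes) -> str:
    """Anyone holding the key (or guessing a short one) recovers the PAN."""
    return xor_bytes(token, key).decode("ascii")


def relation_leak(token_a: bytes, token_b: bytes) -> bytes:
    """Two XOR tokens made with the same key XOR to (PAN_a XOR PAN_b):
    zero bytes mark positions where the two PANs share a digit, so the
    relationship between card numbers shows through without the key."""
    return xor_bytes(token_a, token_b)


class VaultTokenizer:
    """A token that is NOT mathematically related to the PAN: the token is
    random digits, and the only link back to the PAN is a lookup table
    (the 'vault') that never leaves the tokenization system."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._pan_to_token:          # same PAN -> same token, by lookup not by math
            return self._pan_to_token[pan]
        while True:
            # Format-preserving: same length, all digits, drawn from a CSPRNG.
            token = "".join(secrets.choice(DIGITS) for _ in pan)
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        # Without this vault there is no function from token to PAN at all.
        return self._token_to_pan[token]


if __name__ == "__main__":
    key = b"\x01"
    t = xor_token(SAMPLE_PAN, key)
    print("XOR 'token':", t, "-> recovered:", xor_untoken(t, key))
    v = VaultTokenizer()
    tok = v.tokenize(SAMPLE_PAN)
    print("vault token:", tok, "-> recovered via vault:", v.detokenize(tok))
```

Running it shows the XOR "token" for the sample PAN under a one-byte key is simply `5000000000000000`, and that XORing two such tokens reveals which digit positions the underlying PANs have in common. The vault token, by contrast, carries no information about the PAN; a second `VaultTokenizer` instance that does not hold the vault cannot map it back, which is the property the original definition of tokenization was meant to guarantee.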