Comment: Navigating the POS security standard minefield

Although the POS security standard landscape may seem complicated, when these various initiatives are broken down and analyzed, commonalities can be identified

As one might expect, there is no shortage of security standards when it comes to protecting the payment transaction lifecycle. As the old joke goes, “the great thing about standards is that there are so many to choose from”.

These wise words are particularly applicable to the point-of-sale (POS) environment. Standards to protect PINs at the POS and beyond have been in place for a number of years, but it is equally important to protect other types of cardholder data, such as the primary account number (PAN), across the entire transaction process.

There are three main initiatives under way today that apply to the protection of this data and aim to improve overall payment card security at the POS, between the POS and the acquiring bank, and beyond. Although the POS security standard landscape may seem complicated, when these various initiatives are broken down and analyzed, commonalities can be identified. What’s more, the implementation of single security technologies, such as end-to-end encryption or tokenization, can support compliance across all three initiatives.

Investigating the Minefield

Given the complexity of the payment security standards environment, combined with the practical requirement to comply, greater clarification is needed to ensure that POS vendors, retailers/merchants and financial services organizations understand how each of these initiatives relates to the others and, ultimately, how they can help keep sensitive information safe. So, let’s look at these three different items in some more detail.

The Secure POS Vendor Alliance’s (SPVA) recent document on “End-to-End Encryption Security Requirements” is designed to help make transactions more secure. The efforts of the SPVA parallel the work of the ASC X9F6 Standards Working Group, which is working on a new standard aimed at protecting sensitive payment data.

Meanwhile, the Payment Card Industry Security Standards Council (PCI SSC), which is managed by the major payment card brands, recently issued revised requirements of its own. These new guidelines bring together PIN entry devices (including POS devices) under a common document, known as PCI PTS-POI (PCI PIN Transaction Security Point of Interaction). The new document now also includes requirements for interfacing with open networks, as well as the protection of cardholder account data. It is related to the PCI Data Security Standard (PCI DSS), which deals with cardholder data security in the payment transaction process (not only within the POS).

Identifying the Commonalities

Protecting data through end-to-end encryption or tokenization

For those parties trying to make sense of all these new guidelines, the good news is that many of the recommendations relate to the protection of data with the goal of ‘end-to-end’ encryption or tokenization. Following is a summary of how the initiatives relate – and how they are, in fact, entirely complementary.

The SPVA document is the first to cover what should be encrypted end-to-end, general requirements of how it should be encrypted, and the tamper-resistant environment of the POS. Although this document is an important step forward, it contains only voluntary guidelines.

The new PCI PTS-POI standard brings together requirements that were previously covered in three separate documents for POS PIN entry devices (PED), encrypting PIN pads (EPP), and unattended payment terminals (UPT). This standard simplifies the testing process and eliminates documentation overlap by providing one modular security evaluation program for all terminals and a single reference listing of approved products.

PCI PTS-POI contains a new secure reading and exchange of data (SRED) requirements module that gives POI vendors a clear set of security criteria for the protection of account data that they must build and test against. Vendors can now build devices to a defined standard for protecting data as it is read and then encrypted for exchange. Like the SPVA document, it covers the physical and logical environment, encryption that can be used, and so on. This is a critical first step in the establishment of a secure end-to-end encryption infrastructure, although the standard does not provide specific details of the methods or encryption technology that POI vendors must use for protecting data.

The ASC X9 working group in the US intends to deliver a standard (X9.119) with specific security requirements for the protection of sensitive payment data using encryption and tokenization methods. This is a vital piece in defining what and how sensitive information should be protected from a standards body with representation from a broad spectrum of the financial services industry. Rather than specifying one way of protecting data, the standard will cover a number of different approaches. This is a pragmatic solution, as there are several valid ways to protect data, and vendors are already working together to provide solutions using a number of approaches.

We can perhaps expect the SPVA document (which already refers to the PCI PTS-POI specification’s predecessor) and PCI PTS-POI to be updated in time to refer to the X9.119 standard, since they both already reference other X9 standards related to key management and encryption technology, thereby completing the circle.

In addition to the aforementioned standards, Visa also issued best practice guidance on data field encryption in October of last year. The guidelines were created because Visa recognized that data field encryption is a useful approach that can simplify PCI DSS compliance. Although it covers more than just the POS, it is very much a part of the mix of initiatives, as Visa is chair of the ANSI X9F6 Standards Working Group that is formulating the new standard to protect sensitive cardholder data. More recently, in July 2010, Visa also released its “Best Practices for Tokenization”, providing high-level guidance for this cardholder data protection alternative.
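To make the tokenization alternative mentioned above concrete, here is an added illustration (Python, written for this page; it is not code from the article, nor from the SPVA, PCI SSC, X9 or Visa documents, and it does not implement any of their specific requirements). It models the split the guidance describes: the merchant system keeps only a token plus a masked form for receipts, while a separate vault holds the only copy of the PAN. The vault, its keyed lookup index, the choice to keep the last four digits and the rule that a token must never pass a Luhn check are all assumptions made for the example; the PAN used is the well-known test number 4111111111111111, and the index key is a constructed placeholder.

```python
"""Toy PAN tokenization service (added illustration, not from the article).

Merchant side stores only the token and a masked value; the vault keeps the
PAN-to-token mapping. In a real deployment the vault and its keys would sit
behind an HSM/TRSM boundary; here it is an in-memory dictionary.
"""
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check, the checksum used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_pan(pan: str) -> None:
    """Reject anything that is not a plausible PAN before it enters the vault."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")


class TokenVault:
    """Holds the only copy of each PAN and hands out non-reversible tokens."""

    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key   # secret key for the lookup index (assumed design)
        self._pan_by_token = {}       # token -> PAN
        self._token_by_fp = {}        # keyed fingerprint of PAN -> token

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash, so the index alone does not let an attacker brute-force
        # the (small) PAN space the way an unkeyed hash would.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, creating one on first sight."""
        validate_pan(pan)
        fp = self._fingerprint(pan)
        if fp in self._token_by_fp:
            return self._token_by_fp[fp]   # same PAN always maps to the same token
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]        # keep last four for receipts/reconciliation
            # A token must not collide and must fail Luhn, so it can never be
            # mistaken for (or used as) a real card number.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_fp[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back to the PAN."""
        return self._pan_by_token[token]


def merchant_flow(vault: TokenVault, pan: str) -> dict:
    """What the merchant system ends up storing after a sale: no PAN at all."""
    token = vault.tokenize(pan)
    return {"token": token, "masked": "*" * (len(token) - 4) + token[-4:]}


if __name__ == "__main__":
    vault = TokenVault(b"constructed-index-key")   # placeholder key for the demo
    record = merchant_flow(vault, "4111111111111111")
    print(record)
    print("vault resolves token back to PAN:", vault.detokenize(record["token"]))
```

The point the example makes is the one the guidance relies on: a compromise of the merchant database yields only tokens that fail the Luhn check and cannot be reversed without the vault, so the scope of systems holding real cardholder data shrinks to the vault and the devices that encrypt the PAN before it reaches the merchant.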

It is interesting to note that not all the data security documents published so far specify a tamper-resistant security module (TRSM) for the protection of keys and sensitive cardholder data at all points where sensitive data is encrypted/decrypted. However, recent research commissioned by Thales showed that qualified security assessors (QSAs), who audit the compliance of retailers and acquirers to meet PCI DSS regulations, do recognize the value of hardware security in meeting regulations: 81% of QSAs surveyed recommend or require hardware security modules (HSMs) to manage data protection.

If the actions by all these various groups appear to be overkill, it is important to remember that the ultimate goal is to secure payment card information, which is in the best interest of consumers, merchants and all others involved in the payment card industry. With a bit of understanding about how each set of guidelines and standards overlap, proper controls can be implemented to satisfy the best practices recommended by each document and prevent redundant implementation efforts. Given the ever-present threat of card fraud, such endeavors are vital.

Jose Diaz has worked for Thales (previously Racal) in the US for over 29 years and is currently director of technical and strategic business development for the Information Technology Security activities of Thales in the Americas region. During his first 10 years with the group, Diaz worked in the Design Engineering groups for network management and data communication products and has four patents for his work in the area of digital communications. He later managed the design of communication systems and was responsible for the systems engineering group in the Americas. Diaz then migrated into sales, and for 6 years was responsible for the Latin America and Caribbean region before moving into his current position where he is responsible for technical and strategic product direction in the Americas region. Diaz graduated with a master’s in electrical engineering from the University of Miami.

Steve Brunswick manages the global strategy and marketing for the Information Technology Security activities of Thales and has more than 12 years’ banking industry experience. Before joining Thales, he worked as a strategy consultant and director of marketing for De La Rue’s Cash Processing business. Brunswick has 20 years of management experience working in marketing, sales, strategy, and product management and is a member of the Chartered Institute of Marketing. Brunswick also holds a degree in computer engineering and an MBA.
