There is no shortage of security standards when it comes to protecting the payment transaction life cycle.
Standards to protect PINs at the point of sale (POS), for example, have been in place for a number of years, but it is equally important to protect other types of cardholder data such as the primary account number (PAN) across the entire transaction process.
There are three main initiatives underway today that apply to the protection of this data and aim to improve overall payment card security at the POS, between the POS and the acquiring bank and beyond.
While the POS security standard landscape may seem complicated, when these various initiatives are broken down and analysed, commonalities can be identified. What's more, the implementation of single security technologies, such as end-to-end encryption or tokenisation, can support compliance across all three initiatives.
Given the complexity of the payment security standards environment, combined with the practical requirement to comply, greater clarification is needed to ensure that POS vendors, retailers/merchants and financial services organisations understand how each of these initiatives relates to the others and, ultimately, how they can help keep sensitive information safe. So, let's look at these three initiatives in more detail.
The Secure POS Vendor Alliance's (SPVA) recent document on "End-to-End Encryption Security Requirements" is designed to help make transactions more secure. The SPVA is a nonprofit organisation that works with the multiple stakeholders of the payment value chain. In its own words, the SPVA aims to develop an end-to-end security framework and to enhance security elements of payment solutions, which protect cardholder information and defend merchants and acquirers against security breaches, while reducing fraud and lowering risk for all electronic payment stakeholders. Its end-to-end security guidelines overlap with other recommendations from at least two other entities. Fortunately for retailers, so too do the systems required to follow them.
The efforts of the SPVA parallel the work of the ASC X9F6 Standards Working Group, which is working on a new standard aimed at protecting sensitive payment data. ASC X9 is an ANSI Accredited Standards Committee (ASC) made up of members from the financial services industry.
Meanwhile, the Payment Card Industry Security Standards Council (PCI-SSC), which is managed by major payment card schemes such as American Express, JCB, Discover, MasterCard and Visa, recently issued revised requirements of its own. These new guidelines bring PIN entry devices (including POS devices) together under a common document known as PCI PTS-POI (PCI PIN Transaction Security Point of Interaction). The document now also includes requirements for interfacing with open networks and for the protection of cardholder account data. It is related to another set of requirements from PCI-SSC called PCI-DSS, which deals with cardholder data security throughout the payment transaction process (not only within the POS).
Identifying the commonalities
For those parties trying to make sense of all these new guidelines, the good news is that many of the recommendations relate to the protection of data with the goal of "end-to-end" encryption or tokenisation. Here is a summary of how the initiatives relate and how they are, in fact, entirely complementary.
The SPVA document is the first to cover what should be encrypted end-to-end, general requirements of how it should be encrypted and the tamper-resistant environment of the POS. Though this document is an important step forward, it contains only voluntary guidelines at this stage. The standard covers the following areas:
- Data to be encrypted during transmission
- Key management
- Physical and logical security of the tamper-resistant security module and key components
- Encryption monitoring and management systems requirements