Best methods for navigating the POS security standard minefield.
There is no shortage of security standards when it comes to protecting the payment transaction life cycle.
Standards to protect PINs at the point of sale (POS), for example, have been in place for a number of years, but it is equally important to protect other types of cardholder data such as the primary account number (PAN) across the entire transaction process.
There are three main initiatives underway today that apply to the protection of this data and aim to improve overall payment card security at the POS, between the POS and the acquiring bank and beyond.
While the POS security standard landscape may seem complicated, when these various initiatives are broken down and analysed, commonalities can be identified. What's more, the implementation of single security technologies, such as end-to-end encryption or tokenisation, can support compliance across all three initiatives.
Given the complexity of the payment security standards environment, combined with the practical requirement to comply, greater clarification is needed to ensure that POS vendors, retailers/merchants and financial services organisations understand how each of these initiatives relate to one another and ultimately how they can help keep sensitive information safe. So, let's look at these three different items in some more detail.
The Secure POS Vendor Alliance's (SPVA) recent document on "End-to-End Encryption Security Requirements" is designed to help make transactions more secure. The SPVA is a nonprofit organisation that works with the multiple stakeholders of the payment value chain. In its own words, the SPVA aims to develop an end-to-end security framework and to enhance security elements of payment solutions, which protect cardholder information and defend merchants and acquirers against security breaches, while reducing fraud and lowering risk for all electronic payment stakeholders. Its end-to-end security guidelines overlap with other recommendations from at least two other entities. Fortunately for retailers, so too do the systems required to follow them.
The efforts of the SPVA parallel the work of the ASC X9F6 Standards Working Group, which is working on a new standard aimed at protecting sensitive payment data. ASC X9 is an ANSI Accredited Standards Committee (ASC) made up of members from the financial services industry.
Meanwhile, the Payments Card Industry Security Standards Council (PCI-SSC), which is managed by major payment card schemes like American Express, JCB, Discover, MasterCard and Visa, recently issued revised requirements of its own. These new guidelines bring together PIN entry devices (including POS devices) under a common document known as PCI PTS-POI (PCI PIN Transaction Security Point of Interaction). The new document now also includes requirements for interfacing with open networks as well as the protection of cardholder account data. It is related to another set of requirements from PCI-SSC called PCI-DSS, which deals with cardholder data security in the payment transaction process (not only within the POS).
Identifying the commonalities
For those parties trying to make sense of all these new guidelines, the good news is that many of the recommendations relate to the protection of data with the goal of "end-to-end" encryption or tokenisation. Here is a summary of how the initiatives relate and how they are, in fact, entirely complementary.
The SPVA document is the first to cover what should be encrypted end-to-end, general requirements of how it should be encrypted and the tamper-resistant environment of the POS. Though this document is an important step forward, it contains only voluntary guidelines at this stage. The standard covers the following areas:
- Data to be encrypted during transmission
- Key management
- Physical and logical security of the tamper-resistant security module and key components
- Encryption monitoring and management systems requirements
The new PCI PIN transaction security (PTS) point of interaction (POI) PCI PTS-POI Standard brings together requirements that were previously covered in three separate documents for POS PIN entry devices, encrypting PIN pads and unattended payment terminals. This standard simplifies the testing process and eliminates overlap of documentation by providing one modular security evaluation programme for all terminals and a single reference listing of approved products.
PCI PTS-POI contains a new secure reading and exchange of data (SRED) requirements module that gives POI vendors a clear set of security criteria for the protection of account data that they must build and test against. Vendors can now build devices to a defined standard for protecting data as it is read and then encrypted for exchange. Like the SPVA document, it covers the physical and logical environment, encryption that can be used and so on. This is a critical first step in the establishment of a secure "end-to-end" encryption infrastructure although the standard does not provide specific details of the methods or encryption technology that POI vendors must use for protecting data.
The ASC X9 working group is part of the standards organisation responsible for the development of all financial services standards in the United States. It is comprised of numerous vendors and plays a key role in the development and adoption of new technologies in the banking, brokerage and insurance industries. ASC X9 intends to deliver a standard (X9.119) with specific security requirements for the protection of sensitive payment data using encryption and tokenisation methods. This is a vital piece in defining what and how sensitive information should be protected from a standards body with representation from a broad spectrum of the financial services industry. Rather than specifying one way of protecting data, the standard will cover a number of different approaches. This is a pragmatic solution, as there are several valid ways to protect data and vendors are already working together to provide solutions using a number of approaches.
We can perhaps expect the SPVA document (which already refers to the predecessor to the PCI PTS-POI specification) and PCI PTS-POI to be updated in time to refer to the X9.119 standard, since they both already reference other X9 standards related to key management and encryption technology, thereby completing the circle.
In addition to the above standards, Visa also issued best practice guidance on data field encryption in October last year. The guidelines were created as Visa recognises that data field encryption is a useful approach that can simplify PCI DSS compliance. Though it covers more than just the POS, it is very much part of the mix of initiatives, as Visa is chair of the ANSI X9F6 Standards Working Group that is working on the new standard to protect sensitive cardholder data.
The best practices are based on the following security objectives:
- Cardholder and authentication data should only be available at the points of encryption and decryption
- Encryption key management solutions should follow international and/or regional standards
- Key lengths and cryptographic algorithms should follow international and/or regional standards
- Devices used to perform cryptographic operations should be independently assessed to ensure they are protected against compromise
- If cardholder data is needed after authorisation (for example when processing recurring payments, customer loyalty programs or in fraud management), a transaction ID or token should be used instead of the data itself
More recently, in July 2010, Visa also released its "Best Practices for Tokenisation" giving high level guidance for this alternative for protecting cardholder data. It is interesting to note that not all the data security documents published so far specify a Tamper Resistant Security Module (TRSM) for the protection of keys and sensitive cardholder data at all points where sensitive data is encrypted/decrypted.
However, recent research commissioned by Thales showed that qualified security assessors (QSAs), who audit the compliance of retailers and acquirers to meet PCI-DSS regulations, do recognise the value of hardware security in meeting regulations: 81% of QSAs surveyed recommend or require hardware security modules to manage data protection.
If the actions by all these various groups seem to be overkill, it is important to remember that the ultimate goal is to secure payment card information, which is in the best interest of consumers, merchants and all other entities involved in the payments card industry. With a bit of understanding about how each set of guidelines and standards overlaps, proper controls can be implemented to satisfy the best practices recommended by each document and prevent those involved in implementing these standards from doubling up on their efforts. Given the ever present threat of card fraud, such efforts are vital.