POS Security Standards Go Beyond PIN Protection

Thales: 13 August 2010 (Special Report)
As point-of-sale card transactions continue to grow as the preferred retail payment choice, Steve Brunswick and Jose Diaz of Thales detail the standards that need to be adhered to and what they mean.
Security is arguably one of the biggest challenges when it comes to payments and as a result there are numerous security standards governing the entire payment transaction lifecycle. As cards become the preferred method of payment across the developed world, the Point of Sale (POS) environment has been subject to an increasing array of security mandates with a particular focus on protecting PINs at the POS and beyond. However, PINs form only a small element of the information carried on payment cards and so there is a growing need to ensure the protection of other types of cardholder data, such as the Primary Account Number (PAN), across the entire transaction process.

Today, there are three main initiatives under way that apply to the protection of this data and aim to improve overall payment card security at the POS, between the POS and the acquirer and beyond. Many POS vendors, retailers/merchants and financial services organizations are struggling to understand these different initiatives and how they need to apply them to their business. In this article, Thales looks at the complicated POS security standard landscape and provides clarity on what the industry needs to do to ensure compliance.

Outlining the main standards

The first of the three main POS security initiatives is the Secure POS Vendor Alliance's (SPVA) guidelines on end-to-end security. These aim to promote good information security practices at merchants to reduce their information security risks related to account data. The SPVA's guidelines overlap with recommendations from at least two other entities. The ASC X9F6 Standards Working Group, which is made up of members from the financial services industry, is working on a new standard aimed at protecting sensitive payment data. Meanwhile, the Payment Card Industry Security Standards Council (PCI-SSC), which is managed by major payment card schemes like American Express, JCB, Discover, MasterCard and Visa, recently issued revised requirements of its own.

The PCI-SSC's new guidelines bring together PIN Entry Devices (including POS devices) under a common document, known as PCI PTS-POI (PCI PIN Transaction Security Point of Interaction). The new document now also includes requirements for interfacing with open networks as well as the protection of cardholder account data. It is related to another set of requirements from PCI-SSC called PCI-DSS, which deals with cardholder data security in the payment transaction process (not only within the POS).

Making sense of the standards

For those parties trying to make sense of all these new guidelines, the good news is that many of the recommendations relate to the protection of data with the goal of "end-to-end" encryption or tokenization. Here is a summary of how the initiatives relate - and how they are, in fact, entirely complementary:

The SPVA document is the first to cover what should be encrypted "end-to-end," general requirements of how it should be encrypted, and the tamper-resistant environment of the POS. Though this document is an important step forward, it contains only voluntary guidelines at this stage. The standard covers the following areas:

• Data to be encrypted during transmission
• Key management
• Physical and logical security of the Tamper-Resistant Security Module and key components
• Encryption monitoring and management systems requirements

The new PCI PTS-POI standard (PCI PIN Transaction Security, Point of Interaction) brings together requirements that were previously covered in three separate documents for Point of Sale PIN Entry Devices (PED), Encrypting PIN Pads (EPP), and Unattended Payment Terminals (UPT). This standard simplifies the testing process and eliminates overlap of documentation by providing one modular security evaluation program for all terminals and a single reference listing of approved products.

PCI PTS-POI contains a new Secure Reading and Exchange of Data (SRED) requirements module that gives POI vendors a clear set of security criteria for the protection of account data that they must build and test against. Vendors can now build devices to a defined standard for protecting data as it is read and then encrypted for exchange. Like the SPVA document, it covers the physical and logical environment, encryption that can be used, and so on. This is a critical first step in the establishment of a secure "end-to-end" encryption infrastructure, although the standard does not provide specific details of the methods or encryption technology that POI vendors must use for protecting data.

The ASC X9 working group is part of the standards organization responsible for the development of all financial services standards in the U.S. ASC X9 intends to deliver a standard (X9.119) with specific security requirements for the protection of sensitive payment data using encryption and tokenization methods. This is a vital piece in defining what and how sensitive information should be protected from a standards body with representation from a broad spectrum of the financial services industry. Rather than specifying one way of protecting data, the standard will cover a number of different approaches. This is a pragmatic solution, as there are several valid ways to protect data, and vendors are already working together to provide solutions using a number of approaches.
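The SPVA "data to be encrypted during transmission" area, the SRED requirement that account data is encrypted as soon as it is read, and the X9.119 encryption-and-tokenization approaches above all describe the same data flow. The following Python block is an added illustration of that flow, not code from the article or from Thales: the PAN is encrypted inside the POI under a per-transaction key, the merchant system only ever handles a token plus a masked PAN, and the acquirer host decrypts and tokenizes. The base key, PAN and the HMAC-based key derivation and keystream are constructed stand-ins for the AES and key-management schemes a real terminal and HSM would use.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample values, not real card data or real keys.
TERMINAL_BASE_KEY = b"constructed-terminal-base-key-32b"  # loaded into the POI at key injection
PAN = "4111111111111111"  # well-known test PAN, not a live account


def luhn_ok(pan: str) -> bool:
    """Check digit validation, so a misread PAN is rejected before it is encrypted and sent."""
    digits = [int(d) for d in pan][::-1]
    total = sum(d if i % 2 == 0 else (d * 2 - 9 if d * 2 > 9 else d * 2)
                for i, d in enumerate(digits))
    return total % 10 == 0


def mask(pan: str) -> str:
    """Display form for receipts: first six and last four only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def txn_key(base_key: bytes, counter: int) -> bytes:
    """Per-transaction data key derived from the terminal base key (HMAC KDF; illustrative)."""
    return hmac.new(base_key, b"data|" + counter.to_bytes(4, "big"), hashlib.sha256).digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with an HMAC-derived keystream; a stand-in for the AES a real POI would use."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def poi_capture(pan: str, counter: int) -> dict:
    """Inside the POI: read the PAN and encrypt it at once; only ciphertext and a masked PAN leave."""
    if not luhn_ok(pan):
        raise ValueError("PAN failed check digit")
    nonce = os.urandom(12)
    ct = keystream_xor(txn_key(TERMINAL_BASE_KEY, counter), nonce, pan.encode())
    return {"counter": counter, "nonce": nonce.hex(), "enc_pan": ct.hex(), "masked_pan": mask(pan)}


VAULT = {}  # acquirer-side token vault (in memory here; an HSM-backed store in practice)


def acquirer_decrypt(msg: dict) -> str:
    """Acquirer host: recompute the transaction key from the shared base key and decrypt."""
    key = txn_key(TERMINAL_BASE_KEY, msg["counter"])
    return keystream_xor(key, bytes.fromhex(msg["nonce"]), bytes.fromhex(msg["enc_pan"])).decode()


def acquirer_tokenize(pan: str) -> str:
    """Issue a random token the merchant can keep for refunds instead of the PAN."""
    token = secrets.token_hex(8)
    VAULT[token] = pan
    return token
```

The merchant record for the sale is then just the token and `masked_pan`, which is the point of the end-to-end approach: the PAN exists in clear only inside the POI and at the acquirer.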

We can perhaps expect the SPVA document (which already refers to the predecessor to the PCI PTS-POI specification) and PCI PTS-POI to be updated in time to refer to the X9.119 standard, since they both already reference other X9 standards related to key management and encryption technology, thereby completing the circle.

While these different, but overlapping standards may seem like a headache for those involved in adopting them, they are all aimed at achieving a worthy goal: enhancing the security of payment card information. Once the various standards are broken down and properly understood, the commonalities between them can be identified and proper controls can be implemented to satisfy the best practices or specifications recommended by each document without duplicating efforts. Given the ever-present threat of card fraud, putting the work in now will pay dividends in the future.