POS Standards

by msecadm4921

Steve Brunswick, Transaction Security Strategy Manager, and Jose Diaz from Thales seek to clarify the growing number of Point of Sale security standards.

As cards become the preferred method of payment across the developed world, protecting PINs and cardholder data at the Point of Sale (POS) has become key to preventing fraud. It is little wonder, therefore, that the POS environment has become subject to a growing number of security initiatives. The majority of existing security mandates relate to the protection of PINs; however, since stolen cardholder data can be used in non-EMV-compliant countries and for online transactions, there is a growing need to protect other types of cardholder data, such as the Primary Account Number (PAN), across the entire transaction process.

Three main initiatives aim to protect cardholder data and improve overall payment card security at the POS, between the POS and the acquirer, and beyond. However, it is a complicated landscape and many of the documents behind the initiatives overlap. As a result, there is some confusion among POS vendors, retailers/merchants and financial services organisations about the different documents and how they should be applied to their business. This is what this article seeks to clarify.

The Big Three:

The first of the three main initiatives is the Secure POS Vendor Alliance’s (SPVA) guidelines on end-to-end security, which aim to promote good information security practices at merchants to reduce their information security risks related to account data. The SPVA’s guidelines, however, overlap with the recommendations from the other two initiatives, including those of the Payment Card Industry Security Standards Council (PCI-SSC), which is managed by major payment card schemes such as American Express, JCB, Discover, MasterCard and Visa, and which recently issued revised requirements of its own.

The PCI-SSC’s new guidelines bring together PIN Entry Devices (including POS devices) under a common document, known as PCI PTS-POI (PCI PIN Transaction Security Point of Interaction). The new document now also includes requirements for interfacing with open networks as well as the protection of cardholder account data. It is related to another set of requirements from PCI-SSC called PCI-DSS, which deals with cardholder data security in the payment transaction process (not only within the POS).

Finally, the ASC X9F6 Standards Working Group, which is made up of members from the financial services industry, is working on a new standard aimed at protecting sensitive payment data.

What this means in practice:

For those parties trying to make sense of all these new guidelines, the good news is that many of the recommendations relate to the protection of data with the goal of “end-to-end” encryption or tokenization. Here is a summary of how the initiatives relate and are, in fact, entirely complementary:

The SPVA document is the first to cover what should be encrypted “end-to-end,” general requirements of how it should be encrypted, and the tamper-resistant environment of the POS. Though this document is an important step forward, it currently contains only voluntary guidelines and covers the following areas:

• Data to be encrypted during transmission
• Key management
• Physical and logical security of the Tamper-Resistant Security Module and key components
• Encryption monitoring and management systems requirements

The new PCI PIN Transaction Security (PTS) Point of Interaction (POI) PCI PTS-POI Standard brings together requirements that were previously covered in three separate documents for Point of Sale PIN Entry Devices (PED), Encrypting PIN Pads (EPP), and Unattended Payment Terminals (UPT). This standard simplifies the testing process and eliminates overlap of documentation by providing one modular security evaluation program for all terminals and a single reference listing of approved products.

PCI PTS-POI contains a new Secure Reading and Exchange of Data (SRED) requirements module that gives POI vendors a clear set of security criteria for the protection of account data that they must build and test against. Vendors can now build devices to a defined standard for protecting data as it is read and then encrypted for exchange. Like the SPVA document, it covers the physical and logical environment, encryption that can be used, and so on. This is a critical first step in the establishment of a secure “end-to-end” encryption infrastructure, although the standard does not provide specific details of the methods or encryption technology that POI vendors must use for protecting data.

The ASC X9F6 working group is part of the standards organization responsible for the development of all financial services standards in the U.S. ASC X9 intends to deliver a standard (X9.119) with specific security requirements for the protection of sensitive payment data using encryption and tokenization methods. This is a vital piece in defining what and how sensitive information should be protected from a standards body with representation from a broad spectrum of the financial services industry. Rather than specifying one way of protecting data, the standard will cover a number of different approaches. This is a pragmatic solution, since there are numerous ways to protect data, all of which are valid, and vendors are already working together to provide solutions using a number of approaches.

The SPVA document (which already refers to the predecessor of the PCI PTS-POI specification) and PCI PTS-POI may in time be updated to refer to the X9.119 standard, since they both already reference other X9 standards related to key management and encryption technology, thereby completing the circle.

Additional best practice guidance:

In addition to the above standards, Visa also issued best practice guidance on data field encryption in October last year. The guidelines were created as Visa recognizes that data field encryption is a useful approach that can simplify PCI Data Security Standard (DSS) compliance. Though it covers more than just the POS, it is very much part of the mix of initiatives, as Visa is chair of the ANSI X9F6 Standards Working Group that is working on the new standard to protect sensitive cardholder data. The best practices are based on the following security objectives:

• Cardholder and authentication data should only be available at the points of encryption and decryption
• Encryption key management solutions should follow international and/or regional standards
• Key lengths and cryptographic algorithms should follow international and/or regional standards
• Devices used to perform cryptographic operations should be independently assessed to ensure they are protected against compromise
• If cardholder data is needed after authorization (for example when processing recurring payments, customer loyalty programmes or in fraud management), a transaction ID or token should be used instead of the data itself

More recently, in July 2010, Visa also released its “Best Practices for Tokenization”, giving high-level guidance on this alternative approach to protecting cardholder data.

It is interesting to note that not all the data security documents published so far specify a Tamper Resistant Security Module (TRSM) for the protection of keys and sensitive cardholder data at all points where sensitive data is encrypted or decrypted. However, recent research commissioned by Thales showed that Qualified Security Assessors (QSAs), who audit the compliance of retailers and acquirers with PCI-DSS requirements, do recognize the value of hardware security in meeting those requirements: 81 per cent of QSAs surveyed recommend or require Hardware Security Modules (HSMs) to manage data protection.

These initiatives may seem like a headache; however, they are complementary in many ways and there is overlap across the three. Before jumping into the task of compliance, it is worth spending time breaking down the documents and working out the commonalities between them all. This will help ensure that duplication of effort is avoided and that proper controls can be implemented to satisfy the best practices or specifications recommended by each document. As the industry looks to combat card fraud, a thorough understanding of initiatives such as these, combined with the implementation of the security measures they cover, will help ensure the challenge of data protection remains a surmountable one.

© 2024 Professional Security Magazine. All rights reserved.