As the old joke goes, “the great thing about standards is that there are so many to choose from.” This certainly seems to be the case with point-of-sale (POS) devices, where there are now a number of overlapping initiatives aimed at improving payment card security. While this may seem unnecessarily redundant, it is important that POS vendors, retailers/merchants and financial services organisations understand how each of these initiatives relates to the others and how they can help keep sensitive information safe.
Recently, the Secure POS Vendor Alliance (SPVA) issued an End-to-End Encryption Security Requirements document designed to help make transactions more secure. The guidelines overlap with other recommendations from at least two other entities. Fortunately for retailers, so too do the systems required to follow them.
The efforts of the SPVA parallel the work of the ASC X9 group, which is working on a new standard aimed at protecting sensitive payment data. ASC X9 is an ANSI Accredited Standards Committee (ASC) made up of members from the financial services industry.
Meanwhile, the PCI Security Standards Council (PCI-SSC), which is managed by major payment card schemes like American Express, JCB, MasterCard and Visa, recently issued revised requirements of its own. These new guidelines bring together PIN Entry Devices (including POS devices) under a common Point-of-Interaction (POI) document, known as the PCI PTS-POI. The new document now also includes requirements for interfacing with open networks as well as the protection of cardholder account data. It is related to another set of requirements from PCI-SSC called PCI-DSS, which deals with cardholder data security in the payment transaction process (not only within the POS).
For retailers and other entities trying to make sense of all these new guidelines, the good news is that many of the recommendations relate to protection of data with the goal of “end-to-end” encryption. Here is a summary of how the initiatives relate—and how they are, in fact, entirely complementary:
We can perhaps expect the SPVA document (which already refers to the PCI PTS-POI predecessor specification) and PCI PTS-POI to be updated in time to refer to the X9.119 standard, since they both already reference other X9 standards related to key management and encryption technology, thereby completing the circle.
It is interesting to note that not all the data security documents published so far specify a Tamper Resistant Security Module (TRSM) for the protection of keys and sensitive cardholder data. However, a recent study showed that Qualified Security Assessors (QSAs), who audit the compliance of retailers and acquirers to meet PCI-DSS regulations, do recognise the value of hardware security in meeting regulations—81 percent of QSAs surveyed recommend or require Hardware Security Modules (HSMs) to manage data protection.
If the actions by all these various groups seem to be overkill, it is important to remember that the ultimate goal is to secure payment card information, which is in the best interest of consumers, merchants and all other entities involved in the payment card industry. With a bit of understanding of how each set of guidelines overlaps, proper controls can be implemented to satisfy the best practices recommended by each document. Given the ever-present threat of card fraud, such efforts are vital.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.