Secure POS Vendor Alliance releases end-to-end encryption requirements

"The SPVA's end-to-end security requirements guidelines set a baseline for the industry and represent the first step to further strengthen payment security standards globally," said T.K. Cheung, SPVA chairman and Hypercom vice president global quality & security. "We will be enhancing this guideline as the security environment evolves and will announce each update as it occurs."

Prepared by the association's End-to-End Encryption Technical Working Group, the newly released SPVA guideline allows companies to engage different solutions and select products that can be trusted and are secure. Key elements covered by the SPVA-approved standard include:

* Data to be encrypted during transmission
* Key management
* Physical and logistical security of the Tamper-Resistant Security Module and key components
* Encryption monitoring and management systems requirements

The SPVA defines end-to-end as: the transmission of cardholder data in an encrypted form, from its point of presentment, such that it prevents the data from being known in plain text until the point of decryption.

"SPVA does not endorse any specific vendor's solution, nor does it have any intention of supporting one solution over another," said Steven Hughes, SPVA president. "We recognize that end-to-end encryption requirements can be complex. Against this backdrop, our goal is to use existing published standards and provide an auditable set of requirements that creates a secure payment environment."

Since its launch in April 2009, SPVA has experienced rapid growth with prominent industry leaders joining, including Atos Worldline, Heartland Payment Systems, Chase Paymentech, Radiant Systems, Inc., Voltage Security and many others. All members are eligible to participate in SPVA's Technical Working Groups and contribute to future industry standard publications.