Source: Secure POS Vendor Alliance
The Secure POS Vendor Alliance (SPVA), a non-profit business organization founded by Hypercom (NYSE: HYC), Ingenico S.A. (EURONEXT: ING) and VeriFone (NYSE: PAY), announces the release of standards for the post-manufacturing stage of a secure payment device. The new guidelines require that a payment device be properly handled from the moment it is produced to the moment it is loaded with customer keys.
The newly introduced requirements are designed to increase accountability for numerous stakeholders, including payment device vendors, manufacturers, key injection providers responsible for the initial loading of the payment device, acquirers and security audit firms.
"The current standards in the post-manufacturing stage cannot provide complete authenticity and we feel that we have identified a list of solutions to improve security," said Roberto Fananas, Hypercom security manager. "The SPVA's guidelines for the post-manufacturing stage ensure that key data and materials used in the key loading process meet specific security requirements, thus eliminating the risk of fraudulent behavior."
Prepared by the association's Lifecycle of a Secure Payment Device Technical Working Group, the guidelines feature key elements including:
• Secure storage and transport: The payment device must be stored and transported in a manner that meets requirements for security and accountability.
• Transfer and accountability: Documented processes must be in place to ensure the accountability for the device is properly transferred from the manufacturer to the entity performing the initial key load.
• Authentication: The payment device must have a secure mechanism authenticating the identity of the device.
• Key management: Documented processes must be in place to identify and respond to any security incidents.
• Incident response: Documented processes must be in place to identify and respond to any security incidents.
• Outsourcing: When any process of the post-manufacturing stage is outsourced, the outsourcing organization must ensure that the vendor meets the security requirements of that process.
• Auditing: Audits must be performed at planned intervals to ensure that the security requirements are met.
"The recommended guidelines by our Lifecycle of a Secure Payment Device Technical Working Group are designed to meet the security objectives of confidentiality, integrity, accountability, authenticity and non-repudiation," said Steven Hughes, SPVA president. "The ultimate goal is to protect cardholder information and defend merchants and acquirers against security breaches."
The release of requirements for the post-manufacturing stage of a payment device will conclude the work of the SPVA's Lifecycle of a Secure Payment Device Technical Working Group.
Since its launch in April 2009, SPVA has experienced rapid growth with prominent industry leaders joining, including Atos Worldline, Heartland Payment Systems, Chase Paymentech, Radiant Systems, Inc., Voltage Security and many others. All members are eligible to participate in SPVA's Technical Working Groups and contribute to future industry standard publications.