Thales Blog

How Many POS Security Documents Does One Need?

August 11, 2010

As the old joke goes, “the great thing about standards is that there are so many to choose from.” This certainly seems to be the case with point-of-sale (POS) devices, where there are now a number of overlapping initiatives aimed at improving payment card security. While this may seem unnecessarily redundant, it is important that POS vendors, retailers/merchants and financial services organizations understand how each of these initiatives relates to the others and how they can help keep sensitive information safe.

Recently, the Secure POS Vendor Alliance (SPVA) issued an End-to-End Encryption Security Requirements document designed to help make transactions more secure. The guidelines overlap with recommendations from at least two other entities. Fortunately for retailers, the systems required to comply with them overlap as well, so a single set of controls can serve more than one document.

The efforts of the SPVA parallel the work of the ASC X9 group, which is working on a new standard aimed at protecting sensitive payment data. ASC X9 is an ANSI Accredited Standards Committee (ASC) made up of members from the financial services industry.

Meanwhile, the PCI Security Standards Council (PCI-SSC), which is managed by major payment card schemes like American Express, JCB, MasterCard and Visa, recently issued revised requirements of its own. These new guidelines bring together PIN Entry Devices (including POS devices) under a common Point-of-Interaction (POI) document, known as the PCI PTS-POI. The new document now also includes requirements for interfacing with open networks as well as the protection of cardholder account data. It is related to another set of requirements from PCI-SSC called PCI-DSS, which deals with cardholder data security in the payment transaction process (not only within the POS).

For retailers and other entities trying to make sense of all these new guidelines, the good news is that many of the recommendations relate to protection of data with the goal of “end-to-end” encryption. Here is a summary of how the initiatives relate—and how they are, in fact, entirely complementary:

  • The SPVA document is the first to cover what should be encrypted “end-to-end,” general requirements of how it should be encrypted and the tamper-resistant environment of the POS. This document is an important step forward, but it contains only voluntary guidelines at this stage.
  • The new PCI PTS-POI Secure Reading and Exchange of Data (SRED) requirements module gives POI vendors a clear set of security criteria for the protection of account data that they must build and test against. This is a critical first step to establishing a secure “end-to-end” encryption infrastructure, although the module does not prescribe the specific methods or encryption technology that POI vendors must use to protect the data.
  • The ASC X9 working group intends to deliver a standard (X9.119) with specific security requirements for the protection of sensitive payment data using encryption and tokenization methods. This is a vital piece in defining what sensitive information should be protected and how, coming from a standards body with representation from a broad spectrum of the financial services industry.

We can perhaps expect the SPVA document (which already refers to the PCI PTS-POI predecessor specification) and PCI PTS-POI to be updated in time to refer to the X9.119 standard, since they both already reference other X9 standards related to key management and encryption technology, thereby completing the circle.

It is interesting to note that not all the data security documents published so far specify a Tamper Resistant Security Module (TRSM) for the protection of keys and sensitive cardholder data. However, a recent study showed that Qualified Security Assessors (QSAs), who audit the compliance of retailers and acquirers with PCI-DSS requirements, do recognise the value of hardware-based key protection in meeting those requirements: 81 percent of QSAs surveyed recommend or require Hardware Security Modules (HSMs) to manage data protection.

If the actions by all these various groups seem to be overkill, it is important to remember that the ultimate goal is to secure payment card information, which is in the best interest of consumers, merchants and all other entities involved in the payment card industry. With a bit of understanding about how each set of guidelines overlaps, proper controls can be implemented to satisfy the best practices recommended by each document. Given the ever-present threat of card fraud, such efforts are vital.