The Secure POS Vendor Alliance (SPVA) is aiming these guidelines at vendors of these products, the merchants who buy and use them, and payment processors. The document defines what data should be encrypted during transmission, key management, physical and logical security for tamper-resistant security modules, and the monitoring and management of encryption systems.
SPVA's encryption guidelines for payment systems come on the heels of new requirements by the PCI Security Standards Council (SSC) for PIN transaction device vendors, which were released earlier this month. PTS Version 3.0 is a streamlined version of the PCI's requirements for POS PIN entry devices, encrypting PIN pads, and unattended payment terminals. It also adds modules for testing the secure reading and encryption of cardholder data, called Secure Reading and Exchange of Data (SRED).
The next version of PCI DSS is due in October. The PCI Standards Council plans to separately provide guidance on end-to-end encryption of cardholder data, as well as on tokenization and chip-and-PIN cards, officials there say.
So how do SPVA's guidelines jibe with PCI's current and future ones?
"I expect huge correlation and alignment here," says Dave Faoro, chair of the SPVA end-to-end encryption technical working group and also a member of the PCI board of advisers. "We're looking at it to make sure we are not missing anything. If there are any conflicts, I know I'm going to hear about it."
SPVA's members include Hypercom, Ingenico, VeriFone, Atos Worldline, Heartland Payment Systems, Chase Paymentech, Radiant Systems, and Voltage Security.
Faoro, who is vice president and CSO at VeriFone, one of the co-founders of SPVA, says his working group gave the PCI Standards Council a copy of SPVA's guidelines (PDF) as well. "PCI DSS will probably be less specific than we are in our document," he says, referring to the upcoming version of PCI DSS. "There's nothing out there right now" besides the SPVA document, so he expects its efforts to ultimately dovetail with those of PCI.
But according to a PCI executive, SPVA's work won't become a supplement to PCI DSS.
"The PCI Security Standards Council applauds all efforts designed to educate merchants and others in the payment chain on the necessity of protecting payment card data, and we appreciate that the SPVA has brought forward a document exploring point-to-point encryption in an effort to reduce compliance validation scope for merchants. However, these are recommendations and not a supplement to the PCI DSS," says Troy Leach, chief technology officer for the PCI Security Standards Council.
"The Council will soon provide guidance on emerging technologies, including point-to-point encryption. Already, the recently released PIN Transaction Security requirements (PTS) that include a module for Secure Reading and Exchange of Data (SRED) provide a standard for encryption of account data at the originating endpoint, with more guidance for implementation to follow later this year."
And PCI SSC "will provide clear direction for maintaining the integrity and confidentiality of account data," he adds.
According to SPVA, end-to-end encryption is the transmission of cardholder data in an encrypted form from when it's first scanned or presented and in such a way that the data isn't seen in plain text until it's decrypted.
SPVA's document also says card numbers, track data, and security codes all must be encrypted, and it covers magnetic stripe, smart card, contactless, and manually entered cardholder data. It also specifies the detection and monitoring of encryption systems, as well as the use of hardware security modules. "If you can't trust the encryption, you can't trust the data," Faoro says.
"There needs to be detection and monitoring of your encryption system. If you have locks on the door, when it opens up, bad guys go through those locks and an alarm should sound," he says.
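As an added example (not from the SPVA document or any vendor named in this story) of the detection and monitoring Faoro describes: a check that treats every record leaving a capture device as suspect unless its card number, track data and security-code fields are opaque ciphertext, and raises an alarm on any record that still parses as plaintext cardholder data. The record layout, the `ENC:` prefix and the sample records are all constructed for the example.

```python
import re

# Field-level monitoring for a point-to-point encryption deployment. A healthy
# capture device emits only ciphertext for PAN, track and security-code fields,
# so plaintext in any of them means the encryption system has failed.
PAN_RE = re.compile(r"\b\d{13,19}\b")
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]*\^\d{4}")      # %B<PAN>^<NAME>^<YYMM>...
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")                # ;<PAN>=<YYMM>...
CVV_FIELD_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)=(\d{3,4})\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, used to tell a real PAN from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_plaintext_card_data(record: str) -> list:
    """Return the kinds of plaintext cardholder data present in one record."""
    findings = []
    if TRACK1_RE.search(record):
        findings.append("track1")
    if TRACK2_RE.search(record):
        findings.append("track2")
    if CVV_FIELD_RE.search(record):
        findings.append("security_code")
    if any(luhn_ok(m.group()) for m in PAN_RE.finditer(record)):
        findings.append("pan")
    return findings


def monitor(records) -> list:
    """Alarm list: (record index, findings) for every record that leaked plaintext."""
    alarms = []
    for i, rec in enumerate(records):
        findings = find_plaintext_card_data(rec)
        if findings:
            alarms.append((i, findings))
    return alarms


# Constructed sample records (hypothetical format): the first is what a healthy
# device emits, the remaining three simulate encryption failures.
SAMPLE_RECORDS = [
    "pan=ENC:Q2lwaGVydGV4dA==;track2=ENC:Tm90UGxhaW4=;cvv2=ENC:U2VjcmV0;amount=1999",
    "pan=4111111111111111;exp=2512;amount=1999",
    "track2=;4111111111111111=25121011000000000?;amount=500",
    "pan=ENC:Q2lwaGVydGV4dA==;cvv2=123;amount=42",
]
```

Running `monitor(SAMPLE_RECORDS)` flags records 1 to 3 (a bare PAN, plaintext track 2 data, and a plaintext CVV2) and leaves the fully encrypted record alone.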