Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:10 PM
Connect Directly

Payment Systems Group Issues End-To-End Encryption Guidelines

POS vendor group rolls out requirements for encrypting card data, ahead of PCI group

A point-of-sale vendor-led group today issued guidelines for end-to-end encryption that could provide a glimpse into the shape of cardholder data protection.

The Secure POS Vendor Alliance (SPVA) is aiming these guidelines at vendors of these products, the merchants who buy and use them, and payment processors. The document defines what data should be encrypted during transmission, key management, physical and logical security for tamper-resistant security modules, and the monitoring and management of encryption systems.

SPVA's encryption guidelines for payment systems come on the heels of new requirements by the PCI Security Standards Council (SSC) for PIN transaction device vendors, which were released earlier this month. PTS Version 3.0 is a streamlined version of the PCI's requirements in POS PIN entry devices, encrypting PIN pads, and unattended payment terminals. It also adds modules for testing the secure reading and encryption of cardholder data, called Secure Reading and Exchange of Data (SRED).

The next version PCI DSS is due in October. The PCI Standards Council plans to separately provide guidance on end-to-end encryption of cardholder data, as well as on tokenization and chip-and-pin cards, officials there say.

So how do SPVA's guidelines jive with PCI's current and future ones?

"I expect huge correlation and alignment here," says Dave Faoro, chair of the SPVA end-to-end encryption technical working group and also a member of the PCI board of advisers. "We're looking at it to make sure we are not missing anything. If there are any conflicts, I know I'm going to hear about it."

SPVA's members includes Hypercom, Ingenico, VeriFone, Atos Worldline, Heartland Payment Systems, Chase Paymentech, Radiant Systems, and Voltage Security.

Faoro, who is vice president and CSO at VeriFone, one of the co-founders of SPVA, says his working group gave the PCI Standards Council a copy of SPVA's guidelines (PDF) as well. "PCI DSS will probably be less specific than we are in our document," he says, referring to the upcoming version of PCI DSS. "There's nothing out there right now" besides the SPVA document, so he expects its efforts to ultimately dovetail with that of PCI.

But according to a PCI executive, SPVA's work won't become a supplement to PCI DSS.

"The PCI Security Standards Council applauds all efforts designed to educate merchants and others in the payment chain on the necessity of protecting payment card data, and we appreciate that the SPVA has brought forward a document exploring point-to-point encryption in an effort to reduce compliance validation scope for merchants. However, these are recommendations and not a supplement to the PCI DSS," says Troy Leach, chief technology officer for the PCI Security Standards Council.

"The Council will soon provide guidance on emerging technologies, including point-to-point encryption. Already, the recently released PIN Transaction Security requirements (PTS) that include a module for Secure Reading and Exchange of Data (SRED) provides a standard for encryption of account data at the originating endpoint, with more guidance for implementation to follow later this year."

And PCI SSC "will provide clear direction for maintaining the integrity and confidentiality of account data," he adds.

According to SPVA, end-to-end encryption is the transmission of cardholder data in an encrypted form from when it's first scanned or presented and in such a way that the data isn't seen in plain text until it's decrypted.

SPVA's document also says card numbers, track data, and security codes all must be encrypted, and it includes magnetic strip, smart card, contactless, and manual entry cardholder data. It also specifies the detection and monitoring of encryption systems, as well as using hardware security modules. "If you can't trust the encryption, you can't trust the data," Faoro says.

"There needs to be detection and monitoring of your encryption system. If you have locks on the door, when it opens up, bad guys go through those locks and an alarm should sound," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-14
Cross Site Scripting (XSS) in Group Office CRM 6.4.196 via the SET_LANGUAGE parameter.
PUBLISHED: 2021-04-14
A Server-Side Request Forgery (SSRF) vulnerability in Group Office 6.4.196 allows a remote attacker to forge GET requests to arbitrary URLs via the url parameter to group/api/upload.php.
PUBLISHED: 2021-04-14
The Windows Installation component of TIBCO Software Inc.'s TIBCO Messaging - Eclipse Mosquitto Distribution - Core - Community Edition and TIBCO Messaging - Eclipse Mosquitto Distribution - Core - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker with l...
PUBLISHED: 2021-04-14
The Windows Installation component of TIBCO Software Inc.'s TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Community Edition and TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker wi...
PUBLISHED: 2021-04-14
In Deark before 1.5.8, a specially crafted input file can cause a NULL pointer dereference in the dbuf_write function (src/deark-dbuf.c).