There is no shortage of security standards when it comes to protecting the payment transaction life cycle.
Standards to protect PINs at the point of sale (POS), for example, have been in place for a number of years, but it is equally important to protect other types of cardholder data such as the primary account number (PAN) across the entire transaction process.
There are three main initiatives underway today that apply to the protection of this data and aim to improve overall payment card security at the POS, between the POS and the acquiring bank and beyond.
While the POS security standard landscape may seem complicated, when these various initiatives are broken down and analyzed, commonalities can be identified. What's more, the implementation of single security technologies, such as end-to-end encryption or tokenization, can support compliance across all three initiatives.
Given the complexity of the payment security standards environment, combined with the practical requirement to comply, greater clarification is needed to ensure that POS vendors, retailers/merchants and financial services organizations understand how each of these initiatives relates to the others and, ultimately, how they can help keep sensitive information safe. So, let's look at these three initiatives in more detail.
The Secure POS Vendor Alliance's (SPVA) recent document on "End-to-End Encryption Security Requirements" is designed to help make transactions more secure. The SPVA is a nonprofit organization that works with the multiple stakeholders of the payment value chain. In its own words, the SPVA aims to develop an end-to-end security framework and to enhance security elements of payment solutions, which protect cardholder information and defend merchants and acquirers against security breaches, while reducing fraud and lowering risk for all electronic payment stakeholders. Its end-to-end security guidelines overlap with other recommendations from at least two other entities. Fortunately for retailers, so too do the systems required to follow them.
The efforts of the SPVA parallel the work of the ASC X9F6 Standards Working Group, which is working on a new standard aimed at protecting sensitive payment data. ASC X9 is an ANSI Accredited Standards Committee (ASC) made up of members from the financial services industry.
Meanwhile, the Payment Card Industry Security Standards Council (PCI-SSC), which is managed by major payment card schemes such as American Express, JCB, Discover, MasterCard and Visa, recently issued revised requirements of its own. These new guidelines bring PIN entry devices (including POS devices) together under a common document known as PCI PTS-POI (PCI PIN Transaction Security Point of Interaction). The new document now also includes requirements for interfacing with open networks as well as for the protection of cardholder account data. It is related to another set of requirements from PCI-SSC, PCI-DSS, which deals with cardholder data security throughout the payment transaction process (not only within the POS).