Payment Systems Group Issues End-To-End Encryption Guidelines

POS vendor group rolls out requirements for encrypting card data, ahead of PCI group


A point-of-sale vendor-led group today issued guidelines for end-to-end encryption of payment card data, offering an early look at how cardholder data protection is likely to be standardized.

The Secure POS Vendor Alliance (SPVA) is aiming these guidelines at POS vendors, the merchants who buy and use POS systems, and payment processors. The document defines what data should be encrypted during transmission, key management, physical and logical security for tamper-resistant security modules, and the monitoring and management of encryption systems.

SPVA's encryption guidelines for payment systems come on the heels of new requirements from the PCI Security Standards Council (SSC) for PIN transaction device vendors, released earlier this month. PTS Version 3.0 is a streamlined version of PCI's requirements for POS PIN entry devices, encrypting PIN pads, and unattended payment terminals. It also adds a module for testing the secure reading and encryption of cardholder data, called Secure Reading and Exchange of Data (SRED).

The next version of PCI DSS is due in October. The PCI Standards Council plans to separately provide guidance on end-to-end encryption of cardholder data, as well as on tokenization and chip-and-PIN cards, officials there say.

So how do SPVA's guidelines square with PCI's current and future ones?

"I expect huge correlation and alignment here," says Dave Faoro, chair of the SPVA end-to-end encryption technical working group and also a member of the PCI board of advisers. "We're looking at it to make sure we are not missing anything. If there are any conflicts, I know I'm going to hear about it."

SPVA's members include Hypercom, Ingenico, VeriFone, Atos Worldline, Heartland Payment Systems, Chase Paymentech, Radiant Systems, and Voltage Security.

Faoro, who is vice president and CSO at VeriFone, one of the co-founders of SPVA, says his working group gave the PCI Standards Council a copy of SPVA's guidelines (PDF) as well. "PCI DSS will probably be less specific than we are in our document," he says, referring to the upcoming version of PCI DSS. "There's nothing out there right now" besides the SPVA document, so he expects its efforts to ultimately dovetail with that of PCI.

But according to a PCI executive, SPVA's work won't become a supplement to PCI DSS.

"The PCI Security Standards Council applauds all efforts designed to educate merchants and others in the payment chain on the necessity of protecting payment card data, and we appreciate that the SPVA has brought forward a document exploring point-to-point encryption in an effort to reduce compliance validation scope for merchants. However, these are recommendations and not a supplement to the PCI DSS," says Troy Leach, chief technology officer for the PCI Security Standards Council.

"The Council will soon provide guidance on emerging technologies, including point-to-point encryption. Already, the recently released PIN Transaction Security requirements (PTS) that include a module for Secure Reading and Exchange of Data (SRED) provide a standard for encryption of account data at the originating endpoint, with more guidance for implementation to follow later this year."

And PCI SSC "will provide clear direction for maintaining the integrity and confidentiality of account data," he adds.

According to SPVA, end-to-end encryption means cardholder data is encrypted from the moment it is first read or presented and stays encrypted in transit, so that it never appears in plaintext until it reaches the decryption point.

SPVA's document also says card numbers, track data, and security codes must all be encrypted, whether the cardholder data comes from a magnetic stripe, a smart card, a contactless read, or manual entry. It also specifies detection and monitoring of encryption systems, as well as the use of hardware security modules. "If you can't trust the encryption, you can't trust the data," Faoro says.

"There needs to be detection and monitoring of your encryption system. If you have locks on the door, when it opens up, bad guys go through those locks and an alarm should sound," he says.
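To make the definition and the monitoring point concrete, here is an added example (not SPVA's, PCI SSC's or any vendor's code) of the flow the guidelines describe: a terminal encrypts the card record the instant it is read, the merchant POS only ever handles ciphertext plus a masked PAN, and the processor, which alone holds the key, decrypts and verifies integrity. A Luhn-based scan over everything the POS sees stands in for the "alarm" Faoro describes, flagging any plaintext card number that would mean encryption was bypassed. The cipher is an HMAC-SHA256 encrypt-then-MAC stand-in chosen so the file runs on the Python standard library alone; the key, the test PAN and the track data are constructed for the example, and a real terminal would use AES inside a certified tamper-resistant module with DUKPT-style key derivation, neither of which is implemented here.

```python
"""Added example of a point-to-point encryption flow; not SPVA or PCI SSC code.
Stand-in cipher (HMAC-SHA256 CTR keystream + HMAC tag) so this runs on the
standard library; a real terminal would use AES in a certified TRSM."""
import base64
import hashlib
import hmac
import json
import os
import re

# Constructed test key, shared only by the terminal and the processor.
TERMINAL_KEY = hashlib.sha256(b"example terminal key, not a real key").digest()


def luhn_ok(digits: str) -> bool:
    """Luhn check: validates a card read and hunts for leaked PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def encrypt(key: bytes, plaintext: bytes, nonce: bytes = b"") -> dict:
    """Encrypt-then-MAC; encryption and MAC keys are derived per purpose."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = nonce or os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": _b64(nonce), "ct": _b64(ct), "tag": _b64(tag)}


def decrypt(key: bytes, env: dict) -> bytes:
    """Verify the tag before touching the ciphertext; a bad tag is an alarm."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = (base64.b64decode(env[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity failure: envelope was tampered with")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


TRACK2 = re.compile(r"^;?(\d{13,19})=(\d{4})\d*\??$")


def terminal_swipe(key: bytes, track2: str, cvv: str) -> dict:
    """Terminal secure-module side: the only place before the processor
    where the clear PAN, track data and security code exist."""
    m = TRACK2.match(track2)
    if not m or not luhn_ok(m.group(1)):
        raise ValueError("unreadable card")
    pan = m.group(1)
    record = json.dumps({"track2": track2, "cvv": cvv}).encode()
    env = encrypt(key, record)
    # Only a masked PAN leaves the module, for the receipt and cashier display.
    env["pan_masked"] = "*" * (len(pan) - 4) + pan[-4:]
    return env


PAN_HUNT = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_clear_pans(text: str) -> list:
    """Merchant-side monitoring hook: a Luhn-valid 13-19 digit run in what
    the POS logs or forwards means the encryption was bypassed."""
    return [m.group(0) for m in PAN_HUNT.finditer(text) if luhn_ok(m.group(0))]


def processor_decrypt(key: bytes, env: dict) -> dict:
    """Processor side, where the key lives (an HSM in practice)."""
    return json.loads(decrypt(key, env))


def demo() -> dict:
    # Constructed sample card: the standard Visa test PAN, not a real account.
    track2 = ";4111111111111111=2512101123456789?"
    env = terminal_swipe(TERMINAL_KEY, track2, "123")
    merchant_view = json.dumps(env)          # everything the POS ever sees
    leaked = find_clear_pans(merchant_view)  # should be empty
    cleared = processor_decrypt(TERMINAL_KEY, env)
    tampered = dict(env, ct=env["ct"][:-4] + "AAAA")  # corrupt the ciphertext
    try:
        processor_decrypt(TERMINAL_KEY, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"merchant_sees_pan": bool(leaked), "masked": env["pan_masked"],
            "processor_pan": cleared["track2"][1:17], "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The scope argument the article's sources make rests on the first function: if the PAN, track data and security code are encrypted before they reach merchant software, the merchant never holds the key, and the monitoring scan stays empty, the merchant systems carry only ciphertext. Running find_clear_pans over what a broken or bypassed terminal emits is the point at which the "alarm should sound."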


About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
