Monday, July 7, 2008
As part of its continuing effort to strengthen cardholder data security, the Payment Card Industry (PCI) Security Standards Council (SSC), which manages the PCI Data Security Standard (DSS), PCI PIN Entry Device (PED) security requirements and the Payment Application DSS, added two new payments industry device types to the PCI PED program.
Unattended payment terminals (UPTs), such as self-service vending machines, kiosks and automated fuel pumps, and hardware security modules (HSMs), which are cryptographic devices in payment systems, can now undergo the testing and approval program to ensure they comply with industry standards for securing sensitive data at all points in the transaction process.
The inclusion of UPTs and HSMs in the PED security requirements reflects an expansion in the marketplace in the ways consumers make payments at the POS.
The PCI council provides vendors with one authority to consult for testing and certification and allows merchants access to a broader repository of information on approved devices.
"You can't expect a merchant who is looking for a payment application for a POS device to do research and ring vendors to find out if they've gone through an appropriate certification process," said Tim Cranny, Chief Executive Officer of Panoptic Security Inc., a PCI compliance solutions provider. "One of the big elements of the PCI's addition of these devices is to simplify and streamline the process."
According to a spokesperson for the PCI SSC, merchants can visit the council's Web site to access documents containing:
Manufacturers are responsible for submitting their devices to council-approved labs for evaluation and approval. Thus, when merchants and other stakeholders are looking for solutions, they can choose from PCI-approved products that meet a defined set of minimum security requirements.
"PIN entry devices go well beyond the typical POS terminals we are all familiar with, and we are continually expanding into more areas," said Bob Russo, General Manager, PCI SSC. "Any device that processes personal identification numbers is an important link in the transaction chain.
"By including both UPTs and HSMs in the PED security requirements, the council is reaffirming its commitment to developing additional standards to meet the needs of the industry and to ensure continued safety and security for consumers."
HSMs are used in support of acquiring and issuing activities, including the following:
"One of the problems with the Internet is that it's not too difficult to eavesdrop on communications," Cranny said. "So basically HSM is a closed box cryptographic device that ensures the confidentiality and the integrity of those communications. What [PCI] is doing here with the introduction of these standards is just establishing what constitutes a good crypto setup for these communications."
The PCI SSC encourages UPT and HSM manufacturers to join the council as participating organizations. Such membership gives manufacturers an opportunity to review and provide feedback on draft requirements and processes for testing and certifying devices.
"Since you're bringing [UPTs and HSMs] under PCI, you actually want these manufacturers involved in the process, because the real benefit of being on the council is being engaged in the process and being able to constructively shape the conversation and the development of standards," Cranny said.
He likens the new parameters for UPT and HSM compliance to an automobile maker's obligation to make cars "road-worthy."
"Certainly there will be some changes, but this sort of thing has happened a dozen times in the past," he added. "The effect on ISOs is that now there is another filter for being able to sell more stuff.
"Yes, you need to compete on prices and features, but even more important now, as this particular market matures, if you're not on the good list, then you're just out of the running."
For more information on the PCI SSC's compliance requirements for UPTs and HSMs, as well as on how to become a participating organization, visit www.pcisecuritystandards.org, or e-mail the PCI council at email@example.com.