The Green Sheet Online Edition
July 28, 2008 • Issue 08:07:02
PCI SSC adds new payment device types
As part of its continuing effort to strengthen cardholder data security, the Payment Card Industry (PCI) Security Standards Council (SSC) added two new payments industry device types to its PCI PIN Entry Device program.
Unattended payment terminals (UPTs) - such as self-service vending machines, kiosks and automated fuel pumps - and hardware security modules (HSMs) can now undergo the testing and approval program to ensure they comply with industry standards for securing sensitive data at all points in the transaction process. The inclusion of UPTs and HSMs in the PCI PED security requirements reflects an expansion in the ways consumers make payments at the POS.
Simplified and streamlined
The PCI council provides vendors with one authority to consult for testing and certification and allows merchants access to a broad repository of information on approved devices.
"You can't expect a merchant who is looking for a payment application for a POS device to do research and ring vendors to find out if they've gone through an appropriate certification process," said Tim Cranny, Chief Executive Officer of Panoptic Security Inc., a PCI compliance solutions provider. "One of the big elements of the PCI's addition of these devices is to simplify and streamline the process." Merchants can visit the council's Web site to access documents containing the requirements and evaluation procedures necessary to validate compliance, a list of devices that meet compliance criteria, and the steps for submitting a device and obtaining approval.
Manufacturers are responsible for submitting their devices to council-approved labs for evaluation and approval. Thus, when merchants and other stakeholders are looking for solutions, they can choose from PCI-approved products that meet a defined set of minimum security requirements.
Safe and secure
"PIN entry devices go well beyond the typical POS terminals we are all familiar with, and we are continually expanding into more areas," said Bob Russo, General Manager, PCI SSC. "Any device that processes personal identification numbers is an important link in the transaction chain. By including both UPTs and HSMs in the PED security requirements, the council is reaffirming its commitment to developing additional standards to meet the needs of the industry and to ensure continued safety and security for consumers." HSMs are used in support of acquiring and issuing activities, including:
- Generating data used to personalize both mag stripe and smart chip cards
- Supporting the secure generation and use of cryptographic keys
- Securing the processing and conveyance of cardholder PINs during transactions
- Verifying PINs to authorize payment transactions
"One of the problems with the Internet is that it's not too difficult to eavesdrop on communications," Cranny said. "So basically an HSM is a closed-box cryptographic device that ensures the confidentiality and the integrity of those communications. What [PCI] is doing here with the introduction of these standards is just establishing what constitutes a good crypto setup for these communications."
Welcoming and beneficial
The PCI SSC encourages UPT and HSM manufacturers to join the council as participating organizations. "Since you're bringing [UPTs and HSMs] under PCI, you actually want these manufacturers involved in the process, because the real benefit of being on the council is being engaged in the process and being able to constructively shape the conversation and the development of standards," Cranny said. He likens the new parameters for UPT and HSM compliance to an automobile maker's obligation to make cars "road-worthy." For more information, visit www.pcisecuritystandards.org, or e-mail the PCI council at email@example.com.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.