If a merchant plans to use advanced data encryption as a credit card data security measure, the Payment Card Industry Security Standards Council now has some guidelines for how best to go about it.
September 15
Acquirers and processors are giving greater attention to the hardware-security module used to protect card data while transactions are processed.
Hardware-security modules serve as the "lock box" of a transaction-processing system. Processors most often use them near the back end of their network servers. Depending on their size, retail merchants using advanced encryption also may place the modules near cash registers or mobile card-swipe devices on the front end of a PIN-payment system. Merchants accepting only credit cards also could have a module built into the keyboard on a cash register.
The Payment Card Industry Security Standards Council may not require the modules to be compliant with the PCI data security standard's rules on encryption, but card processors and merchant acquirers should ensure they are, says Jose Diaz, director of technical development for the French company Thales e-Security Inc.
In the past, incorporating a module that the major card brands supported was a challenge for equipment vendors — and a concern for card issuers fearing merchant security breaches — because neither Visa Inc. nor MasterCard Inc. provided module-certification programs, Diaz says.
"There were only some recommendations and general standards to follow, but no detailed program to ensure security compliance," Diaz says.
The PCI council created a certification process for hardware security modules supported by the card networks in April 2009. The council established new recommendations in September for module use in the advanced, or so-called "end-to-end," encryption process, Diaz says.
Before the payments industry began compliance testing under the PCI data security standard, acquirers and processors relied on Federal Information Processing Standards compliance, which did not fully address the use of hardware security modules in the payments industry, Diaz says.
The federal testing confirms the module is tamper-proof and can perform general data encryption, but PCI testing addresses such necessary payments functions as encryption, decryption, key management, vendor use of algorithms for encryption and protocols for use in ATM networks, Diaz says.
Acquirers and processors seeking a tamper-resistant security module should obtain PCI and federal certifications, but as advanced encryption takes hold, PCI compliance will be the most critical, he says.
Thales provides payShield9000, a PCI-compliant module that processors can monitor remotely, the company said in a press release.
Acquirers should assess each merchant's situation when considering a hardware-security module and its compliance-testing process, to ensure the module is appropriate for that merchant, says Brian Riley, senior research director and analyst with TowerGroup.
"There is no doubt that a hardware-security module really creates a high level of cryptographics, but it's not likely that the guy running Joe's Deli is going to need it," Riley says. "But [an acquiring and processing] company like First Data Corp. would need better protection, and they have it."
Retail merchants would be likely to question whether the work of the module was redundant in a system that had other protections in place for data, he says.
Hardware-security modules always will have a place in data security because software, or the advancement of cloud computing, too often leaves data "out in the open," Diaz says.