Though some have questioned whether the Payment Card Industry data security standard does enough to protect card data, in Europe the standard has become a catalyst for getting companies to take security seriously.
September 28
The payment industry's focus on adding encryption at the point of sale to protect card data is counterproductive. MagTek's CEO says that the PCI Council, in pushing advanced encryption, is doing more harm than good.
September 27 
Any card-acceptance device can be tested and approved for eligibility to use advanced encryption under an update to the PIN Transaction Security program — even if those devices do not accept PIN transactions.
Such devices could use point-to-point encryption to scramble the text of card data into an unreadable format. The updated requirements that the Payment Card Industry Security Standards Council published Friday are directed at manufacturers of terminals and card-readers to help them build devices, but current equipment can also be tested.
"Basically, we'll be taking any piece of new hardware or existing hardware out there that [users] want to encrypt and be able to test it in our labs to assure it can accept encryption," says Bob Russo, general manager of the PCI Council.
In addition, the requirements and testing now extend to the various methods of accessing credit card data through mobile devices, Russo says.
Merchants using magnetic-stripe readers or card-reader plug-ins will be able to ensure that these types of secure card readers have been tested and approved to encrypt data before it reaches a mobile phone or tablet (such as an iPad), thus reducing the scope of their requirements for compliance with the PCI standard, Russo adds.
The requirement updates resulted from feedback gathered at the recent PCI Council community meeting in Arizona, Russo says.
Device-testing occurs at any of seven PCI labs located in Europe, Asia and North America. If a new device from a manufacturer fails the test, it likely could be remedied with a software fix. If an older device fails and cannot be updated, the merchant might consider buying newer hardware, Russo says.
The updated PIN Transaction Security program requirements and a list of approved devices are posted on the PCI Council's website for merchants to review, Russo says.





