Vendors providing merchants and processors with advanced encryption for card-data security now have a better idea of what standards the payments industry expects those systems to meet.
The Payment Card Industry Security Standards Council has issued an update to its advanced, or “end-to-end,” encryption requirements (the council’s own term is point-to-point encryption, or P2PE) for vendors as they relate to hardware they build for merchants, the council announced April 27.
The council first released its advanced encryption requirements last September in what council leaders called the opening phase in establishing what vendors and merchants must do for the encryption fraud-protection option to be PCI-compliant, Bob Russo, PCI Council general manager, tells PaymentsSource.
The update represents the next phase in establishing encryption requirements because it clarifies previous PCI information and “puts more meat” into explaining what vendors must do when creating systems, Russo says.
Besides providing more guidance for vendors, the updated requirements also provide information for the council’s qualified security assessors regarding testing of encryption services already installed in a payments network, Russo notes.
To coincide with the new information for assessors, the council has scheduled training sessions for assessors May 11 to 13 in Denver and June 25 to 27 in Manchester, England.
By next fall, the council hopes to have a list of validated point-to-point encryption systems that meet PCI standards for posting on the council website, Russo adds.
The use of advanced encryption, that is, converting sensitive cardholder data from plaintext to ciphertext at the card reader at the point of sale and keeping it encrypted in transit until it reaches the security module at the processor, remains optional for merchants, Russo says.
However, merchants will benefit from understanding the requirements for vendors because use of a compliant system can reduce their PCI testing and compliance costs, he adds.
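To make the scope-reduction argument concrete, the following is an added illustration (not code from the council, PaymentsSource or any vendor) of the flow the previous paragraphs describe: the reader encrypts the PAN the moment it is read, the merchant’s system only forwards an opaque blob, and only the processor’s security module holds the key that can recover it. It assumes AES-256-GCM for the transport encryption and uses a hypothetical per-terminal key derivation (SHA-256 over a base key and terminal ID) purely as a stand-in for the HSM-managed key scheme a real P2PE solution would use; the PAN is a constructed test number and the base key is a constructed demo value.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// samplePAN is a constructed test card number (a widely used Visa test PAN), not real cardholder data.
const samplePAN = "4111111111111111"

// deriveTerminalKey stands in for key injection: the processor's security module holds baseKey
// and derives a distinct key for each terminal, so one compromised reader does not expose the
// traffic of every other reader. This is a hypothetical, simplified derivation (SHA-256 over the
// base key and terminal ID), not the key-management scheme of any real P2PE solution.
func deriveTerminalKey(baseKey []byte, terminalID string) []byte {
	h := sha256.New()
	h.Write(baseKey)
	h.Write([]byte(terminalID))
	return h.Sum(nil) // 32 bytes, used as an AES-256 key
}

// encryptAtPOI models the card reader: the PAN is encrypted with AES-256-GCM as soon as it is
// read, so plaintext never leaves the secure device. It returns the nonce and the ciphertext
// (with the GCM authentication tag appended).
func encryptAtPOI(terminalKey []byte, pan string) (nonce, ciphertext []byte, err error) {
	block, err := aes.NewCipher(terminalKey)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	ciphertext = gcm.Seal(nil, nonce, []byte(pan), nil)
	return nonce, ciphertext, nil
}

// merchantSeesPAN models the merchant's point-of-sale system, which only stores and forwards the
// blob. It reports whether the PAN is present in what the merchant handles; for a working P2PE
// flow this must be false, which is what lets the merchant's systems drop out of PCI DSS scope.
func merchantSeesPAN(forwarded []byte, pan string) bool {
	return bytes.Contains(forwarded, []byte(pan))
}

// decryptAtProcessor models the processor's security module, the only place besides the reader
// where the terminal key exists. GCM authentication fails if the blob was altered in transit or
// was encrypted under a different terminal's key.
func decryptAtProcessor(terminalKey, nonce, ciphertext []byte) (string, error) {
	block, err := aes.NewCipher(terminalKey)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(nonce) != gcm.NonceSize() {
		return "", errors.New("bad nonce length")
	}
	pt, err := gcm.Open(nil, nonce, ciphertext, nil)
	if err != nil {
		return "", fmt.Errorf("decryption or authentication failed: %w", err)
	}
	return string(pt), nil
}

func main() {
	baseKey := []byte("0123456789abcdef0123456789abcdef") // constructed demo key; a real HSM generates its own
	termKey := deriveTerminalKey(baseKey, "TERM-0001")

	nonce, blob, err := encryptAtPOI(termKey, samplePAN)
	if err != nil {
		panic(err)
	}
	fmt.Println("merchant can see the PAN:", merchantSeesPAN(blob, samplePAN))

	pan, err := decryptAtProcessor(termKey, nonce, blob)
	fmt.Println("processor recovered PAN:", pan, "err:", err)

	blob[0] ^= 0x01 // simulate tampering in transit
	_, err = decryptAtProcessor(termKey, nonce, blob)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The point a merchant should take from the vendor conversation Leach describes below is visible in `merchantSeesPAN`: what matters for scope is not that the vendor “encrypts”, but that no key capable of recovering the PAN ever exists on merchant-controlled systems, and that the decrypting party, not the merchant, is the one holding the key and the liability.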
Troy Leach, PCI Council chief technology officer, contends the new requirements equip merchants with information they will need when shopping for fraud protection.
“The merchant community needs to be well-equipped to know the truth about a possible sales line from a vendor when it comes to reducing PCI scope,” Leach tells PaymentsSource.
Security responsibility doesn’t go away, even if a vendor touts a system that “keeps card data off the merchant system,” Leach contends.
The vendor still has to show its product is PCI-compliant, and the merchant must understand who is responsible for data security and for potential breaches when working with an acquirer, Leach adds.
The updated requirements will likely garner a little more industry attention in the wake of a breach, such as the one Global Payments Inc. experienced last month, Russo contends.
“Any breach signals a wake-up call in the industry for merchants and processors, and it sparks an interest in looking for a way to protect themselves,” Russo says.