In light of recent Payment Card Industry Security Standards Council recommendations regarding advanced encryption, acquirers and processors are giving greater attention to the hardware-security module used to protect card data while transactions are processed, a technician who specializes in security devices suggests.
The council may not require the modules to comply with PCI regarding encryption, but card processors and merchant acquirers should ensure they do, Jose Diaz, director of technical development for France-based Thales e-Security Inc., tells ISO&Agent Weekly.
Hardware-security modules serve as the “lock box” of a transaction-processing system, and processors most often use them near the back end of their network servers. Depending on their size, retail merchants using advanced encryption also may place the modules near cash registers or mobile card-swipe devices on the front end of a PIN-payment system. Merchants accepting only credit cards also could have a module built in to the keyboard on a cash register, Diaz says.
In the past, incorporating a module the major card brands supported was a challenge for equipment vendors, and a concern for card issuers fearing merchant security breaches, because neither Visa Inc. nor MasterCard Worldwide provided module-certification programs, Diaz says.
“There were only some recommendations and general standards to follow, but no detailed program to ensure security compliance,” Diaz says.
The PCI council, which the major card brands established, created a certification process in April 2009 for the hardware-security modules the card schemes supported. In September the council issued new recommendations for module use in the advanced, or so-called “end-to-end,” encryption process, Diaz adds.
Before PCI Data Security Standard compliance testing existed, acquirers and processors relied on Federal Information Processing Standards (FIPS) compliance, which did not fully address hardware-security modules, Diaz says.
The federal testing confirms the module is tamper-proof and can perform general data encryption, but PCI testing addresses such necessary payment functions as encryption, decryption, key management, vendors’ use of encryption algorithms, and protocols for use in ATM networks, Diaz says.
Acquirers and processors seeking a tamper-resistant security module should obtain both PCI and federal certifications, but as advanced encryption takes hold, PCI compliance will be the most critical, he adds.
Thales provides payShield9000, a PCI-compliant module that processors can monitor remotely, the company stated in a press release.
Acquirers should assess their merchants’ situation when considering a hardware-security module and its compliance-testing process to ensure it is appropriate, Brian Riley, senior research director and analyst with Needham, Mass.-based TowerGroup, tells PaymentsSource.
“There is no doubt that a hardware-security module really creates a high level of cryptographics, but it’s not likely that the guy running Joe’s Deli is going to need it,” Riley says. “But [an acquiring and processing] company like First Data Corp. would need better protection, and they have it.”
Hardware-security modules in a health care industry payments system become even more important because Health Insurance Portability and Accountability Act information might be combined with credit card data in a patient file, Riley suggests.
But retail merchants would be more likely to question whether the work of the module was redundant in a system that had other protections for data, he adds.
When the PCI council announced its hardware recommendations for advanced encryption, security experts and vendors reminded acquirers and merchants that their security issues were not altogether solved.
PCI established the advanced-encryption recommendations, with their emphasis on hardware-security modules, as part of its process of gathering feedback from participating organizations to determine the industry’s most pressing security needs.
Diaz contends hardware-security modules always will have a place in data security because software, or the advancement of cloud computing, too often leaves data “out in the open.”
Other security experts indicate advanced encryption will remain a key security tool acquirers can offer to merchants.