
Efforts to create a common set of requirements for so-called “end-to-end” encryption moved forward last week when the Secure POS Vendor Alliance released its End-To-End Encryption Security Requirements.
The standard, which addresses such elements as which data should be encrypted and how to physically secure point-of-sale terminals, is “more of a carrot than a stick approach,” Dave Faoro, chairman of the alliance’s encryption technical working group, tells ISO&Agent Weekly.
Faoro hopes that organizations ambivalent about this type of advanced encryption because of the lack of an industrywide definition will see the requirement as a good idea.
“This supplies a baseline,” says Faoro, who also is chief security officer and vice president at VeriFone Systems Inc., a San Jose, Calif.-based POS-terminal maker.
VeriFone, along with competitors Hypercom Corp. of Scottsdale, Ariz., and France-based Ingenico S.A., formed the trade group in April 2009 as a way to develop common methods to measure payment-device security.
Companies incorporating the alliance’s encryption standard will have to submit their products to an accredited lab, Faoro says. Selection of the labs is under way.
“This is a step forward and hopefully will put pressure on other bodies in the industry to take some action,” Robert O. Carr, CEO and chairman of Heartland Payment Systems Inc., tells ISO&Agent Weekly. Carr also is the associate member director of the alliance.
“This will be a catalyst to continue to bring the industry together and improve security technology for merchants,” Carr says. This type of requirement “would have been nice a long time ago, but it is done now,” he says.










