The Secure POS Vendor Alliance, an organization founded by payment-terminal makers Hypercom Corp., Ingenico S.A. and VeriFone Systems Inc., has released standards requiring the terminal industry to handle payment devices properly from the moment they are produced to when they are loaded with customer encryption keys.
The new requirements are designed to increase accountability for payment-device vendors, manufacturers, key injection providers responsible for the initial loading of payment devices, acquirers and security-audit firms, the alliance said in a June 15 press release.
“The current standards in the post-manufacturing stage cannot provide complete authenticity, and we feel that we have identified a list of [provisions] to improve security,” Roberto Fananas, Hypercom security manager, said in the release.
The guidelines require the industry to store and transport payment devices safely, transfer devices properly from manufacturers to the companies that perform the initial key load, ensure devices have secure mechanisms for authenticating their identity, and initiate processes to identify and respond to security incidents.
In addition, the guidelines require the industry to ensure vendors performing outsourced functions in the post-manufacturing phase meet security requirements and to perform audits at planned intervals to ensure security requirements are met.
The working group that wrote the guidelines included representatives of Atos Worldline S.A./N.V., Heartland Payment Systems Inc., Chase Paymentech LLC, Radiant Systems Inc. and Voltage Security Inc., the release said.











