Merchants and processors may find Payment Card Industry Security Standards Council requirements for the use of advanced encryption hardware to secure card data useful, but encryption alone is not security’s “silver bullet,” fraud-prevention vendors say.
With the council holding its annual meeting with participating organizations in Scottsdale, Ariz., this week, much discussion likely will center on its recently released requirements for the best use of advanced encryption, known in the industry as point-to-point encryption (
Vendors of encryption, tokenization or other data-security methods express an ongoing need for various layers of data protection, but each has differing views on the hardware requirements for encryption use.
The council’s requirements were needed because the “marketplace had run ahead of the council,” with vendors selling an array of encryption products that left merchants and processors wanting to know which ones were compliant, says Steve Brunswick, strategy manager for Paris-based Thales e-Security Inc.
At the council meeting, European bank representatives likely will continue their push for advanced encryption to be considered the only security measure needed to comply with the PCI Data Security Standard, Simon Gamble, co-founder and business development director of Auckland, New Zealand-based Mako Networks Ltd., tells PaymentsSource.
“Because they have the EMV smart card (securing data in the card’s computer chip) in Europe, they feel they only need that and encryption to be compliant,” Gamble says. “But I agree with the council in saying that we need a layered approach to security and that there has to be several measures, and all must be compliant.”
Merchants view payment-security breaches as a problem for banks and card processors to resolve, but banks should not dictate security measures because they tend to view the issue from the standpoint of lower compliance costs rather than embracing best standards, Gamble contends.
Regardless of the debate about whether advanced encryption can be a do-all, end-all security option, Brunswick contends the council’s requirements were significant because for the first time they stressed the importance of the hardware security module.
Under the requirements, data should be securely decrypted with the module–a small box usually located near a payment system network server–on the back end of the encryption process, Brunswick says.
“It’s not a surprising part of the requirements, but it is important because that is the way a PIN should be stored anyway,” Brunswick says.
The requirements also emphasize using separate keys to encrypt a PIN and when transferring that data to a hardware security module, Brunswick says.
A hardware security module may be the most effective security tool, but Brunswick also realizes software applications will drive some data encryption security methods. As such, the council will need to review and advise merchants on which software complies.
Ulf Mattsson, chief technology officer for Stamford, Conn.-based Protegrity, a tokenization and encryption vendor, expresses concern that the hardware security module requirement will restrict merchants who may not want to pay $400 for a module and vendors who may have to change their security programs based on hardware requirements.
Mattsson believes a fully software-based or a hybrid software/hardware approach is more urgent for the industry, along with guidance for mobile payments and securing payments in cloud and virtualized environments.
Ultimately, organizations must work to protect data flow in many layers to cover various payment methods, Mattsson says.