Digital Transactions Authoritative, insightful and timely information for payments professionals
The PCI Security Standards Council this week updated its standards governing point-to-point data encryption (P2PE) and card-reading devices for the point of sale, ATMs, kiosks and mobile devices.
One of the key changes in the new Version 2.0 of the P2PE standard will make it easier for security-solutions providers to assemble individual components validated for use in P2PE services. That change will give merchants, depending on their security needs, more options than being forced to choose between vendors’ full-service P2PE packages.
“This prevents vendor lock-in,” Troy Leach, chief technology officer at the Wakefield, Mass.-based PCI Council, tells Digital Transactions News.
A related change also enables vendors to update or add components to an existing, PCI-validated P2PE product without having to re-certify the entire product. “We’ve simplified the [change] process,” says Leach.
Still another change gives merchants more freedom to manage their own data encryption and decryption environments. Because of the technological wherewithal required, management of encryption and decryption processes traditionally has been the domain of third-party vendors. Two large merchants, however, have expressed interest in taking on such functions themselves, according to Leach, and more might in the future.
The PCI Council oversees the main Payment Card Security data-security standard and its related standards governing card-processing software, hardware and security operations. Card-accepting merchants, processors and vendors must meet whichever PCI standards apply to their businesses.
Meanwhile, the “modular security requirements” in the new Version 4.1 of the PIN Transaction Security (PTS) Point of Interaction (POI) standard spell out updated requirements for POS terminals, ATMs and other card-reading devices. They largely apply to hardware manufacturers and testing laboratories, according to Leach.
The update builds on Version 4.0 of the PTS POI standard, which was introduced two years ago. It called for more testing of card-accepting devices and made revisions in security rules for open protocols. Those requirements were meant to ensure that card readers using open security protocols and open communication protocols to access public networks and services did not have vulnerabilities that hackers could exploit.
A new testing requirement in Version 4.1 calls for validating vendors’ documentation of their policies and procedures for complying with PCI device-management rules during the manufacturing process and up to the loading of electronic security keys.
The PCI Council will keep a close eye on those and related issues with the coming of EMV chip cards to the United States, says Leach. “Open protocols and software security within a terminal will continue to be a focus for the PCI Council beyond 2015,” he says.
