An organization that develops technical standards for the financial industry is working to develop a standard for protecting sensitive payment card data in transit.
The Accredited Standards Committee X9 Inc., based in Annapolis, Md., is preparing to launch its "Protection of Sensitive Card Data Between Device and Acquiring System" initiative. ASC X9, which is accredited by the American National Standards Institute, has developed industry security standards for ATMs and other financial systems.
The goal is to develop an open standard for encrypting cardholder data at the merchant point-of-sale terminal and keeping it encrypted as it's transferred to the processing system of the merchant's acquiring bank, said Sid Sidner, director of security engineering at ACI Worldwide Inc., a New York-based provider of electronic payments software. There are proprietary solutions for providing that encryption but no standards, said Sidner, who is leading the initiative.
The project addresses an area not covered by the PCI Data Security Standard, which has encryption requirements for stored data and for data transmitted over public networks, he said.
"If we could find a way to encrypt the data at the payment terminal and keep it encrypted back to the acquiring bank, then we've come up with a way to be even stronger than what the PCI DSS requires," he said, adding that the data would be protected on merchant internal networks.
Heartland Payment Systems Inc. is hosting a preliminary planning workshop on the ASC X9 standards effort in Texas on Thursday. The Princeton, N.J.-based payment processor, which said in January that its systems were breached last year, announced the initiative last week. Bob Carr, Heartland chairman and CEO, has been advocating "end-to-end" encryption in the wake of the breach.
About 55 people were scheduled to attend the meeting either in person or via phone, Sidner said, and they represent payment software providers, POS vendors, hardware security module makers, merchants and cryptographic consultants. The results will be presented at ASC X9's initial standards development meeting, scheduled for the first week of June.
The encryption standard would not require an overhaul of the entire payment network, and should be a relatively inexpensive way for merchants to harden their systems, Sidner said. "We're basically talking software changes all the way up the line between the POS terminal and the acquiring bank," he said.
Ultimately, the payment card brands would need to approve such a standard, he said.
Asked about the ASC X9 project, Bob Russo, general manager of the PCI Security Standards Council, which maintains the PCI DSS, said in a prepared statement that the council is "committed to building an ecosystem of payment security supporters and advocates to secure credit card transactions globally."
"Initiatives that look at new approaches to protecting sensitive payment cardholder data are a good thing," he said. "Heartland is a participating organization of the council and we value their feedback and contributions regarding PCI Standards. The council welcomes any positive steps to protect all stakeholders in the payment process."
Others, however, expressed some skepticism about the standards effort. David Taylor, founder of the PCI Knowledge Base and research director of the PCI Security Vendor Alliance, said it appears to be -- in theory -- an extension of the PCI DSS. It will likely be two or three years before a standard is completed, he added.
"Of course, if you're a card brand or a card processor, being able to say that you are 'actively working on a standard to improve credit card security' is pretty handy if, say, a Barney Frank or a Christopher Dodd should just happen to summon you to testify before a committee investigating the industry," he wrote in an email.
Randall Gamby, an independent information security analyst based in New York, said a new encryption standard wouldn't necessarily fix the breach problem. He added that it could also require merchants to buy or lease new POS devices, which would be an economic burden for smaller retailers.