News Stay informed about the latest enterprise technology news and product updates.

Organization aims to develop encryption standard for card data

The initiative would create an industry standard for encrypting cardholder data at point-of-sale devices through to back-end processing systems.

An organization that develops technical standards for the financial industry is working to develop a standard for protecting sensitive payment card data in transit.
To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

The Accredited Standards Committee X9 Inc., based in Annapolis, Md., is preparing to launch its "Protection of Sensitive Card Data Between Device and Acquiring System" initiative. ASC X9, which is accredited by the American National Standards Institute, has developed industry security standards for ATMs and other financial systems.

The goal is to develop an open standard for encrypting cardholder data at the merchant point-of-sale terminal and keeping it encrypted as it's transferred to the processing system of the merchant's acquiring bank, said Sid Sidner, director of security engineering at ACI Worldwide Inc., a New York-based provider of electronic payments software. There are proprietary solutions for providing that encryption but no standards, said Sidner, who is leading the initiative.

Data encryption: Pre-implementation best practices: In this video, Eric Leighninger of Allstate Insurance Co. offers best practices on laying the groundwork for full-disk encryption in your enterprise.

Laptop encryption options: Laptop security is essential for financial firms. In this tip, encryption expert Noah Schiffman explains the different options companies have to secure their laptops.

Look before leaping into database encryption: Encryption is the ultimate mechanism for data protection, but the process of developing an encryption strategy can be daunting.

The project addresses an area not covered by the PCI Data Security Standard, which has encryption requirements for stored data and for data transmitted over public networks, he said.

"If we could find a way to encrypt the data at the payment terminal and keep it encrypted back to the acquiring bank, then we've come up with a way to be even stronger than what the PCI DSS requires," he said, adding that the data would be protected on merchant internal networks.

Heartland Payment Systems Inc. is hosting a preliminary planning workshop on the ASC X9 standards effort in Texas on Thursday. The Princeton, N.J.-based payment processor, which said in January that its systems were breached last year, announced the initiative last week. Bob Carr, Heartland chairman and CEO, has been advocating "end-to-end" encryption in the wake of the breach.

About 55 people were scheduled to attend the meeting either in person or via phone, Sidner said, and they represent payment software providers, POS vendors, hardware security module makers, merchants and cryptographic consultants. The results will be presented at ASC X9's initial standards development meeting led for the first week of June.

SearchSecurity radio:

The encryption standard would not require an overhaul of the entire payment network, and should be a relatively inexpensive way for merchants to harden their systems, Sidner said. "We're basically talking software changes all the way up the line between the POS terminal and the acquiring bank," he said.

Ultimately, the payment card brands would need to approve such a standard, he said.

Asked about the ASC X9 project, Bob Russo, general manager of the PCI Security Standards Council, which maintains the PCI DSS, said in a prepared statement that the council is "committed to building an ecosystem of payment security supporters and advocates to secure credit card transactions globally."

"Initiatives that look at new approaches to protecting sensitive payment cardholder data are a good thing," he said. "Heartland is a participating organization of the council and we value their feedback and contributions regarding PCI Standards. The council welcomes any positive steps to protect all stakeholders in the payment process."

Others, however, expressed some skepticism about the standards effort. David Taylor, founder of the PCI Knowledge Base and research director of the PCI Security Vendor Alliance, said it appears to be -- in theory -- an extension of the PCI DSS. It will likely be two or three years before a standard is completed, he added.

"Of course, if you're a card brand or a card processor, being able to say that you are 'actively working on a standard to improve credit card security' is pretty handy if, say, a Barney Frank or a Christopher Dodd should just happen to summon you to testify before a committee investigating the industry," he wrote in an email.

Randall Gamby, an independent information security analyst based in New York, said a new encryption standard wouldn't necessarily fix the breach problem. He added that it could also require merchants to buy or lease new POS devices, which would be an economic burden for smaller retailers.

Dig Deeper on Network security devices for financial institutions

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.