PCI Update Gets Mixed Reviews
Experts Call POS Revision 'a Good Start,' But Reserve Judgment
The revised standard is meant to strengthen security and prevent payment card fraud on devices that accept payment transactions, and it will cover everything from retail point-of-sale card readers to unattended payment terminals at gas stations and parking lots.
But does the standard go far enough to secure the merchant endpoint?
"We'll have to give this some time and see," says Dave Shackleford, a security expert at Sword & Shield, a computer and network security firm in Atlanta, GA. "It's a great start, combining all of the guidance under one program and simplifying assessment and evaluation of PIN entry devices. This is ultimately a good thing, since the assessment process was very fragmented before."
Inevitably, breaches will still occur, says Dr. Anton Chuvakin, a noted PCI expert. "Well-resourced cybercrime operations can still manage to get their hands on the card data, and that probably always will be the case," he says. "This is the reality of information security, not just today's but probably tomorrow's as well."
'Helping, Not Hindering Security'
Up to now there were three separate sets of requirements for Point of Sale PIN Entry Devices (PED), Encrypting PIN Pads (EPP), and Unattended Payment Terminals (UPT). This version of the standard simplifies the testing process and eliminates overlap of documentation by providing one modular security evaluation program for all terminals and a single reference listing of approved products.
The latest changes will result in an increased level of security at the endpoint, says Bob Russo, general manager, PCI Security Standards Council. "PTS (PIN Transaction Security) is all about securing the end points - or the point of interaction, as the Council calls it." Using a secure device from the PCI-SSC approved listings means that at the point of interaction - when a card is swiped - that data is secure. "Having this in place will mean you are helping - not hindering - your security efforts," Russo says.
For merchants, Russo says, the key is "to make sure that however you are handling credit card data, you're doing it securely." Merchants looking for a secure payment application can find a list of PA-DSS approved applications on the PCI Security Standards Council website. "If you're using a POS device - then make sure it's on the list on the Council's website," he says. "This simplicity will help drive even greater awareness and adoption of the standards and ultimately secure more payment transactions."
The Council's PTS standard offers a simplified process and one-stop shopping for secure devices. "Vendors now have just one set of requirements for testing their products against, and they have until April 30, 2011, when the previous set of requirements will sunset, to do so," Russo says. With the new modular approach, which breaks the requirements out by specific functionality, vendors can easily determine which components they need to test, evaluate and follow.
Russo says anytime a new standard comes out, it raises awareness around the need to secure card data. "With POS security being such a hotspot for previous breaches, we're hoping the new requirements will help people realize that the end points, the point of interaction, must be secured," he says. PTS 3.0 makes it easier for both manufacturers of POS devices and their customers to make sure they are securing sensitive card data at the point of interaction.
Changes to PCI-DSS and PA-DSS are still being worked on by the Council, and revised standards are expected to be announced later in the year.
PCI and security expert Branden Williams, Director of the Security Consulting Practice at RSA, the security division of EMC, says that unifying the PTS standards into one will benefit companies trying to understand how their device should be certified. But it may also make the certification process more complicated, since all three sets of requirements are now represented in a single document. "I do like them being unified if nothing else than to raise awareness on the entire set of devices subject to this type of certification," Williams says.
Avivah Litan, a Gartner security analyst, sees the new standard as a good step in the right direction, but says it doesn't answer the real problems and issues confronting industries that accept payments on unattended payment terminals, particularly enforcement. "To date, the enforcement of PTS standards has been driven by Visa," she says. "MasterCard has not been involved in enforcing the PTS standards, for some reason."
Shackleford says merchants should pay attention to devices that support the SRED (Secure Reading and Exchange of Data) module, which should ensure strong encryption at POS devices and other terminal types. "Although not guaranteed point-to-point encryption, this is a good starting point and may ultimately enable that for many merchants who want to ensure they're secure," he says. "This standard won't prevent some of the physical compromises we've seen with these devices, where terminals are swapped out with 'hacked' ones, but could definitely go a long way" to preventing attacks.