By Jim Daly
With malware and hacker attacks on payment card-accepting devices increasing in sophistication, the PCI Security Standards Council has announced updated rules for protecting such devices.
“The updates are designed to stay one step ahead of criminals who continue to develop new ways to steal credit and debit card data from cash machines, in-store and unattended terminals, and mobile devices used for payment transactions,” the Wakefield, Mass.-based PCI Council said in a recent news release. The changes are included in the new Version 5.0 of the Council’s standards dubbed the “PIN Transaction Security (PTS) Point-of-Interaction (POI) Modular Security Requirements.”
One of the Council’s chief aims is to prevent physical tampering and the insertion of malicious software that can capture cardholder data from payment-accepting devices, according to Troy Leach, chief technology officer at the PCI Council, whose rules are mandatory for card-accepting merchants, payment processors, and vendors that handle card data. Fraud investigators also are seeing more attempts to break the encryption of payment data, which has become common in recent years at the point of sale and in data transmission in the wake of big data breaches at retailers and payment processors.
“With the increased use of encryption to protect payments, next-generation payment technology, like future point-of-interaction devices, must address the advancement of criminal attacks that will attempt to break the cryptography through means such as differential power analysis and similar techniques,” Leach says in an email to Digital Transactions News. “The next version of POI Version 5 addresses these concerns against current and future threats.”
Differential power analysis is a sophisticated technique that attempts to obtain the electronic keys and bypass other protections in an encrypted system by analyzing power consumption in a microprocessor. An academic paper on the subject from Oregon State University says a “high level of technical skill in several fields” is needed to complete a successful DPA, “yet this can be performed using a few thousand dollars of standard equipment.”
Leach adds that “there is a growing diversity among payment devices and the types of attacks that may be successful,” so the updated rules reflect the varying time and expertise needed to carry out a successful physical attack on a POI device to steal cardholder data.
The revised rules also require that payment-accepting devices support firmware that can be updated. The intent is to get the newest changes in data-protection systems such as Transport Layer Security (TLS, the successor to the once widely used Secure Sockets Layer encryption system for Internet communications) to the front lines as soon as possible.
“This provides device vendors and others the ability to address logical controls such as security protocols (e.g., TLS), operating systems and other logical-based protections offered by POI devices, and evolve as threats and those base protections change,” says Leach.
A summary of the new PTS/POI rules changes can be found here.
The decade-old PCI Council administers the main Payment Card Industry data-security standard and its affiliated rules sets, including the PTS/POI standards. The Council will have its annual North America Community Meeting for payment-card security managers and executives next week in Las Vegas.