Efforts to create a common set of requirements for so-called “end-to-end” encryption moved forward last week when the Secure POS Vendor Alliance released its End-To-End Encryption Security Requirements.
The standard, which addresses such elements as which data should be encrypted and how to physically secure point-of-sale terminals, is “more of a carrot than a stick approach,” Dave Faoro, chairman of the alliance’s encryption technical working group, tells PaymentsSource.
Faoro’s hope is that organizations ambivalent about this type of advanced encryption because of the lack of an industrywide definition will see the requirement as a good idea.
“This supplies a baseline,” says Faoro, who also is chief security officer and vice president at VeriFone Systems Inc., a San Jose, Calif.-based POS-terminal maker.
VeriFone, along with competitors Hypercom Corp. of Scottsdale, Ariz., and France-based Ingenico S.A., formed the trade group in April 2009 as a way to develop common methods to measure payment-device security.
Companies incorporating the alliance’s encryption standard will have to submit their products to an accredited lab, Faoro says. Selection of the labs is under way.
“This is a step forward and hopefully will put pressure on other bodies in the industry to take some action,” Robert O. Carr, CEO and chairman of Heartland Payment Systems Inc., tells PaymentsSource. Carr also is the associate member director of the alliance.
“This will be a catalyst to continue to bring the industry together and improve security technology for merchants,” Carr says. This type of requirement “would have been nice a long time ago, but it is done now,” he says.