ASC X9 to Develop Security Standard for Cardholder Data
Accredited Standards Committee X9 Developing New Merchant Data Security Technology Standard
Heartland Payment Systems to Host Planning Meeting for Brainstorming Technical Approaches to Protecting Sensitive Payment Cardholder Data
Princeton, NJ, USA. April 29, 2009. [With additional references]
The Accredited Standards Committee X9 (ASC X9), accredited by the American National Standards Institute (ANSI), is embarking on the development of a new standard to protect cardholder data in the electronic payments industry. ASC X9 develops, maintains and promotes standards for all financial services in the United States and pioneered standards for items including the credit card magnetic stripe and ATM systems.
In advance of formally launching this "Sensitive Card Data Protection Between Device and Acquiring System" initiative, Heartland Payment Systems is hosting a preliminary planning workshop on Thursday, May 7, 2009, in Plano, TX. There, data security experts and industry leaders will brainstorm technical approaches to protecting this data. Ideas generated at this meeting will be presented at ASC X9's initial standards development meeting on June 1-5, 2009 in Foster City, CA.
"This preliminary meeting marks an important step in expediting the development of next-generation data security solutions. Exchanging ideas is critical to the creation of a robust and public standard that protects the security of cardholder data and safeguards consumers and businesses nationwide," said Bob Carr, chairman and chief executive officer of Heartland Payment Systems. Heartland, one of the nation's largest payments processors, is a member of the ASC X9 working group. Carr is a strong proponent of information sharing and end-to-end encryption as a means to enhance consumer data security at all points of a payments transaction.
"All players in the payments industry have a mutual stake in protecting consumer information," said Dodd Roberts, president and chief executive officer of the Merchant Advisory Group (MAG). "It is essential that industry leaders work together to eliminate all risk to personal information. A meeting like this is critical to creating the solutions needed." The MAG, also a member of ASC X9, is a nonprofit industry association that brings together all parties in the payments industry to collaborate on issues and ensure the voice of merchants is represented.
About Heartland Payment Systems
Heartland Payment Systems, Inc., a NYSE company trading under the symbol HPY, delivers credit/debit/prepaid card processing, payroll, check management and payments solutions to more than 250,000 business locations nationwide. Heartland is the founding supporter of The Merchant Bill of Rights, a public advocacy initiative that educates merchants about fair credit and debit card processing practices. For more information, please visit http://www.HeartlandPaymentSystems.com and http://www.MerchantBillOfRights.com.
About ASC X9
The Accredited Standards Committee X9, Inc., is the only industry-wide forum that brings together bankers, securities professionals, manufacturers, regulators, associations, consultants and others in the financial services arena to address technical issues, find the best solutions and codify them as nationally and internationally accepted standards. The American National Standards Institute (ANSI) officially accredited ASC X9 in 1984. In addition, ASC X9 is recognized as the official secretariat to the International Organization for Standardization (ISO) committee TC 68 on Banking and Financial Services.
About the Merchant Advisory Group
The Merchant Advisory Group is a 501(c)(6) nonprofit industry association that brings together all parties in the payment industry to collaborate on issues that concern everyone, and ensure the merchant voice is heard on such issues. The MAG is a vital source for educational and networking opportunities, best-practice sharing and information on new technologies. The group is supported primarily by merchant members and industry stakeholders such as acquirers, issuers and vendors. For more information, please visit http://www.MerchantAdvisoryGroup.org.
Heartland Payment Systems, Inc.
Tel: +1 202-973-1335
ANSI X9 Financial Industry Standards (Key Management)
"Post-breach, Heartland Plans Aggressive Encryption Project. Heartland to Use End-To-End Encryption to Ward Off Cyber-Crooks." By Ellen Messmer. From Network World. "In the United States today there is no established standard for end-to-end encryption of payment-processing networks. But Heartland is hoping to rally the industry around one based on the Advanced Encryption Standard (AES) that it's proposing to the Accredited Standards Committee X9 (ASC X9) in early June ...."
"New Standard for Encrypting Card Data in the Works." By Jaikumar Vijayan. From Network World. "The need for such 'end-to-end' protection has become increasingly apparent within the payment card industry in the wake of the continuing breaches at companies such as Heartland and RBS WorldPay Inc., another payment processor that disclosed a system intrusion last December. But while proprietary tools are available from a few vendors for achieving that type of protection, there currently is no standard approach, said Sid Sidner, director of security engineering at ACI Worldwide Inc... ACI, which is a member of the ASC X9 group, wrote up a 'work request' in February 2009 suggesting the development of a standard. According to Sidner, the effort will focus on creating a methodology for formatting 'cryptographic payloads' to carry sensitive data over transaction networks. The goal, he said, is to create something akin to the level of standardization that exists now for protecting PIN data. Although numerous messaging formats are used to transport cardholder data over a transaction network, the cryptographic blobs that protect the PIN data itself in each message look exactly the same..."
"Organization Aims To Develop Encryption Standard for Card Data." By Marcia Savage. From SearchFinancialSecurity.com. "... The goal is to develop an open standard for encrypting cardholder data at the merchant point-of-sale terminal and keeping it encrypted as it's transferred to the processing system of the merchant's acquiring bank, said Sid Sidner, director of security engineering at ACI Worldwide Inc., a New York-based provider of electronic payments software. There are proprietary solutions for providing that encryption but no standards, said Sidner, who is leading the initiative. 'The project addresses an area not covered by the PCI Data Security Standard, which has encryption requirements for stored data and for data transmitted over public networks... If we could find a way to encrypt the data at the payment terminal and keep it encrypted back to the acquiring bank, then we've come up with a way to be even stronger than what the PCI DSS requires; the data would be protected on merchant internal networks'..."
"Participation Will Be Key to Heartland's Encryption Effort." By Avivah Litan (Vice President and Distinguished Analyst in Gartner Research). Gartner Research Report, Reference ID Number: G00168150. Report also in PDF format. "... End-to-end encryption would be most effective if data was encrypted from the time a card was swiped at a POS until it reached the card issuer, similar to the way personal identification numbers (PINs) currently are encrypted according to card brand standards. However, Heartland is limited by the scope of systems it manages and from which it accepts data; it can only seek to influence the card industry to carry end-to-end encryption beyond the processor stage, through the card networks and onto the card issuers. The proposal's success also depends on merchants' willingness to invest in terminal upgrades that support card data encryption. If Heartland implements its proposed project more securely than it has managed in the past with its network, it will make payment card processing more secure for merchants, especially if they don't manage the encryption keys and leave key management to their processor. Nevertheless, the process will always include vulnerabilities at the point where data is encrypted and decrypted. These vulnerabilities can be limited by using sound key management practices and enforcing extra security measures..." Background: "Heartland Case Shows Stronger Card Security Is Still Needed."
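The articles quoted above describe the model the X9 effort is aiming at: cardholder data is encrypted at the terminal, travels through the merchant's own network as an opaque cryptographic payload with a fixed layout (the way PIN blocks already do), and is decrypted only at the acquirer, so the clear-text exposure points are the two endpoints Gartner singles out. The Go program below is an added example written for this page; it is not Heartland's implementation and not the ASC X9 draft format. The payload layout (version byte, key identifier, nonce, AES-256-GCM ciphertext and tag), the function names and the key-identifier value are assumptions made for the example, and the track data is a constructed test value, not real card data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Payload layout, an assumption made for this example (not the X9 draft format):
//   byte 0       format version, fixed at 0x01
//   bytes 1-4    key identifier (big-endian uint32) so the acquirer can select the key
//   bytes 5-16   12-byte GCM nonce, fresh for every transaction
//   bytes 17..   AES-256-GCM ciphertext followed by the 16-byte authentication tag
const (
	payloadVersion = 0x01
	keyIDSize      = 4
	nonceSize      = 12
	gcmTagSize     = 16
	headerSize     = 1 + keyIDSize + nonceSize
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealCardData is the terminal/TRSM side: track data is encrypted right after the
// swipe under a key shared only with the acquirer's decryption host.
func SealCardData(key []byte, keyID uint32, trackData []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	header := make([]byte, headerSize)
	header[0] = payloadVersion
	binary.BigEndian.PutUint32(header[1:1+keyIDSize], keyID)
	nonce := header[1+keyIDSize : headerSize]
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The clear header is bound in as additional authenticated data, so an
	// intermediary that rewrites the version or key id in transit breaks the tag.
	ciphertext := gcm.Seal(nil, nonce, trackData, header)
	return append(header, ciphertext...), nil
}

// RouteAtMerchant models the store controller between terminal and acquirer: it
// reads only the clear header to pick a route and forwards the body untouched.
func RouteAtMerchant(payload []byte) (uint32, error) {
	if len(payload) < headerSize+gcmTagSize {
		return 0, errors.New("truncated payload")
	}
	return binary.BigEndian.Uint32(payload[1 : 1+keyIDSize]), nil
}

// OpenCardData runs at the acquirer's decryption host, the far end of the tunnel.
func OpenCardData(key []byte, expectedKeyID uint32, payload []byte) ([]byte, error) {
	if len(payload) < headerSize+gcmTagSize {
		return nil, errors.New("payload too short")
	}
	if payload[0] != payloadVersion {
		return nil, fmt.Errorf("unsupported payload version 0x%02x", payload[0])
	}
	if got := binary.BigEndian.Uint32(payload[1 : 1+keyIDSize]); got != expectedKeyID {
		return nil, fmt.Errorf("payload references key %d, host holds key %d", got, expectedKeyID)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	header := payload[:headerSize]
	nonce := header[1+keyIDSize : headerSize]
	plaintext, err := gcm.Open(nil, nonce, payload[headerSize:], header)
	if err != nil {
		return nil, errors.New("authentication failed: payload altered or wrong key")
	}
	return plaintext, nil
}

func main() {
	// Constructed sample: a well-known test PAN in track-2 layout, not real card data.
	track := []byte(";4111111111111111=25121010000000000000?")
	key := make([]byte, 32) // in practice injected into the TRSM and held in the acquirer HSM
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	payload, err := SealCardData(key, 7, track)
	if err != nil {
		panic(err)
	}
	keyID, _ := RouteAtMerchant(payload)
	fmt.Printf("merchant sees %d bytes, key id %d, clear PAN present: %v\n",
		len(payload), keyID, bytes.Contains(payload, []byte("4111111111111111")))
	recovered, err := OpenCardData(key, 7, payload)
	fmt.Printf("acquirer recovered %q (err=%v)\n", recovered, err)
	payload[len(payload)-1] ^= 0x01 // one flipped byte anywhere in the payload
	_, err = OpenCardData(key, 7, payload)
	fmt.Println("after tampering:", err)
}
```

Between SealCardData and OpenCardData the merchant's POS controllers, store servers and WAN links handle only the header and ciphertext, which is the scope-reduction argument the Sidner quotes make; the residual exposure is exactly where Gartner places it, at the TRSM and at the acquirer's decryption host, and at whoever manages the 32-byte key.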
"Data-sniffing Attack Costs Heartland $12.6m. Credit Card Processor Promises End-To-End Encryption." By Dan Goodin. From The Register. May 07, 2009. "Heartland plans to roll out a new security system designed to encrypt payment card transactions from their point of origin with merchants to their final destination with the card issuers... The mechanism would go well beyond so-called PCI DSS, or payment card industry data security standards, which are mandated on merchants, processors, and banks that work with credit and debit cards..."
Heartland Podcast #1: Technical Details. By Bob Carr, Chairman and Chief Executive Officer, Heartland Payment Systems.
Heartland Podcast #2: Practical Industry Considerations. By Bob Carr, Chairman and Chief Executive Officer, Heartland Payment Systems.
"Is Heartland's End-to-End Move The First Shot In A Processor Lock-In War?" By Evan Schuman. May 13, 2009. "Heartland's approach is based on the licensed technology from several vendors — including Voltage Security — along with a healthy dose of code written by salaried Heartland programmers..."
"Heartland's New Encryption Strategy: Let Them In, But Limit Them." By Evan Schuman. "Heartland plans to start rolling out a new security approach to its retailer customers. It's based on attaching a Tamper-Resistant Security Module (TRSM), which is a physical piece of hardware, within centimeters or less to the magnetic stripe itself; the connection is shielded with the TRSM..."
"E2E Encryption Prescription Is Bad Medicine." By Kevin M. Nixon. From Information Security Resources. "Encrypted traffic cannot be analyzed by a firewall unless either decrypted permissively or decrypted forcibly. The same traffic cannot be cleansed of viruses, or worm signatures, or attack characteristics (IIS URL length overflow) until the traffic is decrypted on the host. Clearly, traffic should never hit a multi-purpose operating system until after all of this happens. End-to-end encryption is what we want, but not at the price we'd have to pay. Protection of data during creation, transmission, processing and storage or End-to-End-Defense-in-Depth is what we really want, as it ensures the defense in depth best practices are not lost..."
Prepared by Robin Cover for The XML Cover Pages archive.