Appeared on ComputerWorld, April 30, 2009
ASC X9 standards body launching encryption initiative with breached payment processor Heartland Payment Systems playing a big role
The same organization that led the development of security standards for payment-card magnetic stripe data and PIN-based transactions will soon begin work on a new specification for encrypting cardholder data while it is in transit between systems during the transaction process.
And among the companies in the forefront of the effort is Heartland Payment Systems Inc., the Princeton, N.J.-based payment processing firm that announced in January what some analysts think could end up being the largest data breach involving credit-card information thus far.
The Accredited Standards Committee X9, which is accredited by the American National Standards Institute, is set to launch an initiative formally known as the Sensitive Card Data Protection Between Device and Acquiring System program. ASC X9 develops and maintains numerous standards for the financial services industry in the U.S., and participants said this week that the goal of the new effort is to develop a data encryption standard to protect information from the moment a card is swiped at a payment register to the end of the transaction chain at a so-called acquiring bank.
The need for such "end-to-end" protection has become increasingly apparent within the payment card industry in the wake of the continuing breaches at companies such as Heartland and RBS WorldPay Inc., another payment processor that disclosed a system intrusion last December. But while proprietary tools are available from a few vendors for achieving that type of protection, there currently is no standard approach, said Sid Sidner, director of security engineering at ACI Worldwide Inc., a vendor of payment processing software in New York.
As a result, ACI, which is a member of the ASC X9 group, wrote up a "work request" in February suggesting the development of a standard. According to Sidner, the effort will focus on the formatting of "cryptographic payloads" that carry sensitive data over transaction networks. The goal, he said, is to create something akin to the level of standardization that exists now for protecting PIN data. Although numerous messaging formats are used to transport cardholder data over a transaction network, the cryptographic blob that protects the PIN data itself looks exactly the same in each message.
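The uniform PIN "blob" Sidner describes is, in practice, the ISO 9564-1 format 0 PIN block: an 8-byte value built the same way whatever message format carries it. The article does not name that format, and the code below is an added example written for this page, not code from ACI, ASC X9 or Heartland. It assumes format 0, shows only the clear-text block construction and its inverse, and leaves out the step that actually makes the block a cryptographic payload, namely 3DES encryption of the 8 bytes under a PIN encryption key. The PAN and PIN values are constructed test data.

```python
# ISO 9564-1 format 0 PIN block (added example; encryption under the PIN
# encryption key is a separate step not performed here).
#
# PIN field: "0" + PIN length (one hex digit) + PIN digits, right-padded
#            with "F" to 16 hex digits.
# PAN field: "0000" + the rightmost 12 PAN digits excluding the check digit.
# Block    : PIN field XOR PAN field (8 bytes).


def _pan_field(pan: str) -> bytes:
    """Build the 8-byte PAN field from a PAN of 13 or more digits."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("PAN must have at least 13 digits")
    # Drop the Luhn check digit, take the 12 digits before it.
    return bytes.fromhex("0000" + digits[-13:-1])


def _pin_field(pin: str) -> bytes:
    """Build the 8-byte PIN field: control nibble 0, length nibble, PIN, F-padding."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))


def format0_pin_block(pin: str, pan: str) -> bytes:
    """Clear-text format 0 PIN block, ready for encryption under the PEK."""
    return bytes(a ^ b for a, b in zip(_pin_field(pin), _pan_field(pan)))


def recover_pin(block: bytes, pan: str) -> str:
    """Invert the construction. Raises ValueError if the block does not
    decode as a format 0 block for this PAN (wrong PAN shows up as bad padding)."""
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    field = bytes(a ^ b for a, b in zip(block, _pan_field(pan))).hex().upper()
    if field[0] != "0":
        raise ValueError("not a format 0 PIN block")
    n = int(field[1], 16)
    if not 4 <= n <= 12:
        raise ValueError("invalid PIN length nibble")
    pin, padding = field[2:2 + n], field[2 + n:]
    if not pin.isdigit() or set(padding) != {"F"}:
        raise ValueError("PIN digits or padding do not verify")
    return pin


def block_matches_pan(block: bytes, pan: str) -> bool:
    """True if the block decodes cleanly for the given PAN."""
    try:
        recover_pin(block, pan)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed test values, not real card data.
    pan, pin = "4111111111111111", "1234"
    block = format0_pin_block(pin, pan)
    print(block.hex().upper())                # 041225EEEEEEEEEE
    print(recover_pin(block, pan))            # 1234
    print(block_matches_pan(block, "5500000000000004"))  # False
```

The point of the example is the shape of the payload: every field is fixed width, the PAN binding is built in, and the result is one 8-byte block regardless of the surrounding message format, which is what lets hardware security modules at each hop handle it without caring how the message around it is laid out.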
A similar encryption standard would require few or even no changes to the existing payment systems infrastructure, claimed Sidner, who is chairing the working group set up to carry out the project. As part of the standards effort, ASC X9 may also look at the viability of using the same key management mechanism that is currently used for PIN security, he said.
Heartland, which launched an internal end-to-end encryption initiative soon after the breach there was discovered, is likely to play a significant role in pushing the proposed standard along. For instance, the company will host "a preliminary planning workshop" in Plano, Texas, next Thursday to discuss the standard and what needs to go into it, Heartland spokesman Jason Maloni said.
He added that the ideas generated at the meeting, which is open to anyone in the payment industry who wants to participate, will be presented at the ASC X9 working group's initial standards development meeting in June. "We expect it to be a very free and fair discussion," Maloni said. "It will be a nice exchange of ideas prior to the [development] meeting."
A statement released by Heartland on Wednesday called the preliminary meeting an important step in "expediting the development" of the standard. "Exchanging ideas is critical to the creation of a robust and public standard that protects the security of cardholder data," Bob Carr, Heartland's chairman and CEO, said as part of the statement. Also voicing support for the initiative in the statement was Dodd Roberts, president and CEO of the Merchant Advisory Group, an association that represents large merchants within the payment industry.
The active participation of such groups could accelerate the development of the standard, Sidner said. He didn't offer an estimate of when the standard might be finalized, but he said that companies such as Heartland have "a keen interest in doing something sooner" because of the "clear and pressing danger" that cybercrooks pose to cardholder data.
The standards effort can "move as fast as the industry wants to move it," said Cindy Fuller, ASC X9's executive director. "There seems to be an urgency and a need, and Heartland certainly has stepped up to the plate to participate." She added that the project is scheduled to be assigned for oversight purposes to the same committee within ASC X9 that is responsible for cardholder authentication standards.
Once the standard is completed within ASC X9, it will have to be approved by the Payment Card Industry Security Standards Council before it can actually be used by companies, Sidner said. The council is responsible for administering the Payment Card Industry Data Security Standard, a set of 12 security controls that were created by the major credit card companies and have to be implemented by all organizations that accept payment card transactions.
"This doesn't have the blessing of the PCI council yet, but it will need to get that some day," Sidner said.