- Posted by: mkt
By Maurício Okuyama, Pre-Sales Manager at Kryptus
The PCI SSC (Payment Card Industry Security Standards Council), commonly referred to simply as PCI, is a global organization that unites stakeholders in the payments industry to develop and promote the adoption of high information security standards for card payments. To ensure that adoption happens consistently, PCI maintains a body of standards and requirements, including PCI PIN Security, which is periodically revised and updated and covers a wide range of industry segments: payment service providers, software solution providers, hardware solution providers, and others.
To illustrate, every company that in some way operates within the supply chain of services or technology for card payments with the major card brands (American Express, Discover, Mastercard, Visa) follows one or more specific PCI standards. There are requirements for companies that process payments through payment terminals (POS), for data centers and companies that host payment software or payment APIs, and even for companies that manufacture the cryptographic hardware used by the industry.
Why is PCI important?
Card networks have their own technical and operational requirements, which need to be passed down to the entities that provide products and services to the payment industry. In certain aspects, whether related to security or to other areas, the demands of one card network differ from those of another. A product or service provider that wants to serve all networks with its portfolio therefore needs a clear set of requirements that, if duly met, allows it to cover both what the card networks have in common and what is specific to each of them.
Taking the card networks' needs, interests and requirements into account, PCI acts as an intermediary between them and the other stakeholders in the payments industry, establishing a common baseline of standards to be met by both product and service providers in the sector. By bringing together the most diverse and relevant stakeholders of the payments industry and maintaining these security standards, PCI contributes to the sustainable, global development of the sector.
In the end, the winners are the consumers and society, which benefit from a payment system that is universal, reliable, and, through technological developments linked to security requirements, increasingly convenient.
What is the benefit of the standards required by PCI for the payments market and end-user?
PCI provides a common baseline of security standards and requirements to be followed by the various stakeholders in the payments industry. If this unified baseline did not exist, we would probably not be able to pay with our cards almost anywhere in the world or on almost any website. PCI's work is therefore essential both for the market and for the end user, who benefits from a payment system that is universal, reliable, and, through technological developments tied to security requirements, increasingly convenient.
About PCI PIN Security
PCI PIN Security is one of the PCI standards and must be adopted by all companies that manage, process, and transmit personal identification numbers (PINs) during the processing of online and offline payment card transactions at ATMs and point-of-sale (POS) terminals.
The PCI PIN Security standard requires that every PIN entered by a cardholder be processed on equipment that meets the requirements for secure cryptographic devices (SCDs), such as a Hardware Security Module (HSM). A PIN must never exist in plain text outside a cryptographic module.
FIPS 140-2 Certificate and PCI
Federal Information Processing Standard (FIPS) publication 140-2 defines minimum security requirements for cryptographic modules. A FIPS 140-2 certification means that the equipment has been validated by the US National Institute of Standards and Technology (NIST) and the Canadian Cybersecurity Centre (CCCS). In short, the standard attests that a product applies robust security practices, such as physical and logical protection mechanisms and approved cryptographic algorithms, at one of the four FIPS 140-2 security levels.
For a financial organization to comply with the PCI PIN Security standard and obtain certification, the HSMs (Hardware Security Modules) used to store the cryptographic keys involved in payment transactions must meet the requirements of FIPS 140-2 Level 3. Two examples of companies that obtained PCI PIN Security certification using Kryptus HSMs, which are FIPS 140-2 Level 3 certified, are Perto S.A. and Seven Group. Both needed to become PCI compliant and to guarantee the robustness of the security infrastructure behind their financial transactions.