February 28, 2009
PCI Security Risks Reviewed, Pt.4
PCI hardware components. The next two standards involve PCI hardware components. The first of these standards deals with ‘unattended hardware’. This covers things like ATMs, gas pump debit and credit card ‘stations’ and any other type of terminal the public has access to without ‘guardian presence’. ‘Attended terminals’ have already been attended to. These are things like POS (point of sale) credit card terminals. Now, the unattended terminals must guarantee that, if stolen or tampered with, they will yield no sensitive debit or credit card data to the thief.
The second of these hardware standards deals with a subcomponent called ‘host security modules’. These are part of the larger system called the ‘terminal’. This is the component that takes in the most sensitive debit and credit card data, like PINs and billing ZIP codes. One common example is the familiar keypad. Like the keyboard of a computer, this is one of the most sensitive areas and the hardest to secure. These components must be protected from credit card breaches as much as is practical. Encryption must begin at the point of entry, and the data must not be accessible in unencrypted form from that point on.
As for PCI compliance certification, the Council has set up several laboratory-condition sites throughout the world. These facilities will perform the extensive evaluations and administer the appropriate debit and credit card security certifications.
As this whole scheme is a new and untested approach in credit card security, it is considered to be only the second level of many to come. Already, the PCI Compliance Advisory Board has scheduled a commission study to look into further changes and recommendations. They're anticipating that experience will yield ideas for even greater protection and they plan for another major revision in late 2010.
This ‘next generation’ will attempt to finally achieve complete ‘end-to-end’ protection, sealing up all possible leaks. This standard will be so high that many of the lower-level entities like ‘Mom & Pop’ businesses will be exempt.
