New standard for encrypting card data in the works; backers include Heartland
ASC X9 standards body launching encryption initiative with breached payment processor Heartland Payment Systems playing a big role
April 30, 2009 12:00 PM ET | Computerworld
The same organization that led the development of security standards for payment-card magnetic stripe data and PIN-based transactions will soon begin work on a new specification for encrypting cardholder data while it is in transit between systems during the transaction process.
And among the companies in the forefront of the effort is Heartland Payment Systems Inc., the Princeton, N.J.-based payment processing firm that announced in January what some analysts think could end up being the largest data breach involving credit-card information thus far.
The Accredited Standards Committee X9, which is accredited by the American National Standards Institute, is set to launch an initiative formally known as the Sensitive Card Data Protection Between Device and Acquiring System program. ASC X9 develops and maintains numerous standards for the financial services industry in the U.S., and participants said this week that the goal of the new effort is to develop a data encryption standard to protect information from the moment a card is swiped at a payment register to the end of the transaction chain at a so-called acquiring bank.
The need for such "end-to-end" protection has become increasingly apparent within the payment card industry in the wake of the continuing breaches at companies such as Heartland and RBS WorldPay Inc., another payment processor that disclosed a system intrusion last December. But while proprietary tools are available from a few vendors for achieving that type of protection, there currently is no standard approach, said Sid Sidner, director of security engineering at ACI Worldwide Inc., a vendor of payment processing software in New York.
As a result, ACI, which is a member of the ASC X9 group, wrote up a "work request" in February suggesting the development of a standard. According to Sidner, the effort will focus on the formatting of "cryptographic payloads" to carry sensitive data over transaction networks. The goal, he said, is to create something akin to the level of standardization that exists now for protecting PIN data. Although numerous messaging formats are used to transport cardholder data over a transaction network, the cryptographic blob that protects the PIN data itself in each message looks exactly the same regardless of which format carries it.
A similar encryption standard would require few or even no changes to the existing payment systems infrastructure, claimed Sidner, who is chairing the working group set up to carry out the project. As part of the standards effort, ASC X9 may also look at the viability of reusing the key-management mechanism that is currently used for PIN security, he said.
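To make concrete what a format-independent "cryptographic blob" looks like, here is the PIN protection that Sidner holds up as the model: an ISO 9564-1 (ANSI X9.8) format 0 PIN block encrypted under a TDES PIN encryption key. The article does not name that standard or show any code; this Go example is added by the editor, not taken from ACI, ASC X9 or Heartland, and it assumes a constructed 24-byte test key. In a real terminal the key is derived per transaction under ANSI X9.24 (DUKPT) inside the PIN entry device, which is not shown here. The security-relevant detail is that the PIN is XORed with the card's PAN before encryption, so the 8-byte blob is bound to one card and cannot simply be replayed against another.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// testKey is a constructed 24-byte TDES PIN encryption key for this example only.
// Production keys are derived per transaction (ANSI X9.24 / DUKPT) inside a PIN
// entry device or HSM and never appear in application code.
var testKey, _ = hex.DecodeString("0123456789ABCDEFFEDCBA987654321089ABCDEF01234567")

func allDigits(s string) bool {
	for _, r := range s {
		if r < '0' || r > '9' {
			return false
		}
	}
	return true
}

// panField returns the 8-byte PAN field of ISO 9564-1 format 0: four zero nibbles
// followed by the rightmost 12 PAN digits, excluding the Luhn check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 || !allDigits(pan) {
		return nil, errors.New("PAN must be at least 13 digits")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// formatZeroPinBlock builds the clear format 0 PIN block: the PIN field
// (control nibble 0, PIN length, PIN digits, 0xF padding) XORed with the PAN field.
func formatZeroPinBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || !allDigits(pin) {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	pinHex := fmt.Sprintf("0%X%s", len(pin), pin)
	pinHex += strings.Repeat("F", 16-len(pinHex))
	p, err := hex.DecodeString(pinHex)
	if err != nil {
		return nil, err
	}
	q, err := panField(pan)
	if err != nil {
		return nil, err
	}
	block := make([]byte, des.BlockSize)
	for i := range block {
		block[i] = p[i] ^ q[i]
	}
	return block, nil
}

// encryptPinBlock encrypts one 8-byte PIN block under a TDES key. The block is a
// single cipher block, so no mode or IV is involved; the 8-byte result is the
// blob that every message format on the network carries unchanged.
func encryptPinBlock(key, block []byte) ([]byte, error) {
	if len(block) != des.BlockSize {
		return nil, errors.New("PIN block must be 8 bytes")
	}
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block)
	return out, nil
}

// recoverPin decrypts a format 0 block and unbinds it from the PAN, rejecting
// anything that does not parse as a well-formed block (wrong key, wrong PAN,
// corrupted data).
func recoverPin(key, enc []byte, pan string) (string, error) {
	if len(enc) != des.BlockSize {
		return "", errors.New("encrypted PIN block must be 8 bytes")
	}
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return "", err
	}
	clear := make([]byte, des.BlockSize)
	c.Decrypt(clear, enc)
	q, err := panField(pan)
	if err != nil {
		return "", err
	}
	for i := range clear {
		clear[i] ^= q[i]
	}
	h := strings.ToUpper(hex.EncodeToString(clear))
	n, err := strconv.ParseInt(h[1:2], 16, 0)
	if h[0] != '0' || err != nil || n < 4 || n > 12 {
		return "", errors.New("not a well-formed format 0 PIN block")
	}
	k := int(n)
	if !allDigits(h[2:2+k]) || strings.Trim(h[2+k:], "F") != "" {
		return "", errors.New("PIN block does not verify against this PAN")
	}
	return h[2 : 2+k], nil
}

func main() {
	blk, _ := formatZeroPinBlock("1234", "4111111111111111")
	enc, _ := encryptPinBlock(testKey, blk)
	pin, err := recoverPin(testKey, enc, "4111111111111111")
	fmt.Printf("clear %X encrypted %X recovered %q err %v\n", blk, enc, pin, err)
}
```

For PIN 1234 and the constructed test PAN 4111111111111111 the clear block is 041225EEEEEEEEEE; the same encrypted blob handed to recoverPin with a different PAN fails to verify, which is the binding property a card-data payload standard would want to reproduce for the PAN and track data themselves.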
Heartland, which launched an internal end-to-end encryption initiative soon after the breach there was discovered, is likely to play a significant role in pushing the proposed standard along. For instance, the company will host "a preliminary planning workshop" in Plano, Texas, next Thursday to discuss the standard and what needs to go into it, Heartland spokesman Jason Maloni said.