Payment Security

Category: Cyber Security Standards

Payment industry standards and practices were developed to encourage and enhance payment data protection, and facilitate the broad adoption of consistent security measures. They establish a baseline of technical and operational criteria for safe payment transactions.


Standards Overview


Limited Access to Payment Credentials

To reduce financial fraud and lower the risk of a sensitive-information breach, the payment industry has established security requirements for every business entity that stores, processes or transmits cardholder data or sensitive authentication data in the course of payment acquisition, processing, clearance and reconciliation.

Merchant-based vulnerabilities may appear almost anywhere in the card-processing ecosystem: point-of-sale (POS) terminals, mobile devices, personal computers or servers, wireless hotspots, e-commerce applications and paper-based storage systems. Vulnerabilities may also extend to systems operated by service providers and acquirers, which are the financial institutions that initiate and maintain the relationships with merchants.

Payment industry standards generally apply to all entities involved in the payment lifecycle: merchants, processors, acquirers, issuers and service providers. A separate set of standards covers the characteristics and management of devices that protect payers' personal identification numbers (PINs) and transmit transactions to electronic payment gateways; it applies to POS terminal and payment card manufacturers. The formalized security requirements help reduce vulnerabilities at each participating party and protect consumers' payment credentials.

The following publications describe payment industry mechanisms and required security measures:

  • ISO/IEC 7816-1 — Integrated Circuit Cards: Physical Characteristics
  • ISO/IEC 7816-2 — Integrated Circuit Cards: Dimensions and Location of the Contacts
  • ISO/IEC 7816-3 — Integrated Circuit Cards: Electrical Interface and Transmission Protocols
  • ISO/IEC 7816-4 — Integrated Circuit Cards: Organization, Security and Commands for Interchange
  • ISO/IEC 7816-5 — Integrated Circuit Cards: Registration of Application Providers
  • ISO/IEC 7816-6 — Integrated Circuit Cards: Interindustry Data Elements for Interchange
  • ISO/IEC 7816-7 — Integrated Circuit Cards: Commands for Structured Card Query Language (SCQL)
  • ISO/IEC 7816-8 — Integrated Circuit Cards: Commands and Mechanisms for Security Operations
  • ISO/IEC 7816-9 — Integrated Circuit Cards: Commands for Card Management
  • ISO/IEC 7816-10 — Integrated Circuit Cards: Electronic Signals and Answer to Reset
  • ISO/IEC 7816-11 — Integrated Circuit Cards: Personal Verification through Biometric Methods
  • ISO/IEC 7816-12 — Integrated Circuit Cards: USB Electrical Interface and Operating Procedures
  • ISO/IEC 7816-13 — Integrated Circuit Cards: Commands for Application Management
  • ISO/IEC 7816-15 — Integrated Circuit Cards: Cryptographic Information Application
  • ISO/IEC 14443-1 — Contactless Proximity Objects: Physical Characteristics
  • ISO/IEC 14443-2 — Contactless Proximity Objects: Radio Frequency Power and Signal Interface
  • ISO/IEC 14443-3 — Contactless Proximity Objects: Initialization and Anticollision
  • ISO/IEC 14443-4 — Contactless Proximity Objects: Transmission Protocol


Payment industry standards prescribe common-sense steps that mirror general IT security best practice: identify where sensitive information is located, remove records that are not needed, remediate the vulnerabilities identified, conduct an assessment and produce a formal Report on Compliance (ROC).
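The first two steps above, locating stored cardholder data and eliminating what is not needed, are the ones most often automated. The following is an added example (not code from the page or from any standards body) of a small discovery-and-masking pass over application log lines: it finds digit runs of card-number length, keeps only those that pass the Luhn check so that order numbers and timestamps are not reported, and rewrites the hits so only the first six and last four digits remain. The log lines and the card numbers in them are constructed sample data (publicly known test numbers, not real accounts); the function names are this example's own.

```python
import re

# Constructed sample log lines (not from the page). The card numbers are
# well-known test numbers, not real accounts; line 2 holds a 16-digit order
# id that looks like a PAN but fails the Luhn check.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z INFO checkout pan=4111111111111111 amount=12.50",
    "2024-01-01T10:00:01Z DEBUG order_id=1234567890123456 status=ok",
    "2024-01-01T10:00:02Z INFO refund card=5555 5555 5555 4444 amount=3.00",
    "2024-01-01T10:00:03Z INFO session=abc123 user=alice",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not glued to further digits on either side.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SEPARATORS = re.compile(r"[ -]")


def luhn_ok(digits):
    """Return True if the digit string satisfies the Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _as_pan(text):
    """Strip separators; return the digits if they look like a PAN, else None."""
    digits = SEPARATORS.sub("", text)
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return digits
    return None


def find_pans(line):
    """Return the unmasked PANs found in one log line."""
    found = []
    for m in CANDIDATE.finditer(line):
        pan = _as_pan(m.group(0))
        if pan is not None:
            found.append(pan)
    return found


def mask_pan(digits):
    """Keep first six and last four digits, as commonly used for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_line(line):
    """Rewrite a log line with every detected PAN masked in place."""
    def repl(m):
        pan = _as_pan(m.group(0))
        return mask_pan(pan) if pan is not None else m.group(0)
    return CANDIDATE.sub(repl, line)


def scan(lines):
    """Report (line number, masked PANs) for every line containing a PAN.

    The report itself only carries masked values so that the discovery
    output does not become a new store of cardholder data.
    """
    report = []
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        if pans:
            report.append((n, [mask_pan(p) for p in pans]))
    return report


if __name__ == "__main__":
    for n, masked in scan(SAMPLE_LOG):
        print(f"line {n}: {masked}")
    for line in SAMPLE_LOG:
        print(mask_line(line))
```

The Luhn filter is what keeps the scanner's false-positive rate workable on real logs; without it, every 16-digit identifier would be flagged. Note that the report deliberately stores only masked values, since a discovery tool that writes full PANs to its own output simply moves the problem.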

Payment industry data security requirements apply to all system components included in, or connected to, the payment processing environment, and cover the people, processes and technologies that store, process or transmit sensitive payment credentials.

Device and software interface standards describe the minimum functionality required of integrated circuit cards (ICC), payment terminals and applications to ensure their correct operation and interoperability in the international interchange environment.

Payment industry governing bodies run programs that facilitate compliance assessment, and approve the security assessors and scanning vendors that may validate adherence to the security requirements and attest to a party's compliance.

Compensating controls may be considered when a party cannot meet a requirement explicitly as stated, but has sufficiently mitigated the risk associated with it.