Standards are an interesting phenomenon, especially in the information technology field. On the one hand, they create bureaucracy, kill creativity, and scare away many talented people. On the other hand, standards save resources, provide reliability, and allow totally different people and organizations to speak to each other using the same language.
In the payment card industry (PCI), this phenomenon is even more interesting. There are established security standards without underlying technology standards. Simply put, most security standards for payment applications tell you what to protect without explaining how to do it. This in no way means that the technology does not exist. It’s just not defined and not standardized enough.
PCI is a great invention. It helps to make payment systems much more secure. The problem with PCI standards is that they came out too late, when the (insecure) technologies around payment card processing had already been established and widely deployed. Any deviation from current technologies (which is necessary in order to provide real security) would require rebuilding the entire system from scratch, which would cost millions of dollars if implemented worldwide.
As a result, instead of offering a new secure technology, the main method of PCI security standards is compensating for the vulnerability (by design) of electronic payment systems by building up several extra layers of security controls around existing technologies. This makes the end users (payment processors, service providers, hardware/software vendors, and finally merchants who often have no clue about security) responsible for their implementation. Therefore, the payment systems are often insecure even if they are PCI compliant.
PCI standards cover several different aspects of the electronic payment life cycle.
- PCI Data Security Standard (PCI DSS): Tells merchants (such as retailers) and service providers (such as payment processors and gateways) how to protect sensitive cardholder information.
- Payment Application Data Security Standard (PA-DSS): Tells payment application developers how they should design their products so that they can be deployed in a PCI DSS compliant manner.
- PIN Transaction Security (PTS): Covers hardware devices, such as POI (point of interaction) devices and HSMs (hardware security modules), including their cryptographic modules and firmware.
- Point-to-Point Encryption (P2PE): A P2PE solution is provided by a third-party solution provider and is a combination of secure devices, applications, and processes that encrypt card data from the point of interaction (for example, at the point of swipe or dip) until the data reaches the solution provider's secure decryption environment.
Source: Hacking Point of Sale