PCI Council wants upgradeable credit card readers … next year • The Register
The Payment Card Industry Security Standards Council (PCI Council) has floated a new standard it hopes will reduce credit card fraud that starts at the point of sale, in part by allowing easier upgrades.
The new version 5.0 of the PCI PIN Transaction Security (PTS) Point-of-Interaction (POI) Modular Security Requirements emerged late last week. The most notable new bits of the proposed standard (PDF) are:
- A new control that means point of sale card readers “… must support firmware updates. The device must cryptographically authenticate the firmware and if the authenticity is not confirmed, the firmware update is rejected and deleted.”;
- Tamper-proofing requirements so that an attack involving “drills, lasers, chemical solvents, opening covers, splitting the casing (seams), and using ventilation openings” results in devices becoming inoperable and deleting all data;
- A requirement that devices be verifiably immune to leaking keys if probed using side-channel methods such as monitoring for electromagnetic emanations.
The changes have been made in response to the prevalence of card skimming attacks and as recognition that retailers need the ability to respond quickly as threats emerge. Hard-to-upgrade card-reading kit holds back security efforts, because retailers resist expensive upgrades that address obscure attacks. Making card readers upgradeable should mean better point of sale security. That the United States is now adopting the chip-and-pin (EMV) wireless payment technology so prevalent elsewhere is also cited as a reason for the new round of changes.
But even pre-EMV technologies need better wireless security: Samsung’s Magnetic Secure Transmission (MST) technology lets phones talk to magnetic stripe readers. Even those small exchanges of electromagnetic energy are potentially sniffable, with keys a bigger prize than individual cards.
The new standard comes into force in September 2017, when the current version 4.1 will fade away.
[They are wrong about the US adopting Chip-and-Pin technology. In the US it is Chip-and-signature. US banks did not want to have to deal with people forgetting their PINs, which could require issuing a new card. It was a cost-benefit analysis on their part. It does make using US cards in other parts of the world difficult.]