SPVA releases requirements for the post manufacturing stage of payment devices
Posted by Seth Planck
June 27th, 2011 at 4:54 PM Filed Under Latest News, Press Release
It is always nice to hear of organizations that are actively trying to protect our financial security, which is why SPVA’s (Secure POS Vendor Alliance) announcement of requirements for the post manufacturing stage of payment devices warms our cold, cold hearts. Of course, we are not the only ones who benefit from these new requirements, as they also protect the financial industry. More security is better, and with all the marketing hype around NFC mobile wallets, knowing that Verifone & co are actively looking to protect our security can only be a positive thing.
What’s considered in the requirements for the post manufacturing stage of payment devices
The new requirements for the post manufacturing stage of payment devices play out more like a “best practices” guideline. Various groups will be required by members of the SPVA to ensure no contamination of payment devices happens between the factory gate and your hand. So, your brand new NFC smartphone wouldn’t have been tampered with. The same will go for NFC POS terminals and other equipment associated with securing payments.
To meet the new requirements for the post manufacturing stage of payment devices, companies will have to:
- Secure storage and transport: The payment device must be stored and transported in a manner that meets requirements for security and accountability.
- Transfer and accountability: Documented processes must be in place to ensure the accountability for the device is properly transferred from the manufacturer to the entity performing the initial key load.
- Authentication: The payment device must have a secure mechanism authenticating the identity of the device.
- Key management: Documented processes must be in place to identify and respond to any security incidents.
- Incident response: Documented processes must be in place to identify and respond to any security incidents.
- Outsourcing: When any process of the post-manufacturing stage is outsourced, the outsourcing organization must ensure that the vendor meets the security requirements of that process.
- Auditing: Audits must be performed at planned intervals to ensure that the security requirements are met.
Current standards do not protect consumers or institutions, which is why SPVA has released its requirements for the post manufacturing stage of payment devices
When you get a new credit card in the mail it generally comes in an unmarked envelope. It also has an inner security pattern so that you cannot see the contents, and the PIN is sent along later. When you buy a new NFC smartphone, however, it is kept in the retail store. It can be opened by any member of staff and there are multiple points at which exposure can occur between its place of manufacture and you taking it home. This leaves open the possibility of fraudulent tampering in order to get your card details. If the data is fraudulently used, both you and the card issuer can face losses.
Quotes referencing the new requirements for the post manufacturing stage of payment devices:
It is generally agreed that prevention of risk is better than cure, and SPVA is making prevention its focus, as is evident in the statements given by the organization.
“The current standards in the post manufacturing stage cannot provide complete authenticity and we feel that we have identified a list of solutions to improve security,” said Roberto Fananas, Hypercom security manager, speaking about the new requirements for the post manufacturing stage of payment devices. “The SPVA’s guidelines for the post manufacturing stage ensure that key data and materials used in the key loading process meet specific security requirements, thus eliminating the risk of fraudulent behavior.”
Steven Hughes, SPVA president, said the requirements for the post manufacturing stage of payment devices were needed because “The recommended guidelines by our Lifestyle of a Secure Payment Device Technical Working Group are designed to meet the security objectives of confidentiality, integrity, accountability, authenticity and non-repudiation,” and added that, “The ultimate goal is to protect cardholder information and defend merchants and acquirers against security breaches.”

SPVA requirements for the post manufacturing stage of payment devices
SPVA was founded by Hypercom, Ingenico S.A. & VeriFone, and is made up of Atos Worldline, Heartland Payment Systems, Chase Paymentech, Radiant Systems, Inc., Voltage Security and many others. More details about the requirements for the post manufacturing stage of payment devices can be found at the organization’s website; hit up the source link below.