Safe Communication: SRED & Open Protocols
SRED (Secure Reading and Exchange of Data) is Module 4 of the PCI PTS standard. It addresses the implementation and key management requirements that allow secure encryption of cardholder data at the point of customer interaction (POI). Such encryption of card data from the POI is often called 'End-to-End Encryption' (E2EE) or 'Point-to-Point Encryption' (P2PE).

The Open Protocols requirements are Module 3 of the PCI PTS requirements and apply to devices that communicate card payment information across an IP connection. This module addresses the security of the underlying IP protocol implementation and the ways in which secure applications can be developed on that platform.

Witham Laboratories assists clients in understanding the impact these PTS modules have on their products. In providing guidance, we are able to help clients ensure the products they are designing meet the PTS requirements. As an accredited Qualified Security Assessor (QSA) and accredited PCI PED assessor, we can also provide information on how these modules of the PCI PTS standard relate to other PCI requirements, such as PCI DSS, PA-DSS, and other modules of the PCI PTS standard. This is a complex area of information security, and our clients are always relieved to have the resource of our specialist knowledge available to them.

The testing process

An evaluation of the Open Protocols module is similar to a penetration test performed on POS devices. It is conducted to identify weaknesses in the services and protocols that the IP or wireless connection provides. The methods used to secure and authenticate the communications channel are also assessed. Testing against the SRED requirements involves examining the cryptography and key management methods implemented, as well as a physical and logical examination of the security of the card acceptance device.

Security of payment card data is more important today than ever before, and increasingly the compromise of such data occurs through remote interception or poorly implemented IP-based communication. To assist in preventing such attacks, the Payment Card Industry has introduced the SRED and Open Protocols sections of the PCI PTS requirements.
