
Understanding Payments Compliance: FIPS and PCI Standards

The payment industry is evolving rapidly, driven by technological advances and a surge in digital transactions. Newer regulatory frameworks, such as the proposed Third Payment Services Directive (PSD3), push innovations like open banking and the integration of banking and non-banking systems to improve the customer experience.

These advances, while beneficial, have led to an exponential increase in the volume of sensitive financial data transmitted across networks. As a result, there is an urgent need for security techniques that protect critical data such as customers' PINs, and that authenticate payment cards, against cyber threats and financial loss.

In this article, we will explore two key standards—FIPS and PCI—that are essential for payments compliance and discuss their relevance within the industry.

What is Payments Compliance?

Payments compliance refers to adhering to laws, regulations, and standards governing financial transactions and payment processing. It ensures that these transactions are conducted securely, transparently, and in accordance with applicable rules and regulations to prevent fraud, money laundering, and other financial crimes.

Achieving compliance involves several key steps. One of them is implementing strong security measures, and we’re here to assist you with that.

Payments Compliance Mandates Robust Security

To protect PINs and payment cards, Hardware Security Modules (HSMs) are considered the optimal solution because they keep keys inside tamper-resistant hardware and perform the cryptography there, so clear keys and clear PINs never leave the module. The PCI PIN Security Requirements accept an HSM only if it is Payment Card Industry (PCI) PTS HSM approved or validated under Federal Information Processing Standards (FIPS) 140-2 Level 3 or higher; note that NIST now validates new modules against FIPS 140-3, the successor to 140-2.

FIPS Compliance

FIPS, the Federal Information Processing Standards published by NIST, have long been the reference framework for cryptographic security: the FIPS 140 series (FIPS 140-1 in 1994, 140-2 in 2001, and 140-3 today) governs cryptographic modules and their use in environments such as healthcare, government, and enterprises that handle sensitive data. FIPS validation ensures that the cryptographic practices within these environments, including encryption algorithms, digital signatures, and random number generation, meet a defined security level (Level 1 to Level 4). The key cryptographic algorithms approved under FIPS have included TDES, AES, SHA, and RSA. These algorithms serve different purposes:

  • TDES (Triple DES, specified in FIPS 46-3 and later SP 800-67) applies the DES block cipher three times to each 64-bit block; it is still present in many legacy systems, mainly in financial services and ATMs
  • AES (FIPS 197) is the preferred encryption standard for cardholder data and other critical data, with a 128-bit block and 128-, 192- or 256-bit keys
  • SHA (the SHA-2 and SHA-3 hash families, FIPS 180-4 and FIPS 202) provides integrity and is the building block inside digital signatures, MACs, and key derivation
  • RSA (FIPS 186) is a public-key algorithm used for digital signatures and for securely transporting symmetric keys

However, over time FIPS has shifted its emphasis to AES, RSA, and SHA because of their stronger security margins, and sidelined TDES: NIST deprecated TDES encryption in SP 800-131A and disallows it for new encryption after 2023, largely because its 64-bit block size exposes it to birthday-bound attacks (Sweet32) once a key has protected a few gigabytes of data. These FIPS-recommended algorithms are widely accepted for general-purpose data protection across industries.

PCI Compliance

Introduced in 2004 by the major card brands, the Payment Card Industry Data Security Standard (PCI DSS) aims to enhance the security of card transactions and to protect cardholder data such as the PAN; the separate PCI PIN Security Requirements and PCI PTS standards cover PINs and the devices and HSMs that handle them. PCI supports cryptographic algorithms like AES, RSA, and TDES to secure sensitive cardholder data during transmission and storage.

To summarize, FIPS laid the groundwork for cryptographic standards, while PCI built on these principles, adapting them to address the unique challenges of the payment industry.

In the following sections, we discuss two algorithms, TDES and AES, and their impact on the payment industry.

Payment Industry-Specific Algorithms

As mentioned earlier, FIPS has sidelined TDES.  

However, TDES remains entrenched in the payment industry because PCI historically required or recommended it to protect sensitive payment data, for example for PIN blocks and for DUKPT key derivation in terminals and ATMs. TDES is also easy to implement in hardware and software, and it is supported by the cryptographic libraries and protocols associated with payment security.

Why Is PCI Preferred Over FIPS?

Achieving FIPS certification presents significant challenges, especially because FIPS no longer accommodates TDES. FIPS is stringent: a FIPS-validated module may not use TDES for new encryption in its approved mode of operation, which makes compliance difficult while the payment industry continues to rely on this algorithm.

Given these challenges, PCI standards are more frequently chosen in the payment industry. PCI compliance provides a practical and effective framework for securing payment systems in an environment still dominated by TDES, and it lets the industry maintain robust security while gradually migrating to more advanced algorithms like AES. As long as TDES dominates the payment industry, PCI compliance will remain the operative requirement.

The move from TDES to AES is not just a technical upgrade but a fundamental shift in security protocols: key lengths, key-block formats (TR-31, now ANSI X9.143), PIN-block formats (ISO 9564-1 format 4 is the AES format) and terminal key derivation (AES DUKPT, ANSI X9.24-3) all change. The transition is a long process because TDES is deeply embedded in payment systems, and the gradual adoption of AES calls for a strategic approach that balances security needs with operational realities. PCI's own requirements already accommodate these AES formats, so TDES under PCI is a bridge rather than a permanent home. Given this context, the shift from TDES to AES will not happen suddenly, and the payment industry will continue to rely on TDES for the foreseeable future.
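To make that transition concrete at the level of a single PIN transaction, the following Go program is an added example, not code from the original article or from Utimaco. It builds ISO 9564-1 PIN blocks in format 0 (the legacy 64-bit layout encrypted with 2-key TDES) and format 4 (the 128-bit layout encrypted with AES) using only Go's standard library. The keys, PIN and PAN are constructed demo values, and the function names are this example's own. It shows two things the prose only asserts: the AES block is twice as wide, and format 4 folds eight random bytes into the block, so the same PIN on the same card never encrypts to the same ciphertext, whereas a format 0 block is a deterministic function of PIN and PAN under a given key.

```go
package main

import (
	"crypto/aes"
	"crypto/des"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

func unhex(s string) []byte { // inputs here are built from digit strings; a failure is a bug
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}
func xor(a, b []byte) []byte { // equal-length XOR
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// validate accepts 4..12-digit PINs ("" when decrypting) and 13..19-digit PANs.
func validate(pin, pan string) error {
	digits := func(s string) bool { return strings.Trim(s, "0123456789") == "" }
	if (pin != "" && (len(pin) < 4 || len(pin) > 12)) || !digits(pin) || len(pan) < 13 || len(pan) > 19 || !digits(pan) {
		return errors.New("PIN must be 4..12 digits and PAN 13..19 digits")
	}
	return nil
}

// pinField is the 16-nibble "control | length | PIN | fill" layout both formats share (0/F for format 0, 4/A for format 4).
func pinField(control, fill, pin string) []byte {
	return unhex(fmt.Sprintf("%s%X%s%s", control, len(pin), pin, strings.Repeat(fill, 14-len(pin))))
}

// PINBlock0 is the clear ISO 9564-1 format 0 block: PIN field XOR ("0000" + rightmost 12 PAN digits, check digit excluded).
func PINBlock0(pin, pan string) []byte {
	return xor(pinField("0", "F", pin), unhex("0000"+pan[len(pan)-13:len(pan)-1]))
}

// EncryptPINFormat0 TDES-encrypts the single 8-byte format 0 block; it is a pure function of PIN and PAN, so repeats are identical.
func EncryptPINFormat0(key16 []byte, pin, pan string) ([]byte, error) {
	if err := validate(pin, pan); err != nil || len(key16) != 16 {
		return nil, errors.New("bad PIN/PAN or key (2-key TDES needs a 16-byte key)")
	}
	blk, _ := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...)) // K1||K2||K1, 24 bytes, cannot fail here
	out := make([]byte, 8)
	blk.Encrypt(out, PINBlock0(pin, pan))
	return out, nil
}

// panBlock4 is one nibble (PAN length - 12), the PAN itself, then zero fill to 16 bytes.
func panBlock4(pan string) []byte {
	return unhex(fmt.Sprintf("%X%s%s", len(pan)-12, pan, strings.Repeat("0", 31-len(pan))))
}

// EncryptPINFormat4: PIN field plus 8 random bytes, AES-encrypted, XORed with the PAN block, AES-encrypted again; repeats differ.
func EncryptPINFormat4(key []byte, pin, pan string) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err2 := validate(pin, pan); err != nil || err2 != nil {
		return nil, errors.New("bad PIN/PAN or AES key")
	}
	rnd := make([]byte, 8)
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	a, out := make([]byte, 16), make([]byte, 16)
	blk.Encrypt(a, append(pinField("4", "A", pin), rnd...))
	blk.Encrypt(out, xor(a, panBlock4(pan)))
	return out, nil
}

// DecryptPINFormat4 reverses the two AES steps and checks control nibble, length, digits and fill, which fail under the wrong key or PAN.
func DecryptPINFormat4(key, epb []byte, pan string) (string, error) {
	blk, err := aes.NewCipher(key)
	if err2 := validate("", pan); err != nil || err2 != nil || len(epb) != 16 {
		return "", errors.New("bad key, PAN or block length")
	}
	b, pb := make([]byte, 16), make([]byte, 16)
	blk.Decrypt(b, epb)
	blk.Decrypt(pb, xor(b, panBlock4(pan)))
	hx := hex.EncodeToString(pb)
	n := strings.IndexByte("0123456789abcdef", hx[1])
	if hx[0] != '4' || n < 4 || n > 12 || strings.Trim(hx[2+n:16], "a") != "" || strings.Trim(hx[2:2+n], "0123456789") != "" {
		return "", errors.New("malformed PIN block: wrong key or PAN")
	}
	return hx[2 : 2+n], nil
}

func main() { // constructed demo keys and card data, not real material
	e0, _ := EncryptPINFormat0(unhex("0123456789ABCDEFFEDCBA9876543210"), "1234", "4000001234567899")
	e4, _ := EncryptPINFormat4(unhex("00112233445566778899AABBCCDDEEFF"), "1234", "4000001234567899")
	fmt.Printf("format 0 / TDES: %X\nformat 4 / AES:  %X\n", e0, e4)
}
```

Run it twice with `go run` and the TDES line repeats while the AES line changes. The clear format 0 layout can be checked by hand against the spec: PIN 1234 with PAN 43219876543210987 gives the block 0412AC89ABCDEF67 before encryption. A deterministic 8-byte block is exactly the shape of data that the 64-bit birthday bound and ciphertext-equality leaks hit hardest, which is why the AES format was designed with a random fill and a 16-byte block; Go's own crypto/des documentation flags DES as cryptographically broken for the same reason NIST has disallowed TDES encryption.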

Prioritizing PCI Compliance today – A Pragmatic Approach

The payment industry faces a dual challenge: maintaining security with TDES while transitioning to AES. Given the slow pace of change and the difficulty of achieving FIPS validation for a TDES-dependent design, prioritizing PCI compliance is the pragmatic approach. PCI standards, which still accommodate TDES, offer a compliance framework tailored to the security needs of the payment industry, and that makes them the essential focus as the industry navigates this transition period.

Starting with Atalla Payment HSM

Utimaco’s Atalla AT1000 Payment HSM is certified for the most demanding application profiles. It is PCI PTS HSM v3 certified and compliant with FIPS 140-2 Level 3 and FIPS 140-2 Level 4 (Physical design), allowing you to select the best HSM in the market.  

To learn more about Atalla HSMs, visit our product page or contact our experts to discuss the details. 
