SRED and Open Protocol: a Possible Cybersecurity Career Path?

Dennis Steenbergen
As a Qualified Security Assessor (QSA) evaluating merchants in retail stores, I have seen firsthand how important it is to protect customers' personal and financial information during the payment process. One of the key ways this is achieved is through the use of a payment device, also known as a Point of Interaction (POI). These devices are fascinating and operate as if they were magic. With each personal purchase, I'm continually impressed by just how fast the authorization process is. If you are interested in cryptography, there are career paths as a Qualified PIN Assessor, or QPA.

Although QPA salaries are difficult to estimate and vary widely, according to ZipRecruiter, Security Assessor salaries range from $100,000 at the 25th percentile (salaries below this are outliers) to $137,500 at the 75th percentile.

Let's look at some of the information QPAs need to understand, so you can see whether this path interests you.
For starters, the POI is responsible for encrypting the customer's Personal Identification Number (PIN) and Primary Account Number (PAN) during the payment authorization process. This is done using advanced encryption algorithms that scramble the customer's information into an unreadable code. This code is then transmitted to the payment processor, which uses specialized software to verify the transaction and authorize the payment.
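As an added illustration (not from the post, and not any assessor's tooling), here is the clear-text structure a POI builds before encrypting the PIN: the ISO 9564-1 Format 0 PIN block, which binds the PIN to the PAN. The post does not name this format, so it is an assumption here, the encryption step under the device's key is left out, and every PIN and PAN value is a constructed sample.

```python
# Added example: ISO 9564-1 Format 0 PIN block, the clear-text structure a POI
# builds before encrypting it under a key held inside the device. The cipher
# step itself is not shown here. All PIN/PAN values below are constructed samples.


def pan_field(pan: str) -> bytes:
    """PAN field: 4 zero nibbles + the 12 rightmost PAN digits excluding the check digit."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("PAN must have at least 13 digits")
    return bytes.fromhex("0000" + digits[-13:-1])


def pin_field(pin: str) -> bytes:
    """PIN field: control nibble 0, PIN length nibble, PIN digits, then F padding to 16 nibbles."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}{'F' * (14 - len(pin))}")


def format0_pin_block(pin: str, pan: str) -> bytes:
    """Clear PIN block = PIN field XOR PAN field; binding to the PAN means the same
    PIN yields a different block for every card."""
    return bytes(a ^ b for a, b in zip(pin_field(pin), pan_field(pan)))


def recover_pin(block: bytes, pan: str) -> str:
    """Verifier side: undo the XOR and validate the layout, rejecting malformed blocks
    (for example a block recovered with the wrong PAN fails the padding check)."""
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    field = bytes(a ^ b for a, b in zip(block, pan_field(pan))).hex().upper()
    if field[0] != "0":
        raise ValueError("not a Format 0 PIN block")
    length = int(field[1], 16)
    pin, padding = field[2:2 + length], field[2 + length:]
    if not 4 <= length <= 12 or not pin.isdigit() or padding != "F" * (14 - length):
        raise ValueError("malformed PIN block")
    return pin


if __name__ == "__main__":
    sample_pan = "4111111111111111"  # constructed, Luhn-valid test number
    block = format0_pin_block("1234", sample_pan)
    print(block.hex().upper())             # 041225EEEEEEEEEE
    print(recover_pin(block, sample_pan))  # 1234
```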

There are two types of encryption modules that can be used in a POI: SRED and Open Protocol. SRED stands for Secure Reading and Exchange of Data and is a closed, proprietary encryption module. This means that it is developed and maintained by a specific company and is not publicly available. SRED modules are typically used in devices that require a high level of security, such as ATMs or point-of-sale (POS) terminals in high-risk environments.

These modules can be both hardware and software components.

In the case of hardware encryption modules, SRED and Open Protocol modules are physical components built into the POI or payment device. They are designed to encrypt the customer's PIN and PAN using advanced encryption algorithms. Because the encryption takes place within the hardware module itself, the customer's information is protected throughout the payment authorization process.

On the other hand, software encryption modules are typically installed onto the payment device as a program or application. These modules use the device's processing power to encrypt the customer's PIN and PAN during the payment authorization process. While software encryption modules are not physically built into the device, they can still provide a high level of security for customer information.

It's worth noting that the choice between hardware and software encryption modules depends on the specific needs of the payment device. Hardware encryption modules can provide a higher level of security and are often used in devices that require a high level of protection, such as ATMs or point-of-sale (POS) terminals in high-risk environments. Software encryption modules, on the other hand, can be more flexible and adaptable to different types of payment devices.

I had the privilege to shadow experienced Qualified PIN Assessors (QPAs) as they did their thing. They have tools to plug into POI devices to test the hardware and software modules. I was surprised to learn you can even scan the devices with Nmap to look for open ports, and in one case, port 69 was open! QPAs ensure that merchants are using payment devices that meet the necessary security standards and requirements and produce a report on compliance when finished. The process is interesting to watch.

The use of a payment device, or Point of Interaction, is essential for protecting customer information during the payment authorization process and there is more going on under the hood than meets the eye. If you find encryption interesting as I do, the Security Standards Council encourages anyone to attend their Qualified PIN Assessor (QPA) Qualification training. Check out the SSC's website for more information.