For starters, the POI is responsible for encrypting the customer's Personal Identification Number (PIN) and Primary Account Number (PAN) during the payment authorization process. This is done with encryption algorithms that turn the customer's data into unreadable ciphertext. That ciphertext is then transmitted to the payment processor, which uses specialized software to verify the transaction and authorize the payment.
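In practice the PIN is not encrypted on its own: under ISO 9564 format 0, the convention most POI devices follow, the PIN field is first XORed with part of the PAN so that the resulting block is tied to one card and one transaction's account. The Python below is an added illustration of that binding, not code from the original post or from any device vendor; the PAN and PIN values are constructed test data, the format choice is my assumption about what these devices use, and the cipher step under the device's PIN encryption key is left out.

```python
# Added example: ISO 9564-1 format 0 PIN block construction and checking.
# This is the clear block that the POI's secure module then encrypts under
# its PIN encryption key; the cipher step itself is not shown here.


def pan_field(pan: str) -> bytes:
    """Rightmost 12 PAN digits excluding the check digit, left-padded with 0000."""
    if not (13 <= len(pan) <= 19) or not pan.isdigit():
        raise ValueError("PAN must be 13-19 decimal digits")
    return bytes.fromhex("0000" + pan[-13:-1])


def pin_field(pin: str) -> bytes:
    """Control nibble 0, PIN length, PIN digits, then 0xF padding to 16 nibbles."""
    if not (4 <= len(pin) <= 12) or not pin.isdigit():
        raise ValueError("PIN must be 4-12 decimal digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))


def build_pin_block(pin: str, pan: str) -> bytes:
    """Clear format-0 PIN block = PIN field XOR PAN field (8 bytes)."""
    return bytes(a ^ b for a, b in zip(pin_field(pin), pan_field(pan)))


def extract_pin(block: bytes, pan: str) -> str:
    """Undo the XOR with the PAN the host is authorising for.

    If the block was built for a different PAN, the recovered field fails the
    format checks, which is exactly the binding the format is designed to give.
    """
    field = bytes(a ^ b for a, b in zip(block, pan_field(pan))).hex().upper()
    if field[0] != "0":
        raise ValueError("not a format-0 block")
    length = int(field[1], 16)
    pin, pad = field[2:2 + length], field[2 + length:]
    if not (4 <= length <= 12) or not pin.isdigit() or pad != "F" * len(pad):
        raise ValueError("PIN block does not match this PAN")
    return pin


def block_matches_pan(block: bytes, pan: str) -> bool:
    """True when the block decodes cleanly against the given PAN."""
    try:
        extract_pin(block, pan)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    PAN, PIN = "4111111111111111", "1234"  # constructed test values, not real card data
    block = build_pin_block(PIN, PAN)
    print(block.hex().upper())  # 041225EEEEEEEEEE
    print(block_matches_pan(block, "5555555555554444"))  # False
```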
There are two types of encryption modules that can be used in a POI: SRED and Open protocol. SRED stands for Secure Reading and Exchange of Data and is a closed, proprietary encryption module. This means that it is developed and maintained by a specific company and is not publicly available. SRED modules are typically used in devices that require a high level of security, such as ATMs or point-of-sale (POS) terminals in high-risk environments.
Hardware encryption modules, whether SRED or Open protocol, are physical devices built into the POI or payment device. They are designed to encrypt the customer's PIN and PAN using advanced encryption algorithms, and because the encryption takes place inside the hardware module itself, the customer's information stays protected throughout the payment authorization process.
On the other hand, software encryption modules are typically installed onto the payment device as a program or application. These modules use the device's processing power to encrypt the customer's PIN and PAN during the payment authorization process. While software encryption modules are not physically built into the device, they can still provide a high level of security for customer information.
It's worth noting that the choice between hardware and software encryption modules depends on the specific needs of the payment device. Hardware encryption modules can provide a higher level of security and are often used in devices that require a high level of protection, such as ATMs or point-of-sale (POS) terminals in high-risk environments. Software encryption modules, on the other hand, can be more flexible and adaptable to different types of payment devices.
I had the privilege to shadow experienced Qualified PIN Assessors (QPAs) as they did their thing. They have tools to plug into POI devices to test the hardware and software modules. I was surprised to learn you can even scan the devices with Nmap to look for open ports, and in one case, port 69 was open! QPAs ensure that merchants are using payment devices that meet the necessary security standards and requirements and produce a report on compliance when finished. The process is interesting to watch.
The use of a payment device, or Point of Interaction, is essential for protecting customer information during the payment authorization process, and there is more going on under the hood than meets the eye. If you find encryption as interesting as I do, the Security Standards Council encourages anyone to attend their Qualified PIN Assessor (QPA) Qualification training. Check out the SSC's website for more information.