Public Relations Blog
Plan Ahead For A Hot Summer

January 4th, 2010

Many ISOs and MLSs do not fully understand the initiative for enhanced pinpad security, which is now managed by the PCI Security Standards Council (PCI SSC) under its PIN Transaction Security (PTS) program. Normally it is not that merchants and those servicing their accounts don't want to comply; it is that they do not know where to start. The many terms and acronyms used to describe the process make it all the more confusing.

Compliance dates are approaching fast. In this article I will lay out the basics of PCI compliance for PIN entry devices.

What’s the big deal?

Cyber thieves continuously target credit card data, but it is the card data together with the PINs that is the goldmine. Why is this?

Counterfeiting credit cards and making multiple purchases can certainly provide a criminal with a decent living, but the PIN gives the thieves what they need to deplete the cardholder's bank account.

Criminals have developed new tools, such as memory-scraping malware, to capture consumers' PINs.

A Verizon Business webinar reported that a Russian criminal gang offers a key-cracking service for a fee: according to a RetailPayments blog, if you ship a POS PED to the gang, they will return its encryption keys within two days for $250,000, or you get your money back.

It is almost unimaginable that keys can be recovered in such a short time, but with rising demand and new technology the number of such cracking devices is growing at an alarming rate.

What is this all about?

The PED security requirements issued by Visa apply to all hardware that accepts PIN-entry card transactions and are designed to ensure the security of those transactions. A PED usually consists of a display, a keypad, a processor, storage, and firmware for PIN processing.

Data is kept secure by never allowing the device to output a clear-text PIN. A device that fully meets all of the security requirements is less likely to have been implanted with a bug that would disclose PIN information.

The security requirements also include guidelines for managing devices up to the point at which the acquirer's secret encryption keys are first loaded.

Device management covers manufacturing, encryption, delivery, and even storage. Throughout the device's lifecycle, these guidelines are intended to reduce the chance of unauthorized modification.

How has the PED security standard been enhanced?

The PED standard was restructured alongside the PCI Data Security Standard. In 2004, Visa mandated that all POS PEDs support Triple DES encryption and be approved directly by Visa. MasterCard and JCB followed, joining Visa to produce joint security and approval requirements.

In 2007 the PCI SSC took full responsibility as the single source for all PED requirements and for the PCI PED approval list.

What are the different kinds of PEDs?

-Unattended devices: made for self-service situations such as pay-at-the-pump, ATMs, and kiosks.
-Attended devices: managed by a sales clerk, as in retail stores, delis, etc.
-Hardware security modules: support various debit features; not customer facing.

How do merchants comply with POS PED requirements?

Merchants must ensure that they are using PCI PED approved pinpads with their terminals. Devices that are not approved must be taken out of use by July 1, 2010, unless they have been upgraded to the new security standards.

You can check your device against either of two lists: Visa publishes a list of all approved devices, and so does the PCI SSC.

The lists can be found at:
www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html

https://partnernetwork.visa.com/vpn/global/category.do?categoryId=19&documentId=33&userRegion=1

What is TDES with regard to PED security?

In addition to ensuring that all of your PIN devices are approved, Visa mandates that all devices be TDES-enabled by July 1, 2010. TDES (Triple DES) is an encryption standard that greatly strengthens the encryption of PIN data and reduces the risk of compromise through an attack.

Acquirers can be fined for having merchants that are still using non-compliant PIN devices as of August 2012. Even though that seems far away, the July 1st mandate should not be ignored.

If a PIN compromise results in a data breach, the acquirer may not be covered by Visa's liability protection program and could be liable for the penalties associated with the breach.

Although acquirers will not be fined until 2012, Visa reserves the right to fine the merchant directly at any time.

How do merchants comply with TDES?

A merchant must determine whether the pinpad in use is Triple DES capable. Most pinpads purchased in the last five years support this feature.

If you already have a Triple DES capable pinpad, you can make arrangements with your provider to have a TDES key injected into the pinpad.

Older devices were built to support only single DES. These terminals must be replaced with new devices; an external pinpad is also an option.
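The TDES and key-injection points above have a practical caveat worth checking: a "TDES-capable" pinpad is only as strong as the key it was injected with. Triple DES runs encrypt-decrypt-encrypt under components K1, K2, K3, so a key whose K1 equals K2 (or K2 equals K3) collapses to single DES, and a component that is one of the four known DES weak keys is worse still. The following classifier is an added example written for this post, not code from the original article or from any vendor; the key values in it are constructed test data, not real injected keys.

```python
# Added example: classify the effective strength of a DES/TDES key as it
# would be handed to a PIN entry device at injection time.  Key bytes below
# are constructed test vectors with the odd parity DES expects.

# The four DES keys for which encryption is its own inverse (E_K(E_K(x)) == x).
DES_WEAK_KEYS = {
    bytes.fromhex("0101010101010101"),
    bytes.fromhex("FEFEFEFEFEFEFEFE"),
    bytes.fromhex("E0E0E0E0F1F1F1F1"),
    bytes.fromhex("1F1F1F1F0E0E0E0E"),
}


def has_odd_parity(key: bytes) -> bool:
    """Each DES key byte holds 7 key bits plus one parity bit and must have odd parity."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def classify_key(key: bytes) -> str:
    """Return the algorithm a PED would effectively be running under this key.

    8 bytes  -> single DES
    16 bytes -> 2-key TDES (K3 = K1)
    24 bytes -> 3-key TDES
    Degenerate TDES keys (K1 == K2 or K2 == K3) are reported as single-DES
    because the EDE construction cancels one encryption against one decryption.
    """
    if len(key) not in (8, 16, 24):
        raise ValueError("DES keys are 8 bytes; TDES keys are 16 or 24 bytes")
    if not has_odd_parity(key):
        return "invalid-parity"
    parts = [key[i:i + 8] for i in range(0, len(key), 8)]
    if any(p in DES_WEAK_KEYS for p in parts):
        return "weak-component"
    if len(parts) == 1:
        return "single-DES"
    k1, k2 = parts[0], parts[1]
    k3 = parts[2] if len(parts) == 3 else k1
    if k1 == k2 or k2 == k3:
        return "single-DES"  # TDES in name only: E_K3(D_K2(E_K1(x))) reduces to one DES
    if k1 == k3:
        return "2-key-TDES"
    return "3-key-TDES"


# Constructed components, all with correct odd parity.
KA = bytes.fromhex("0123456789ABCDEF")
KB = bytes.fromhex("FEDCBA9876543210")
KC = bytes.fromhex("1313131313131313")
```

A device that reports itself as TDES-enabled but was injected with a key equivalent to `KA + KA + KA` is still running single DES, which is the case the July 2010 mandate is meant to retire.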

Start planning!

July 2010 is not that far away.