With concern growing in the payments industry about the security and fraud issues surrounding PIN-based payment devices, the Payment Card Industry (PCI) Security Standards Council (SSC) widened its reach in April 2009 and introduced new security requirements for two payment devices previously unregulated.
The two devices added to the SSC's regulatory list are unattended payment terminals (UPTs) and hardware security modules (HSMs). The new regulations fall under the umbrella of an existing PCI DSS program for PIN entry devices (PED), which targets PIN-based technology more generally.
"[PED] was in existence with three of our brands - with Visa, Mastercard and JCB for some time, and the council took over the [PED] standard last year," said Bob Russo, General Manager of the PCI SSC.
And for many merchants, Russo added, the UPT regulations will be of particular importance. UPTs are PIN pad terminals operated by a consumer in a merchant's absence. Common examples include gas station pumps, parking garage machines, kiosks and concert ticketers. Not surprisingly, UPT scenarios can be risky.
"Obviously, you don't have the physical security as with somebody who's sitting at the counter," said Dr. Tim Cranny, Chief Executive Officer for PCI compliance solutions provider, Panoptic Security Inc. "There's much more danger for someone physically opening up the box and looking inside and trying to attach their hardware, things like that."
That is precisely the kind of crime the SSC's newest product regulations are designed to curtail, and hopefully, eliminate. Russo said the regulations would ensure "two types of security [for PIN pads], physical and logical."
"The physical side involves the ability to make [the POS machines] tamper proof, to a certain extent," Russo said. "So, if you do in fact try and open one of these things ... it should become unusable.
"Or, if you were to open it up, nobody could insert anything in it or steal credit information or PIN information and send it to somebody in the parking lot" - a practice known as wardriving.
Russo said the "logical side" centered on the proper encryption of customer PIN information. He added that UPT security was especially tricky because the machines are more complex and have more parts to protect than standard terminals.
"The major difference between a UPT and a PED is that the UPT has a number of additional moving parts, if you will, so you've got an encrypted PIN pad and in most cases you've got a printer; you've got the ability to enter data on a touch screen and you've got a back end database it goes through - so there are interfaces in there, and then on top of all that you've actually got the box the thing sits on," said Russo.
He added that effective use of multifaceted security targeting more than just one component of a UPT machine was the industry's biggest challenge relating to PIN-transaction security.
Russo said an HSM, on the other hand, was an "embedded piece of [security] hardware [within a payment terminal]" and a much greater concern for manufacturers than merchants, adding that merchants just need to make sure they purchase equipment compliant with the PED program standard.
Echoing that statement, Cranny said, "PED terminals are getting safer, yes, so using [PCI SCC] certified modules goes a long way towards tighter encryption security." For more information, visit www.pcisecuritystandards.org/pdfs/PCI_PED_General_FAQs.pdf.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next