The Green Sheet Online Edition

May 11, 2009  •  Issue 09:05:01


Two more terminal types under PCI SSC umbrella

With concern growing in the payments industry about the security and fraud issues surrounding PIN-based payment devices, the Payment Card Industry (PCI) Security Standards Council (SSC) widened its reach in April 2009 and introduced new security requirements for two previously unregulated payment devices.

The two devices added to the SSC's regulatory list are unattended payment terminals (UPTs) and hardware security modules (HSMs). The new regulations fall under the umbrella of an existing PCI DSS program for PIN entry devices (PED), which targets PIN-based technology more generally.

"[PED] was in existence with three of our brands - with Visa, Mastercard and JCB for some time, and the council took over the [PED] standard last year," said Bob Russo, General Manager of the PCI SSC.

Closer scrutiny

And for many merchants, Russo added, the UPT regulations will be of particular importance. UPTs are PIN pad terminals operated by a consumer in a merchant's absence. Common examples include gas station pumps, parking garage machines, kiosks and concert ticketers. Not surprisingly, UPT scenarios can be risky.

"Obviously, you don't have the physical security as with somebody who's sitting at the counter," said Dr. Tim Cranny, Chief Executive Officer for PCI compliance solutions provider, Panoptic Security Inc. "There's much more danger for someone physically opening up the box and looking inside and trying to attach their hardware, things like that."

That is precisely the kind of crime the SSC's newest product regulations are designed to curtail and, hopefully, eliminate. Russo said the regulations would ensure "two types of security [for PIN pads], physical and logical."

Getting physical

"The physical side involves the ability to make [the POS machines] tamper proof, to a certain extent," Russo said. "So, if you do in fact try and open one of these things ... it should become unusable.

"Or, if you were to open it up, nobody could insert anything in it or steal credit information or PIN information and send it to somebody in the parking lot" - a practice known as wardriving.

Russo said the "logical side" centered on the proper encryption of customer PIN information. He added that UPT security was especially tricky because the machines are more complex and have more parts to protect than standard terminals.

Multilayer challenges

"The major difference between a UPT and a PED is that the UPT has a number of additional moving parts, if you will, so you've got an encrypted PIN pad and in most cases you've got a printer; you've got the ability to enter data on a touch screen and you've got a back end database it goes through - so there are interfaces in there, and then on top of all that you've actually got the box the thing sits on," said Russo.

He added that effective use of multifaceted security targeting more than just one component of a UPT machine was the industry's biggest challenge relating to PIN-transaction security.

Russo said an HSM, on the other hand, was an "embedded piece of [security] hardware [within a payment terminal]" and a much greater concern for manufacturers than merchants, adding that merchants just need to make sure they purchase equipment compliant with the PED program standard.

Echoing that statement, Cranny said, "PED terminals are getting safer, yes, so using [PCI SSC] certified modules goes a long way towards tighter encryption security." For more information, visit www.pcisecuritystandards.org/pdfs/PCI_PED_General_FAQs.pdf.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
