The Green Sheet Online Edition

October 26, 2009  •  Issue 09:10:02

VeriFone addresses PCI enforcement confusion

A large part of what complicates compliance with the Payment Card Industry (PCI) standards for data, PIN entry device and payment application security is the frequent, though necessary, changing of the rules to keep up with evolving security threats.

To make things easier, the PCI Security Standards Council (PCI SSC) established specific timelines by which upgrades must be made to payment terminals. Yet, compliance is enforced by the card brands, not the PCI SSC.

Furthermore, the rules can be tweaked by individual acquirers eager to ensure the compliance of their merchants and thus avoid liability for data breaches or rules violations.

Such discrepancies in the way compliance is enforced can be a source of confusion among merchants, ISOs and merchant-level salespeople.

An Oct. 8, 2009, webinar put on by secure payment solutions provider VeriFone (available on VeriFone's Web site) addressed this and other issues relating to the PCI sunset dates and compliance generally. The webinar, hosted by Lori Breitzke, Director of Marketing for VeriFone, clarified when those sunset dates are, the differences between them and other related issues.

Those dates

Two important sunset dates are July 2010 and December 2014, and both relate to PIN Entry Device (PED) terminals. The first date is the time by which terminals manufactured before 2004 must be swapped; the latter pertains to terminals manufactured between 2004 and 2007. Those cannot be used after 2014, but their sale has been forbidden since the end of 2007.

Meanwhile, PED terminals built after 2007 - all of which support Triple Data Encryption Standard (triple DES) encryption, which is the key feature in all this - currently have no sunset date and can be used indefinitely.

According to Breitzke, there is "a whole lot of confusion over what the impact is" of the PCI compliance sunset dates because of some of the additional rules they have spawned.

For example, Visa has required that summaries be submitted of all triple DES-compliant terminals and "attendant POS activity" by October 2009.

Visa stated further that beginning in August 2012, acquirers may be assessed fines for "fostering non-triple DES compliant merchants or agents" even though triple DES encryption won't be required of all merchants by the PCI SSC until 2014.

New fees

"We know there is one major acquirer that has come out and said they are going to be charging noncompliance fees," Breitzke said. "But we've heard that several large acquirer processors have been charging these fees, so it's really up to the ISO to communicate with the acquirer processor to figure that out.

"But I think that's going to be very likely [that acquirers in general will begin levying fees for noncompliance] because the acquirer is the one that's going to be liable. So a way for them to recoup some of those costs of noncompliance or a breach would be to charge some kind of a fee."

Breitzke said that for merchants using terminals without PIN debit, there is "absolutely no compliance or security mandate to get rid of it." Nonetheless, she stressed that, for security reasons, having an updated terminal is always a good idea.

Breitzke also mentioned an omission in the PCI SSC's merchant self-assessment security questionnaire used to check various compliance points: It does not contain any questions that specifically address PED devices. "We have spoken with the PCI Security Council, and they do plan to update that questionnaire," she said.
