The Green Sheet Online Edition
October 26, 2009 • Issue 09:10:02
VeriFone addresses PCI enforcement confusion
A large part of what complicates compliance with the Payment Card Industry (PCI) standards for data, PIN entry device and payment application security is the frequent, though necessary, changing of the rules to keep up with evolving security threats.
To make things easier, the PCI Security Standards Council (PCI SSC) established specific timelines by which upgrades must be made to payment terminals. Yet, compliance is enforced by the card brands, not the PCI SSC.
Furthermore, the rules can be tweaked by individual acquirers eager to ensure the compliance of their merchants and thus avoid liability for data breaches or rules violations.
Such discrepancies in the way compliance is enforced can be a source of confusion among merchants, ISOs and merchant level salespeople.
An Oct. 8, 2009, webinar put on by secure payment solutions provider VeriFone (available on VeriFone's Web site at www.verifonezone.com) addressed this and other issues relating to the PCI sunset dates and compliance generally. The webinar, hosted by Lori Breitzke, Director of Marketing for VeriFone, clarified when those sunset dates are, the differences between each one and other related issues.
Two important sunset dates are July 2010 and December 2014, and both relate to PIN Entry Device (PED) terminals. The first date is the time by which terminals manufactured before 2004 must be swapped; the latter pertains to terminals manufactured between 2004 and 2007. Those cannot be used after 2014, but their sale has been forbidden since the end of 2007.
Meanwhile, PED terminals built after 2007 - all of which support triple Data Encryption Standard (triple DES) encryption, which is the key feature in all this - can, for now, be used indefinitely.
According to Breitzke, there is "a whole lot of confusion over what the impact is" of the PCI compliance sunset dates because of some of the additional rules they have spawned.
For example, Visa has required that summaries be submitted of all triple DES-compliant terminals and "attendant POS activity" by October 2009.
Visa stated further that beginning in August 2012, acquirers may be assessed fines for "fostering non-triple DES compliant merchants or agents" even though triple DES encryption won't be required of all merchants by the PCI SSC until 2014.
"We know there is one major acquirer that has come out and said they are going to be charging noncompliance fees," Breitzke said. "But we've heard that several large acquirer processors have been charging these fees, so it's really up to the ISO to communicate with the acquirer processor to figure that out.
"But I think that's going to be very likely [that acquirers in general will begin levying fees for noncompliance] because the acquirer is the one that's going to be liable. So a way for them to recoup some of those costs of noncompliance or a breach would be to charge some kind of a fee."
Breitzke said that for merchants using terminals without PIN debit, there is "absolutely no compliance or security mandate to get rid of it." Nonetheless, she stressed that, for security reasons, having an updated terminal is always a good idea.
Breitzke also mentioned an omission in the PCI SSC's merchant self-assessment security questionnaire used to check various compliance points: It does not contain any questions that specifically address PED devices. "We have spoken with the PCI Security Council, and they do plan to update that questionnaire," she said.