GS Logo
The Green Sheet, Inc

Please Log in

A Thing
View Archives

View PDF of this issue

Care to Share?

Table of Contents

Lead Story

Transportation payments in transition


Industry Update

Financial reform bill passes Senate, interchange targeted

Why won't Apple take cash for iPads?

PCI SSC unveils new PTS requirements

Trade Association News

Selling Prepaid

Prepaid in brief

Prepaid's role in monetizing social media

A new benefits option for Floridians


The drive to innovate

Scott Henry
VeriFone Inc.

Canada: An untapped marketplace

Jeffrey Shavitz
Charge Card Systems Inc.


Street SmartsSM:
What does a merchant get for a PCI fee? - Part 1

Ken Musante
Eureka Payments LLC

The art of cross-marketing: How to maximize existing client relationships and boost sales

Peggy Bekavac Olson
Strategic Marketing

Consult your way to success

Tom Hennigan
Retail Cloud

Digging into PCI - Part 12: Maintain a policy that addresses information security for employees and contractors

Tim Cranny
Panoptic Security Inc.

A primer on accountability

Jeff Fortney
Clearent LLC

How to use technology to redefine today's economy

Daniel Burrus
Burrus Research Associates Inc.

Company Profile

NETSURION (formerly Vendor Safe Technologies)

New Products

Skimming alert system

VeriFone PED Authentication Service
Verifone Inc.

End-to-end bulwark

E3 Secure
Heartland Payment Systems Inc.


Change - it never changes



Resource Guide


A Bigger Thing

The Green Sheet Online Edition

June 14, 2010  •  Issue 10:06:01

previous next

New Products

Skimming alert system

Product: VeriFone PED Authentication Service

We tend to think of data thieves as cyber criminals punching away on some remote computer keyboard, working invisibly and anonymously. In the world of credit card data theft, "skimming" is a distinct type of crime, as it involves an act of physical intrusion. Often, terminal devices are moved from their legitimate origin and either put back some time later (with a skimmer built in) or sold to another buyer.

A new service from terminal manufacturer VeriFone Inc., called the VeriFone PED Authentication Service, aims to clamp down on such terminal tampering. The service monitors and tracks a number of VeriFone-issued terminals using something called the Unique Manufacturers Authentication Key (UMAK) - an electronic code embedded in PIN entry devices (PEDs) of certain VeriFone terminals.

The service is compatible with VeriFone's VX Series, MX Series, SC 5000 and Omni 3700 Series devices, which account for between 80 and 90 percent of VeriFone terminals in use, according to Paul Rasori, VeriFone's Senior Vice President of Marketing.

"The deadline for unapproved [PED] devices is [July] 2010, but devices that followed are going to be valid for use in the marketplace until 2014," Rasori said. "Those devices were built on security technology that's now 10 years old.

"The fact is that we're seeing the sophistication of criminal attacks growing quite a bit, with criminals exploiting these older devices in the marketplace. Without mandates for acquirers to remove those devices, we thought there was another layer of security that would be required here."

Secret code

The UMAK is, in fact, a secret codification of information that's unique to each PED - including the device's serial number and precise location (that is, street address and, where applicable, the exact lane or counter where it is used at a given merchant outlet). Only VeriFone knows the UMAK on any one of its products.

The VPAS service uses the UMAK to detect anything out of the ordinary with a given PED. Merchants who subscribe to the service will have their terminals remotely programmed to send out a signal that VeriFone's monitoring system receives at regular intervals. That signal will contain the UMAK that's programmed into the device, indicating that it is locked down at its proper location.

If a device is removed from its location - as devices often are, even only momentarily, when they are tampered with - the UMAK signal is interrupted, alerting the company that the device is no longer in its proper place (or wasn't in its proper place for a certain stretch of time, but is now). VeriFone can then notify the owner of the terminal that there may be tampering; if the terminal isn't still missing, the merchant is advised to inspect it for damage or rogue attachments.

The presence of rogue devices with skimming capabilities is indicated by either the lack of a UMAK signal or the transmission of an aberrant one. In most cases, the replacement device won't send out a UMAK signal, and the absence of that signal will trigger an alarm.

No 'spoofing'

A more sophisticated criminal who fraudulently programs a rogue terminal with address information will also trigger an alarm because the programmed information won't match the encrypted format of the UMAK, which is known only to officials at VeriFone. Anything other than the original code coming through would indicate that the device is fraudulent, Rasori said.

"The premise behind the VPAS service is we've developed a centralized database of all these devices and are able to track both the serial number of each device and also the location of the device right down to the lane it's installed in," Rasori said. "With UMAK, we're able to securely authenticate [that a device is in its proper place] using the secret code that VeriFone has which relates to each device. So it's impossible for criminals to spoof that system because they'd never be able to recreate that information."

Rasori added that the removal of the device for legitimate repairs can trigger a false positive emergency signal. But he added that "every merchant acquirer has access to a web portal where they can register different types of events like that, where they can say device with serial number such and such was taken out of service for repair. Then that device is basically put on hold, and when they want to put it back into service, they can go back in and say, 'This is where the device is going to be and where it should be.'"

VeriFone Inc.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

previous next

Spotlight Innovators:

North American Bancard | USAePay | Impact Paysystems | Electronic Merchant Systems | Board Studios