The Green Sheet Online Edition

May 14, 2007  •  Issue 07:05:01

Forging ahead with PCI PED

By Bulent Ozayaz

Last month, I pointed out that Dec. 31, 2007, is the last day on which acquirers can purchase Visa-approved PIN entry devices (PEDs). This month, I'd like to dig deeper into the ramifications of the coming Payment Card Industry (PCI) Data Security Standard PED era.

If nothing else, one thing is certain: Once we embark upon the PCI PED path, we can never go back. PCI PED requirements are a much-needed, and some would say overdue, strengthening of PIN pad security. Certainly, we're all aware of major compromises to cardholder data security resulting from the use of older PEDs.

PCI PED is designed to raise the hurdle to hacking attacks by making it much more expensive to tamper with or otherwise compromise PEDs. PCI PED requires better physical protection of sensitive data, improved defenses against keypad tapping, stricter defenses against display tampering and stricter key management.

Come Jan. 1, 2008, the only PEDs you'll be able to purchase from equipment manufacturers will be those that are PCI PED approved.

At VeriFone, we have been preparing for this day for two years, making sure that we have upgrades or next-generation replacements to meet the needs of existing customers in various markets.

The deadline presents significant opportunity for you, as ISOs and merchant level salespeople (MLSs). In addition to heightened security, new products designed for the PCI PED era will, in general, provide your customers with greater value, lower cost of ownership, increased reliability, a more user-friendly design, better performance and speed, and in some cases, multimedia capabilities.

As with any major industry shift, your primary function will be to educate your customers on what is occurring and how it will affect them.

PCI PED history

PCI is a set of standards that resulted from Visa U.S.A. and MasterCard Worldwide agreeing in 2004 to align their separate PED requirements into an industry-wide standard. They were later joined in this effort by the Japan-based card brand, JCB International Co. Ltd.

Subsequently, Visa, MasterCard, JCB, American Express Co. and Discover Financial Services LLC collaborated on PCI, a broader initiative covering the storage, transmission and processing of cardholder data.

In 2006, these five card brands formed the PCI Security Standards Council, opening up participation to a broad range of industry participants.

Finally, in April 2007, Visa, MasterCard and JCB formally transferred responsibility for PCI PED to the council, providing a more formal structure for future development of PED requirements.

Currently, PEDs receive PCI PED approval once they've gone through a third-party approval process. The standard is scheduled to be revised every three years. Version 2 was finalized in April 2007 and will take effect a year from now.

PCI PED repercussions

First off, your customers don't need to panic. Visa PED-approved terminals are still acceptable for usage; manufacturers just can't sell them for PIN-entry use as of Jan. 1, 2008. However, your customers need to be aware that older devices predating the Visa PED standard will need to be pulled out of service by July 2010.

If you've got Visa PED-approved systems in stock after Dec. 31, 2007, there is no current prohibition against your supplying those to customers, according to Visa.

However, strategically it would make sense to reserve those for multi-unit customers that will require inline replacements or want additional older units to maintain uniformity until they are ready to move to a newer line.

The wisest course is to educate customers on the advisability of moving to PCI PED-approved systems. This will help ensure that they comply with the latest requirements and benefit from the latest protections against security assaults.

It will also reassure them that they will be able to obtain replacement and supplemental PCI PED-approved units down the line, something that is not the case with Visa PED-approved systems.

Educate yourself on your supplier's PCI adoption or replacement strategy for each product line your customers use. VeriFone's PCI PED product plans are outlined at www.verifone.com/industry/security/pdf/PCI_PED_solutions.pdf.

Selling security

Most important: If you're not already doing so, sell security as a feature. It's in your customers' best interests to be up to date with security measures. It's unlikely that security requirements will abate; if anything, they will become stronger.

Criminal elements are constantly on the hunt in today's electronic transaction world. They seek the weakest link to exploit, because that is where they can make money most quickly, with least risk. Merchants who become that "weakest link" will ultimately suffer the consequences.

Therefore, it is important that you and your customers understand your respective responsibilities.

Every participant in the electronic transaction value chain has a role in the maintenance of secure payments. As the famous saying goes, water flows downhill, as do blame and financial penalty.

The consequences of a compromise are multiple, including:

Your role as a consultative sales professional is extremely important. To be effective, you must understand the security issues affecting your merchants.

But this burden comes with a payoff: The more you educate your customers, the more willing they will be to pay for up-to-date payment systems.

Bulent Ozayaz is VeriFone Vice President of Marketing for North America. He can be reached at bulent_ozayaz@verifone.com.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
