The Green Sheet Online Edition
May 14, 2007 • Issue 07:05:01
Forging ahead with PCI PED
Last month, I pointed out that Dec. 31, 2007, is the last day on which acquirers can purchase Visa-approved PIN entry devices (PEDs). This month, I'd like to dig deeper into the ramifications of the coming Payment Card Industry (PCI) PED era. (PCI PED is the card brands' PIN entry device security requirements, a standard distinct from the PCI Data Security Standard that governs cardholder data handling.)
If nothing else, one thing is certain: Once we embark upon the PCI PED path, we can never go back. PCI PED requirements are a much needed, and some would say overdue, strengthening of PIN pad security. Certainly, we're all aware of major compromises to cardholder data security resulting from the use of older PEDs.
PCI PED is designed to raise the hurdle to hacking attacks by making it much more expensive to tamper with or otherwise compromise PEDs. PCI PED requires better physical protection of sensitive data, improved defenses against keypad tapping, stricter defenses against display tampering and stricter key management.
Come Jan. 1, 2008, the only PEDs you'll be able to purchase from equipment manufacturers will be those that are PCI PED approved.
At VeriFone, we have been preparing for this day for two years, making sure that we have upgrades or next-generation replacements to meet the needs of existing customers in various markets.
The deadline presents significant opportunity for you, as ISOs and merchant level salespeople (MLSs). In addition to heightened security, new products designed for the PCI PED era will, in general, provide your customers with greater value, lower cost of ownership, increased reliability, a more user-friendly design, better performance and speed, and in some cases, multimedia capabilities.
As with any major industry shift, your primary function will be to educate your customers on what is occurring and how it will affect them.
PCI PED history
PCI PED is the set of requirements that resulted from Visa U.S.A. and MasterCard Worldwide agreeing in 2004 to align their separate PED requirements into an industry-wide standard. They were later joined in this effort by the Japanese-based card brand, JCB International Co. Ltd.
Subsequently, Visa, MasterCard, JCB, American Express Co. and Discover Financial Services LLC collaborated on the PCI Data Security Standard (DSS), a broader initiative covering the storage, transmission and processing of cardholder data.
In 2006, these five card brands formed the PCI Security Standards Council, opening up participation to a broad range of industry participants.
Finally, in April 2007, Visa, MasterCard and JCB formally transferred responsibility for PCI PED to the council, providing a more formal structure for future development of PED requirements.
Currently, PEDs receive PCI PED approval once they've been evaluated against the requirements by a recognized third-party laboratory and the results have been accepted. The standard is scheduled to be revised every three years. Version 2 was finalized in April 2007 and will take effect a year from now.
PCI PED repercussions
First off, your customers don't need to panic. Visa PED-approved terminals are still acceptable for usage; manufacturers just can't sell them for PIN-entry use as of Jan. 1, 2008. However, your customers need to be aware that older devices predating the Visa PED standard will need to be pulled out of service by July 2010.
If you've got Visa PED-approved systems in stock after Dec. 31, 2007, there is no current prohibition against your supplying those to customers, according to Visa.
However, strategically it would make sense to reserve those for multi-unit customers that will require inline replacements or want additional older units to maintain uniformity until they are ready to move to a newer line.
The wisest course is to educate customers on the advisability of moving to PCI PED-approved systems. This will help ensure that they comply with the latest requirements and benefit from the latest protections against security assaults.
It will also reassure them that they will be able to obtain replacement and supplemental PCI PED-approved units down the line, something that is not the case with Visa PED-approved systems.
Educate yourself on your supplier's PCI adoption or replacement strategy for each product line your customers use. VeriFone's PCI PED product plans are outlined at www.verifone.com/industry/security/pdf/PCI_PED_solutions.pdf.
Most important: If you're not already doing so, sell security as a feature. It's in your customers' best interests to be up to date with security measures. It's unlikely that security requirements will abate; if anything, they will become stronger.
Criminal elements are constantly on the hunt in today's electronic transaction world. They seek the weakest link to exploit, because that is where they can make money most quickly, with least risk. Merchants who become that "weakest link" will ultimately suffer the consequences.
Therefore, it is important that you and your customers understand your respective responsibilities.
Every participant in the electronic transaction value chain has a role in the maintenance of secure payments. As the famous saying goes, water flows downhill, as do blame and financial penalty.
The consequences of a compromise are multiple, including:
- Costs for investigating the cause
- Card Association fines passed from Association to acquirer to merchant
- Potential Federal Trade Commission and other government agency fines
- Loss of consumer confidence and damage to a merchant's reputation
- Actual fraud losses
- Cardholder inconvenience
Your role as a consultative sales professional is extremely important. To be effective, you must understand the security issues affecting your merchants.
But this burden comes with a payoff: The more you educate your customers, the more willing they will be to pay for up-to-date payment systems.
Bulent Ozayaz is VeriFone Vice President of Marketing for North America. He can be reached at firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.