
The Green Sheet Online Edition

December 14, 2009  •  Issue 09:12:01


PIN entry devices: Plan now for July 2010

By Joan Herbig

If you are an acquirer, ISO or merchant level salesperson, you are not alone if you do not fully understand the PIN entry device (PED) security initiative, now managed under the PCI Security Standards Council's (PCI SSC) PIN Transaction Security program. Typically, it's not that merchants and those serving them don't want to comply; it's that they don't know where to start. PED requirements are made all the more intimidating by the multitude of terms and acronyms used.

Important Visa Inc. compliance dates are quickly approaching. This article is intended to provide a basic understanding of PED security requirements.

Why focus on PED security?

While credit card data continues to be a primary target for cyber thieves, it is cardholder data coupled with the debit PIN that commands top dollar on the black market today. Why?

Criminals can certainly make a decent living counterfeiting credit cards and making fraudulent purchases, but PINs equip thieves with the information they need to deplete a consumer's banking account - and cash is king.

According to the Verizon Business 2009 Data Breach Investigations Report, "The higher value commanded by PIN data has spawned a cycle of innovation in attack methodologies.

Criminals have re-engineered their processes and developed new tools - such as memory-scraping malware - to steal this valuable commodity. This has led to the successful execution of complex attack strategies previously thought to be only theoretically possible."

Furthermore, according to the RetailPayments blog, a Verizon Business webinar reported on a Russian criminal gang that offers a fee-based data encryption standard (DES)-cracking service. Ship a POS PED to the gang overnight, and they will return the DES keys within 72 hours for $250,000, or you get your money back.

Years ago, it was unimaginable that encryption schemes could be decoded in such a short time. However, with rising demand and improved technology, encryption-cracking services are emerging at a disturbing rate.

What is PCI PED security all about?

Visa's PED security requirements apply to all hardware devices that accept PIN entry for transaction processing and are designed to ensure the security of those transactions. A PED typically consists of a keypad, a screen display for user interaction, firmware, a processor and storage for PIN processing.

PEDs are designed to keep data secure by such means as preventing the device from producing a clear-text PIN. A PED that fully meets security requirements also has a number of other security features, including those that minimize the likelihood of the device being stolen or embedded with a PIN-disclosing bug.

The PED security requirements also include guidelines for device management capabilities up to the point of initial "key loading" - the act of loading the acquirer's secret encryption keys.

The full scope of device management includes the logistics and control of the device during its manufacture, encryption, delivery and storage. In aggregate, these requirements are designed to prevent unauthorized modifications to the security features of the device at any point during its lifecycle.

How has the PED security standard evolved?

The PED standard evolved alongside the Payment Card Industry (PCI) Data Security Standard (DSS). Visa got the ball rolling in 2004 when it mandated that newly purchased POS PEDs had to be Visa-approved and to support Triple DES (TDES). Subsequently, MasterCard Worldwide and JCB International Co. Ltd. joined forces with Visa to jointly administer the PED security requirements and approval procedures.

In 2007, the PCI SSC assumed responsibility as the single source of information for PED requirements, including the PCI PED equipment approval list.

What kinds of PEDs exist?

Following are the types of PEDs in use today:

I will focus on the mandate related to attended POS PEDs. You can learn more about PED testing requirements for unattended POS PEDs and HSMs by visiting the PCI SSC's Web site at www.pcisecuritystandards.org.

How do merchants comply with attended POS PED mandates?

Merchants who accept PIN debit transactions must ensure they are using approved PEDs. Any "never-approved" device must be decommissioned by July 1, 2010, if it has not been upgraded to meet current standards.

To determine if a device is approved, merchants should check the device against one of two lists. Visa still maintains a list of approved PEDs. The second list, "PCI Approved PIN Entry Devices," is maintained by the PCI SSC. The device must match the model name, hardware number, firmware number and corresponding number if applicable.

For the list of PCI-approved PIN entry devices, visit www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html. For the list of Visa-approved PIN entry devices, go to https://partnernetwork.visa.com/vpn/global/category.do?categoryId=19&documentId=33&userRegion=1.

What is the TDES as it relates to PED security?

Visa mandates that in addition to ensuring that attended POS PED devices are approved, all POS PEDs must be enabled with TDES by July 1, 2010. TDES is a more robust encryption standard intended to greatly strengthen PIN encryption and reduce the risk of suffering a compromise from a brute force attack.

To be clear, the TDES mandate falls under the PED security umbrella but is a separate Visa requirement for merchants accepting PIN-based transactions.

Visa indicated that acquirers may be assessed fines for sponsoring any non-TDES-compliant merchants or agents as of Aug. 1, 2012. Although 2012 seems like a long way off, acquirers shouldn't ignore the July 1, 2010, mandate.

If a breach occurs as a result of a PIN compromise, the acquirer may not be insulated by Visa's liability protection program. As a result, the acquirer may be liable for penalties in accordance with Visa International Operating Regulations.

Merchants should also keep in mind that although Visa may not be proactively fining acquirers for noncompliance until August 2012, acquirers typically reserve the right (via merchant agreements) to fine their merchants at any time.

How do merchants comply with Visa's mandate concerning TDES usage?

With assistance from the acquirer or merchant bank, a merchant accepting PIN-based debit transactions must determine if a given PED is "Triple DES-capable." Many integrated PEDs - especially those deployed within the last few years - are most likely TDES-capable.

Merchants who are already using TDES-capable PIN pads can make arrangements with their acquirers or encryption and support organizations to have TDES keys "injected."

Older devices may only support single DES. If the integrated PED is not TDES-capable, a merchant must upgrade the PED terminal and then have the TDES key injected before shipment of the new device. Another option is for merchants to purchase external PIN pads with the TDES keys implemented.
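The two checks described above (approval-list match on model, hardware and firmware number, and TDES capability plus key injection) can be combined into one fleet triage. The following is an added example, not code from the article or from ControlScan; the approval-list entries and merchant records are constructed placeholders, and the action labels are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Visa deadline stated in the article: never-approved attended POS PEDs must be
# upgraded or decommissioned, and all POS PEDs TDES-enabled, by July 1, 2010.
DEADLINE = date(2010, 7, 1)

# Constructed approval-list entries (placeholders, not real PCI SSC or Visa data).
# Both published lists identify a device by model name, hardware number and
# firmware number, and the article says all of them must match.
APPROVED_PEDS = {
    ("EXAMPLE-PED-100", "HW-1.0", "FW-2.3"),
    ("EXAMPLE-PED-200", "HW-2.1", "FW-4.0"),
}


@dataclass(frozen=True)
class DeployedPed:
    merchant_id: str
    model: str
    hardware: str
    firmware: str
    tdes_capable: bool        # can the device hold a TDES key at all?
    tdes_keys_injected: bool  # has the acquirer's TDES key been injected?


def is_approved(ped, approved=APPROVED_PEDS):
    # Exact match on all three identifiers after case/whitespace normalisation;
    # a device running a firmware other than the listed one is never-approved.
    key = tuple(v.strip().upper() for v in (ped.model, ped.hardware, ped.firmware))
    return key in {tuple(v.upper() for v in entry) for entry in approved}


def compliance_actions(ped, today, approved=APPROVED_PEDS):
    """Return the open remediation steps for one PED as (action, overdue) pairs."""
    actions = []
    overdue = today >= DEADLINE
    if not is_approved(ped, approved):
        actions.append(("decommission-or-upgrade", overdue))
    if not ped.tdes_capable:
        # Single-DES-only hardware: replace the PED or add an external TDES PIN pad.
        actions.append(("replace-ped-or-add-external-tdes-pad", overdue))
    elif not ped.tdes_keys_injected:
        actions.append(("inject-tdes-keys", overdue))
    return actions


def triage(fleet, today, approved=APPROVED_PEDS):
    """Map each merchant to its open actions; a compliant merchant maps to []."""
    return {p.merchant_id: compliance_actions(p, today, approved) for p in fleet}
```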

Start planning now

Remember, July 2010 is just over six months away. Acquirers should take a holistic approach and consider both Visa mandates (PED approval and TDES usage) when formulating a PED security implementation strategy. Consider the following steps as part of your planning efforts:

Joan Herbig is Chief Executive Officer of ControlScan. She has more than 20 years' experience in the high-tech world and serves on the Electronic Transactions Association's Risk and Fraud committee. Contact her at jherbig@controlscan.com or 800-825-3301.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
