The Green Sheet Online Edition
December 14, 2009 • Issue 09:12:01
PIN entry devices: Plan now for July 2010
If you are an acquirer, ISO or merchant level salesperson, you are not alone if you do not fully understand the PIN entry device (PED) security initiative, now managed under the PCI Security Standards Council's (PCI SSC) PIN Transaction Security program. Typically, it's not that merchants and those serving them don't want to comply; it's that they don't know where to start. PED requirements are made all the more intimidating by the multitude of terms and acronyms used.
Important Visa Inc. compliance dates are quickly approaching. This article is intended to provide a basic understanding of PED security requirements.
Why focus on PED security?
While credit card data continues to be a primary target for cyber thieves, it is cardholder data coupled with the debit PIN that commands top dollar on the black market today. Why?
Criminals can certainly make a decent living counterfeiting credit cards and making fraudulent purchases, but PINs equip thieves with the information they need to deplete a consumer's banking account - and cash is king.
According to the Verizon Business 2009 Data Breach Investigations Report, "The higher value commanded by PIN data has spawned a cycle of innovation in attack methodologies.
Criminals have re-engineered their processes and developed new tools - such as memory-scraping malware - to steal this valuable commodity. This has led to the successful execution of complex attack strategies previously thought to be only theoretically possible."
Furthermore, according to the RetailPayments blog, a Verizon Business webinar reported on a Russian criminal gang that offers a fee-based data encryption standard (DES)-cracking service. Ship a POS PED to the gang overnight, and they will return the DES keys within 72 hours for $250,000, or you get your money back.
Years ago, it was unimaginable that encryption keys could be cracked in such a short time. However, with rising demand and improved technology, encryption-cracking services are emerging at a disturbing rate.
What is PCI PED security all about?
Visa's PED security requirements apply to all hardware devices that accept PIN entry for transaction processing and are designed to ensure the security of those transactions. A PED typically consists of a keypad, a screen display for user interaction, firmware, a processor and storage for PIN processing.
PEDs are designed to keep data secure by such means as preventing the device from producing a clear-text PIN. A PED that fully meets security requirements also has a number of other security features, including those that minimize the likelihood of the device being stolen or embedded with a PIN-disclosing bug.
The PED security requirements also include guidelines for device management capabilities up to the point of initial "key loading" - the act of loading the acquirer's secret encryption keys.
The full scope of device management includes the logistics and control of the device during its manufacture, encryption, delivery and storage. In aggregate, these requirements are designed to prevent unauthorized modifications to the security features of the device at any point during its lifecycle.
How has the PED security standard evolved?
The PED standard evolved alongside the Payment Card Industry (PCI) Data Security Standard (DSS). Visa got the ball rolling in 2004 when it mandated that newly purchased POS PEDs had to be Visa-approved and to support Triple DES (TDES). Subsequently, MasterCard Worldwide and JCB International Co. Ltd. joined forces with Visa to jointly administer the PED security requirements and approval procedures.
In 2007, the PCI SSC assumed responsibility as the single source of information for PED requirements, including the PCI PED equipment approval list.
What kinds of PEDs exist?
Following are the types of PEDs in use today:
- Attended POS PIN devices: The descriptor "attended" distinguishes a device as being managed by a cashier or sales clerk. Examples of where attended POS PIN devices would be deployed are a dry cleaner, deli, coffee shop or retail store.
- Unattended devices: Unattended devices are tailored for self-service situations, such as fuel dispensers (pay-at-the-pump stations), kiosks (ticketing and vending machines) and ATMs.
- Hardware security modules (HSMs): HSMs support various debit functions and are not customer-facing.
I will focus on the mandate related to attended POS PEDs. You can learn more about PED testing requirements for unattended POS PEDs and HSMs by visiting the PCI SSC's Web site at www.pcisecuritystandards.org.
How do merchants comply with attended POS PED mandates?
Merchants who accept PIN debit transactions must ensure they are using approved PEDs. Any "never-approved" device must be decommissioned by July 1, 2010, if it has not been upgraded to meet current standards.
To determine if a device is approved, merchants should check the device against one of two lists. Visa still maintains a list of approved PEDs. The second list, "PCI Approved PIN Entry Devices," is maintained by the PCI SSC. The device must match the listed model name, hardware number, firmware number and, if applicable, any corresponding number on all fields; a device whose firmware or hardware number differs from the listed entry is not an approved device.
For the list of PCI-approved PIN entry devices, visit www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html. For the list of Visa-approved PIN entry devices, go to https://partnernetwork.visa.com/vpn/global/category.do?categoryId=19&documentId=33&userRegion=1.
What is the TDES as it relates to PED security?
Visa mandates that, in addition to ensuring that attended POS PED devices are approved, all POS PEDs must be enabled with TDES by July 1, 2010. TDES is a more robust encryption standard than the single DES used by older devices; it is intended to greatly strengthen PIN encryption and reduce the risk of a compromise through a brute force attack on the key.
To be clear, the TDES mandate falls under the PED security umbrella but is a separate Visa requirement for merchants accepting PIN-based transactions.
Visa indicated that acquirers may be assessed fines for sponsoring any non-TDES-compliant merchants or agents as of Aug. 1, 2012. Although 2012 seems like a long way off, acquirers shouldn't ignore the July 1, 2010, mandate.
If a breach occurs as a result of a PIN compromise, the acquirer may not be insulated by Visa's liability protection program. As a result, the acquirer may be liable for penalties in accordance with Visa International Operating Regulations.
Merchants should also keep in mind that although Visa may not be proactively fining acquirers for noncompliance until August 2012, acquirers typically reserve the right (via merchant agreements) to fine their merchants at any time.
How do merchants comply with Visa's mandate concerning TDES usage?
With assistance from the acquirer or merchant bank, a merchant accepting PIN-based debit transactions must determine if a given PED is "Triple DES-capable." Many integrated PEDs - especially those deployed within the last few years - are most likely TDES-capable.
Merchants who are already using TDES-capable PIN pads can make arrangements with their acquirers or encryption and support organizations to have TDES keys "injected."
Older devices may only support single DES. If the integrated PED is not TDES-capable, a merchant must upgrade the PED terminal and then have the TDES key injected before shipment of the new device. Another option is for merchants to purchase external PIN pads with the TDES keys implemented.
Start planning now
Remember, July 2010 is just over six months away. Acquirers should take a holistic approach and consider both Visa mandates (PED approval and TDES usage) when formulating a PED security implementation strategy. Consider the following steps as part of your planning efforts:
- Determine your affected population by confirming which merchants are accepting PIN-based transactions.
- Segment the population into two categories: (1) merchants using "never approved" PEDs, and (2) merchants who are using approved PEDs but have not implemented TDES.
- Determine merchant resolution options for the various scenarios (upgrade PED, ship PED for Triple DES injection, stop accepting PIN transactions and so forth).
- Assess what it will take to facilitate your compliance initiative, and confirm the approach. Consider in-house implementation versus outsourcing. You may want to address this project concurrently as part of your PCI DSS compliance efforts.
- Create educational material for internal and external use.
- Develop a communications plan targeted to impacted merchants. Help them understand how the PED mandate(s) apply to them, why they are important, what merchants need to do, and the consequences for noncompliance.
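The approval-list check and the two-way segmentation described above, as an added example that is not from the article or from ControlScan. The approval-list entries, merchant inventory and TDES flags are constructed sample data; a real check would load the PCI SSC and Visa lists linked earlier and the acquirer's own device inventory.

```python
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class DeviceKey(NamedTuple):
    """The fields an inventory record must match against the approval list."""
    model: str
    hardware: str
    firmware: str


def normalize(key: DeviceKey) -> DeviceKey:
    """Case- and whitespace-insensitive comparison so sloppy inventory entries still match."""
    return DeviceKey(*(field.strip().casefold() for field in key))


# Constructed approval list (hypothetical devices, not real PCI SSC or Visa entries).
APPROVED: Set[DeviceKey] = {
    DeviceKey("ExamplePad 100", "HW-A1", "FW-2.1"),
    DeviceKey("ExamplePad 200", "HW-B3", "FW-3.0"),
}

# Constructed merchant inventory: (merchant id, device, TDES keys injected?).
INVENTORY: List[Tuple[str, DeviceKey, bool]] = [
    ("M-001", DeviceKey("ExamplePad 100", "HW-A1", "FW-2.1"), True),
    ("M-002", DeviceKey("ExamplePad 100", "HW-A1", "FW-1.9"), True),     # older firmware: not listed
    ("M-003", DeviceKey("ExamplePad 200", "HW-B3", "FW-3.0"), False),    # approved, still single DES
    ("M-004", DeviceKey(" examplepad 200", "hw-b3", "FW-3.0 "), False),  # same device, sloppy entry
]

# Resolution options from the planning step, keyed by segment.
RESOLUTIONS: Dict[str, str] = {
    "never_approved": "upgrade or decommission the PED by July 1, 2010",
    "approved_no_tdes": "arrange TDES key injection, or upgrade the PED if it is not TDES-capable",
    "compliant": "no action required",
}


def segment(inventory: Iterable[Tuple[str, DeviceKey, bool]],
            approved: Iterable[DeviceKey]) -> Dict[str, List[str]]:
    """Split merchants into the two remediation populations plus those already compliant."""
    approved_norm = {normalize(k) for k in approved}
    result: Dict[str, List[str]] = {name: [] for name in RESOLUTIONS}
    for merchant_id, device, tdes_enabled in inventory:
        if normalize(device) not in approved_norm:   # all three fields must match an entry
            result["never_approved"].append(merchant_id)
        elif not tdes_enabled:
            result["approved_no_tdes"].append(merchant_id)
        else:
            result["compliant"].append(merchant_id)
    return result
```

Printing `segment(INVENTORY, APPROVED)` alongside `RESOLUTIONS` gives each merchant segment its resolution option from the planning list.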
Joan Herbig is Chief Executive Officer of ControlScan. She has more than 20 years' experience in the high-tech world and serves on the Electronic Transactions Association's Risk and Fraud committee. Contact her at firstname.lastname@example.org or 800-825-3301.