asterCard Worldwide has issued some fairly draconian requirements for its new POS Terminal Security, or PTS, program. But you'd be hard-pressed to find information about the program. There has been surprisingly little written about this topic in the POS trade press, and there's nothing on MasterCard's public Web site.

But, if you haven't heard about PTS, you need to take note because it will undoubtedly have a large impact on your business.

PTS Ps and Qs

PTS is a new set of requirements regarding the transmission of payment transactions via wireless POS terminals and Internet Protocol (IP)-enabled terminals.

The goal is admirable: to protect security and privacy of information transmitted from a POS terminal to an acquirer's host system. In short, MasterCard is mandating that all such transmissions be encrypted.

MasterCard's new requirements are separate from the Payment Card Industry (PCI) Data Security Standard PIN entry device (PED) security requirements, which are primarily focused on POS integrity.

PTS is primarily focused on operating system and communication libraries to ensure that devices can properly authenticate themselves to networks (and vice versa) and have adequate levels of data-encryption capabilities.

In 2005, MasterCard issued guidelines for this new set of requirements and set out three deadlines:

The first, April 1, 2006 (no fool's jokes, please), required acquirers to ensure all newly deployed wireless POS terminals and IP-enabled POS terminals be submitted for evaluation and approval under MasterCard's IP POS terminal compliance testing program.

The second, Sept. 1, 2006, required acquirers to ensure all newly installed wireless and IP-enabled POS terminals deployed on or after Sept. 1, 2006, support encryption. This includes replacement terminals.

The third, Jan. 3, 2007, requires acquirers to upgrade all wireless and IP-enabled terminals deployed before Sept. 1, 2006.

Getting hip to IP

What does that mean to you? Well, if PTS is implemented fully under that schedule, it's going to require upgrading all wireless and IP terminals installed before September 2006.

That creates tremendous opportunity for you to provide upgrade services to customers with systems that can be updated, or to replace systems that cannot be easily brought into compliance.

VeriFone was first out-of-the-gate with a full product family of wireless and countertop IP-enabled systems to meet the new PTS requirements, when the company announced in early November full product-line compliance for the Vx Solutions family. The Nurit line of payment systems is also fully compliant and in the process of completing certification.

However, there are many wireless systems on the market that do not utilize IP and Secure Sockets Layer (SSL) and will require outright replacement.

IP at the POS

VeriFone has long made the claim that bringing the speed, reliability, affordability and versatility of IP-based technologies to the POS is one of the most important technological advancements to touch the payments industry in recent years. Processors, acquirers and ISOs that were quick to embrace these solutions have gained significant market advantage to date.

IP solutions provide reduced merchant processing fees, eliminate the need and cost of additional phone lines and long distance charges, and facilitate the extension of corporate systems to the store level.

We are also rapidly approaching the point where wireless communications is a more sensible economic choice than the landline telephone option for merchants, due to pricing, flexibility and speed of installation.

IP is now a ubiquitous enabling technology that works with most local area network or wide area network technologies to efficiently move data across networks.

It has been adopted by general commerce as the standard way to communicate with private and public networks or with the Internet via an Internet service provider.

IP supports various platforms including personal computers, cell phones, cable set-top boxes and retail POS terminals. It is the key to the many advantages of "always-on" high-speed wired and wireless networks. Retailers and service providers enjoy the flexibility of choosing whatever network suits their needs and budgets.

High-speed, IP-based networks offer faster and more efficient transaction processing, lower overall communications costs, and reduced support and terminal management costs. Deployment and support are further streamlined through easy, secure access to applications over network connections.

But because IP-based and wireless communications use networks that are inherently more open and easier to access than dial phone lines, the adoption of these technologies requires greater attention to security.

Sock-it-to-me encryption

An effective wireless payment solution provides a secure payment processing environment with advanced hardware tamper detection and response, PED security approval, and 128-bit SSL encryption for IP-based transaction processing and application downloading.

VeriFone was among the first to offer IP-based POS transactions that use the industry-standard SSL encryption standard. Connecting directly to a processing host via IP communications utilizing SSL reduces the dependency on proprietary network access controllers and lowers an acquirer's total cost of ownership.

SSL creates a shared key - or "secret" - between two devices, so that only those devices can understand the information that is passed between them. This creates an end-to-end secure environment. So if someone were to intercept the transmission signal, they would be unable to "read" any information.

If you have ever purchased anything online, you've used the same encryption, which secures billions of dollars in Internet commerce today.

Encryption of payment transactions is a critical issue in today's world, where the criminal element is constantly on the move, looking for cracks in the security of the financial system. It is vital that you as an ISO/merchant level salesperson be aware of fast-moving card Association requirements.

Plugging the liability flow

As we all know, when it comes to financial liability in the payments world, the water flows downhill. Ultimately it is your merchant customers who will end up footing the bill for noncompliance and breaches.

Regardless of whether MasterCard loosens its strict deadlines or moderates implementation in some manner to soften the impact, the march to stricter security requirements is unstoppable. The more you do to stay on top of changing requirements, the better able you'll be to keep your merchants in compliance and preserve lasting customer relationships.

Bulent Ozayaz is VeriFone Vice President of Marketing for North America. He can be reached at bulent_ozayaz@verifone.com