FEATURE
Card Technology Today, May 2008

Taking a stand on payment security

Payment acceptance systems need to meet continually evolving standards and achieve rigorous certifications in order to help ensure a secure card transaction environment. But ever-stricter standards also create an opportunity to provide greater value, increased reliability and better performance.

Creating payment systems for use in consumer environments requires building a protected world in which cardholders, merchants and banks can perform transactions reliably, securely, and with peace of mind. This mutual network of trust requires everyone in the payment chain to follow good practices: cardholders must take care of their cards and PINs, retailers must monitor staff and effectively manage their systems, and finally, anyone storing sensitive customer data electronically must properly safeguard that data.

Electronic payment acceptance systems must comply with a raft of national and international standards and safety requirements (for example, the CE mark), which can relate to various aspects of the hardware including modems, wireless facilities and power supplies. Unique to the payments world, however, is the need for security. From a hardware perspective, it is these physical and logical security requirements that are now being mandated more stringently than ever.

Payment processing requires higher standards of security than many other business transactions. The consequences of security failure can be costly and may include a forensic incident investigation of any breach, a card association fine, government sanctions and, most damaging, the loss of consumer confidence and an injured business reputation.

Evaluating the security

End-to-end security across the payments chain is only as strong as its weakest link. In this context PIN pad security is no longer an abstract concern, as recent headlines about payment security breaches and PIN pad tampering demonstrate.

The Payment Card Industry PIN Entry Device (PCI PED) security requirements are the latest set of security standards for online and offline PIN entry devices, including magnetic stripe and smart card PIN pads as well as terminals with built-in PIN pads.

The tampering incidents have involved older, less secure devices, known as pre-PED. Criminals have either substituted a device containing an electronic 'bug', or have directly inserted these bugs on systems in place to capture customer card data and PINs. PCI PED is an updated requirement for PED suppliers that is designed to prevent or detect this type of tampering and to provide tighter security for sensitive consumer and card information. The newer PCI PED requirements include a standardised testing process that combines one set of standards for each of the organisations that developed PED requirements: Visa, MasterCard, Discover Financial Services, American Express and JCB. In conjunction with PCI security requirements, which are now under the auspices of the PCI Security Standards Council, PED manufacturers also need to adhere to regional and country-specific security requirements.

Path to a global standard

Prior to 2004, minimal standards governed the manufacture of PIN entry devices. Protection of master keys, key encryption schemes and the proper software operation of devices were usually the chief requirements, while individual suppliers were free to validate software standards and tamper prevention and detection.

The introduction of EMV and increasing numbers of PIN-based cards led to a growing recognition that PIN pads in retail outlets could potentially become the 'weakest link' in the payments chain. In January 2004, Visa required PED testing by an independent laboratory to ensure PEDs maintain a consistent level of physical and logical security. Visa required its acquiring members to deploy only POS PED models that had passed a Visa-sanctioned evaluation that determined a device's compliance with Visa's PED security requirements. These devices are generally categorised as Visa PED-approved.

In 2004, Visa, MasterCard Worldwide and JCB aligned their separate specifications under the Payment Card Industry PED Security Requirements banner, PCI PED. The PCI PED security requirements cover all aspects of PED development, including its physical and logical characteristics, as well as how the PED is produced, controlled, transported, stored and used throughout its life cycle. It requires better protection of sensitive data storage and use, improved defences against keypad tapping, and stricter defences against display tampering, alongside stricter key management.

The requirements cover a variety of areas, including tamper protection, cryptographic control of prompting, PIN monitoring prevention, deterrents to prevent the visual observation of PIN entry, authentication of software applications, smart card reader security, as well as encryption and key management requirements. Under the latest PCI PED 2.0 certification standards, privacy shield requirements have been defined to ensure cashiers, customers or people standing nearby cannot easily observe the PIN during entry by the cardholder, deterring attempts to discover PINs by 'shoulder-surfing'. Each device, including those used in unattended environments, must be equipped with proper shielding protection. In addition, a tamper resistant security module (TRSM) automatically deletes encryption keys and instantly puts the device out of service when a tampering effort is detected.

The new security standards are designed to secure PIN-based transactions globally, and apply to all devices that accept PIN entry. For PED manufacturers, security testing will now depend on a single set of requirements, helping to ensure cardholder security and providing opportunities for faster development and deployment.

Under the PCI PED certification process, manufacturers must deliver a fully functional device with test software to the relevant security auditors, including detailed design documents. Testing in the laboratory can take several months, depending on the complexity of the system. In addition to the PCI PED certification process, manufacturers can simultaneously undertake country or region specific standards testing for their devices.

After the testing, during which every attempt will be made to compromise and breach the payment device, the laboratory report goes to the relevant PCI Card Associations for approval and confirmation of the certification award.

Achieving compliance

The PCI Security Standards Council has issued a mandate relating to the phased PCI PED implementation programme. Under this guidance, all devices previously approved and designated as compliant with existing PCI PED requirements will automatically be accepted into the new programme until their current approvals expire. From 1 January 2008, manufacturers have been required to ensure that any newly introduced device is PCI PED certified.

As of 1 January 2008, Visa PED-approved PIN entry devices can no longer be sold, although retailers may still deploy any device purchased before this date. At the present time, no 'sunset' date for the withdrawal of these devices from service has been defined.

Acquirers are mandated to ensure that currently installed, non-approved PEDs (those that don't meet either Visa PED or PCI PED requirements) are removed from service by June 2010. Failure to comply with this mandate means liability protection will be removed. As a consequence, in the event of a PIN compromise, card reissue costs are likely to be passed to the retailer and penalties will be imposed by the card association, which may also revoke a merchant's service agreement.

The PCI PIN Security Program

In addition to security requirements relating to the payment terminal itself, the PIN Security Program, which is designed to protect cardholder PINs during message processing, requires compliant equipment for PIN entry, specified cryptography to protect the PIN during transmission, and documentation and methods that ensure key secrecy.

The program also specifies acceptable cryptography and mandates Triple DES (Data Encryption Standard) usage. To underpin device security, from 1 January 2004 all newly deployed POS PIN entry devices were required to support Triple DES (single DES has been fully retired by ISO and ANSI). As of 31 December 2007, all VisaNET/Interlink endpoint Issuer Working Keys (IWKs) and Acquirer Working Keys (AWKs) must use Triple DES, and by 1 July 2010, all transactions must be encrypted in Triple DES from point-of-origin to the issuer. Note: PINs can never be stored.

PCI DSS

There are several ways that criminals can collect customer data for later fraudulent use. Fraudsters may retrieve a tampered device once it has collected enough data, or interfere with the transmission of information in real-time over a wireless connection. Finally, data can be transmitted through the merchant's own computer networks to remote computers. Because of this, new PCI standards have evolved in response to the threat posed to both the terminal and the retailer's entire system.

The PCI Data Security Standard (PCI DSS) was introduced in 2005 and supersedes the various standards used by card schemes for the secure storage of accounts and transaction data. It applies to all processors and merchants, and effectively codifies best practice while instituting a mechanism for evaluating, testing and monitoring compliance. Administered by the PCI Security Standards Council, PCI DSS establishes a single standard of due care for data security across the payment card industry.

Payment apps: PABP

Ensuring confidence in the payment application software that runs on and interacts with the payment system is equally critical to maintaining a secure acceptance environment. Payment Application Best Practices (PABP) are a set of requirements devised by Visa that apply to software vendors who develop point-of-sale payment applications that store, process, or transmit cardholder data as a part of payment card authorisation or settlement. The requirements for PABP are based upon PCI DSS and the PCI DSS Security Audit Procedures.

Within the PABP framework, all payment applications must be certified by an independent, Visa-approved auditor in order to achieve PABP validation, which ensures that payment applications do not retain full magnetic stripe or CVV2 data (both prohibited under PCI DSS). Ensuring that all payment software is PABP-certified is a key step to achieving full PCI DSS compliance for retailers.

Since the software infrastructure within a retailer organisation handles all of the retailer's business, not just payment, there needs to be a clear understanding and appreciation of related procedures by all parties involved, including how any security solutions need to work within whole networks. By working closely with technology experts, retailers should be able to define a seamless PCI DSS compliance strategy that delivers the required security without compromising the business functions of its non-payment software and systems architecture.

Navigating standards

Alongside PCI PED, PCI DSS and PABP there's a growing alphabet soup of standards to negotiate, including Visa's Cardholder Information Security Program (CISP), MasterCard's Site Data Protection (SDP), Discover Information Security and Compliance (DISC) and American Express' Data Security Operating Policy (DSOP).

In the future, security requirements can only become more multi-layered and rigorous. The introduction of additional layers of security and authentication at the point of payment, such as biometric methods, will not eradicate the need to implement robust standards and adopt comprehensive security best practices at the point of sale.

For merchants, keeping up with the very latest developments in security mandates and ensuring the ongoing compliance of their payment systems can seem a complex and daunting task. Retailers will increasingly look to experts to help simplify compliance, and advise how best to meet those requirements while incurring minimal cost and effort. In this way, payment solution providers have a key role to play in delivering transparent security to merchants and customers, so that retailers can stay focused on their core competence.

With certifications now starting to stabilise, now is the time for banks and retailers to develop a compliance upgrade plan with trusted suppliers to avoid the fines, losses and damage to reputation that could result from any security breach. Payment solution providers who have a proactive security strategy well in advance of compliance deadlines can deliver PCI PED-approved systems that offer greater value and lower cost of ownership, increased reliability and better performance. Ensuring a secure, compliant card transaction environment doesn't need to stand in the way of innovation and new ideas, but can actually be a powerful platform for delivering an enhanced payment experience for cardholders and promoting greater overall consumer confidence.

This feature was provided by Dave Faoro, chief security officer, VeriFone. He can be contacted at Tel: +1 916 630 0550, email: dave_faoro@verifone.com, Web: www.verifone.com

PIN pad best practices

Seven actions can help merchants improve the security of their systems:

1. Immediately perform a visual inspection on every terminal. If anything appears out of the ordinary, have the unit checked by an authorised repair facility.
2. Have an inspector verify that the serial number printed on the bottom of the terminal matches the internally stored serial number.
3. Ensure all repair technicians log in and verify their identity before they examine any equipment.
4. Check PED installation. Devices should be mounted on the counter. Unplugging cables should require more than turning the unit over. Consider locking stands.
5. Review the POS-to-PED interface to determine if it tracks or identifies the serial number of the attached PED.
6. Only purchase PEDs from manufacturers or manufacturers' authorised partners. Unauthorised resellers, such as may be found on online auction sites, could be selling compromised devices.
7. Have PEDs repaired at their respective manufacturer-authorised repair centres that have completed a TG3 Key Injection audit.

Ideally, retailers need to identify the steps they need to take in the event of an incident. These include ensuring they understand how to isolate their payments system to prevent future sensitive information loss. Designating one individual to lead this effort is also advised.
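The serial-number checks in the best-practices list above (steps 2, 5 and 6), together with the approval and Triple DES deadlines the article gives, turned into a fleet audit script. This is an example added here, not VeriFone's or the article's own code; the Ped record layout, the approval labels ("PCI PED", "Visa PED", "none"), the finding texts and the sample inventory are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
# Deadlines are the ones the article states; the record layout and rule wording are assumptions.
NEW_DEVICES_PCI_PED_FROM = date(2008, 1, 1)  # newly introduced devices must be PCI PED certified
TDES_WORKING_KEYS_FROM = date(2007, 12, 31)  # IWKs/AWKs must use Triple DES after this date
NON_APPROVED_DEADLINE = date(2010, 6, 30)    # non-approved PEDs out of service by June 2010
AS_OF = date(2008, 5, 1)                     # audit date for the sample run (the article's month)

@dataclass
class Ped:
    printed_serial: str      # serial printed on the label underneath the unit (step 2)
    reported_serial: str     # serial the POS reads back over the POS-to-PED interface (step 5)
    approval: str            # "PCI PED", "Visa PED" or "none" (meets neither)
    purchased: date
    key_algorithm: str       # algorithm protecting the working keys, e.g. "3DES"
    authorised_source: bool  # bought from the manufacturer or an authorised partner (step 6)

def audit_ped(ped: Ped, today: date) -> list[str]:
    """Findings for one device against the article's rules; an empty list means it passes."""
    findings = []
    # A label/stored serial mismatch is the classic sign of a substituted (bugged) unit.
    if ped.printed_serial != ped.reported_serial:
        findings.append("serial mismatch: possible substituted device")
    # Acquirer mandate: units meeting neither Visa PED nor PCI PED must be withdrawn.
    if ped.approval == "none":
        state = "overdue" if today > NON_APPROVED_DEADLINE else "due"
        findings.append(f"non-approved PED: removal {state} (deadline June 2010)")
    # Visa PED-approved units could not be sold after 1 Jan 2008; newer units must be PCI PED.
    elif ped.approval == "Visa PED" and ped.purchased >= NEW_DEVICES_PCI_PED_FROM:
        findings.append("Visa PED unit introduced after 1 Jan 2008: must be PCI PED certified")
    # PIN Security Program: working keys must be Triple DES; single DES is retired.
    if today > TDES_WORKING_KEYS_FROM and ped.key_algorithm.upper() != "3DES":
        findings.append(f"working keys use {ped.key_algorithm}, not Triple DES")
    if not ped.authorised_source:
        findings.append("sourced outside manufacturer/authorised channel")
    return findings

def audit_fleet(fleet: list[Ped], today: date = AS_OF) -> dict[str, list[str]]:
    """Map printed serial to findings for every device that has at least one finding."""
    return {p.printed_serial: f for p in fleet if (f := audit_ped(p, today))}

# Constructed sample inventory: serials, dates and statuses are made up for this example.
SAMPLE_FLEET = [
    Ped("VF-0001", "VF-0001", "PCI PED", date(2008, 3, 1), "3DES", True),    # clean
    Ped("VF-0002", "VF-0002", "Visa PED", date(2007, 6, 1), "3DES", True),   # bought pre-2008, may stay
    Ped("VF-0003", "VF-0009", "Visa PED", date(2006, 2, 1), "3DES", True),   # serial mismatch
    Ped("VF-0004", "VF-0004", "none", date(2003, 5, 1), "DES", True),        # pre-PED, single DES
    Ped("VF-0005", "VF-0005", "Visa PED", date(2008, 2, 1), "3DES", False),  # late Visa PED, grey import
]
```

Running `audit_fleet(SAMPLE_FLEET)` lists only the three units with findings; a device that passes every check is simply absent from the report.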