Payment Security at the Pump

PCI PED Requirements

• Cryptographic control of prompting
• Prevention of PIN monitoring
• Deterrence of visual observation of PIN entry
• Logical software security against tampering
• Authentication of software applications
• No unnecessary storage of sensitive data
• DUKPT keys or fixed key security
• Encryption & key management requirements
• Credit card reader security
• Manufacturing security & process requirements
• Shipping security & process requirements

PCI DSS Requirements

• Install and maintain a firewall configuration to protect cardholder data
• Do not use vendor-supplied defaults for system passwords and other security parameters
• Do not use vendor-supplied defaults for system passwords and other security parameters
• Encrypt transmission of cardholder data across open, public networks
• Use and regularly update anti-virus software
• Develop and maintain secure systems and applications
• Restrict access to cardholder data by business need-to-know
• Assign a unique ID to each person with computer access
• Restrict physical access to cardholder data
• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes
• Maintain a policy that addresses information security

PCI PED Dates to Remember

• September 30, 2004 – Manufacturers can not sell pre-PED products after this date
• December 31, 2007 – Manufacturers can not sell VISA PED products anymore
• January 1, 2008 – Retailers can only install PCI PED approved products
• June 30, 2010 – Pre-PED products must be removed from service
• July 1, 2010 - All existing fuel dispensers need to support the Triple Data Encryption Standard (TDES) which is required for PCI certification and mandatory in all automated fuel dispensers

PABP Dates to Remember

• January 1, 2008 - Merchants cannot use payment applications identified by Visa as vulnerable.
• July 1, 2008 - VisaNet processors and agents cannot grant access to their network to new payment applications that are not PA DSS certified.
• October 1, 2008 - Newly boarded level 3 or 4 merchants must prove their PCI compliance or use PA DSS-adherent payment applications.
• October 1, 2009 - Payment applications identified by Visa as vulnerable will be decommissioned from the Visa network.
• July 1, 2010 - Merchants must use PA DSS-adherent applications to accept Visa transactions.

Payment Security Standards and Best Practices

• Install PED or PCI PED approved payment terminals
• Implement PIN pad security best practices
• Purchase PABP (Payment Application Best Practices) applications
• Implement Payment Card Industry Data Security Standards (PCI DSS) requirements
• Achieve compliance with each card association’s security program
• Develop a payment system industry best practices solution
• Prepare a security compromise response plan

VeriFone PIN Pad Security Best Practices

• Weekly physical terminal inspection
• Weekly verification of electronic and external serial numbers
• Develop a process to monitor devices that consistently do not work properly
• Securely store spare terminals
• Daily and shift change terminal inventory
• Repair technician ID verification and store visit log
• Review the installation of your PIN pads
• Implement POS software tracking of terminals
• Change default passwords
• Obtain terminals from authorized sources
• Have terminals repaired at manufacturer’s authorized repair centers
• Develop a response plan

Payment Security at the Pump - VeriShield DSS

VeriShield Protect — New technology now provides non-PIN payment cards with encryption capabilities to shield retailers from assaults on card holder data.

Storage and handling of credit card data by retailers represents a constant threat of fraud and identity theft, creating tremendous risk of financial and reputation losses. Card association requirements for storage of card information are at odds with retailer concerns about potential liability from security breaches, creating tremendous tension. The NRF recently complained to the PCI Council over card data storage requirements under PCI, noting that “it is unlikely PCI will ever be able to keep pace with the continually-evolving sophistication of the professional hacker, or anticipate every possible variation of future attacks.”

VeriFone’s VeriShield Protect is a turn-key solution to provide non-PIN card account information with the same level of security afforded PIN entry devices. This solution is available exclusively from VeriFone and is currently enabled across the MX800 Series of payment devices.