Payment Security Today

Look no further than recent headlines about payment security breaches and PIN pad tampering incidents involving merchants of all sizes. Sophisticated criminal organizations are targeting retailers and obtaining compromised account data with more regularity. Whether it’s fair or not, the ‘fault’ of these attacks is increasingly being placed squarely on the shoulders of merchants.

Many consumer and legislative groups are clamoring to place the cost burden fully on merchants as well. Today, being compliant with the current security standards may not be enough. Merchants need to adopt a comprehensive Payment Security Best Practices Program. The time to act is now - before you are compromised.

Maintaining consumer cardholder security has quickly migrated from being an international concern to a huge financial liability for retailers. Retailers across North America are taking steps to lower their risk by implementing credit and debit card terminals that are PCI PED approved devices, the latest security standard established by the Payment Card Industry. January 1, 2008 may not have the widespread impact that Y2K did, but for retailers it may be almost as significant. As of January 1, 2008, retailers may not purchase non-PCI PED approved systems. The card associations have mandated that retailers who deploy non-PCI PED approved terminals purchased after January 1, 2008 will be liable in the event of a card information compromise that can be traced to those systems. This liability would include consumer card losses, costs incurred by card issuers for re-issuing compromised cards, card association fines and potentially civil penalties, not to mention the potential loss of customer goodwill and business from the negative publicity.

PCI PED Requirements

  • Cryptographic control of prompting
  • Prevention of PIN monitoring
  • Deterrence of visual observation of PIN entry
  • Logical software security against tampering
  • Authentication of software applications
  • No unnecessary storage of sensitive data
  • DUKPT keys or fixed key security
  • Encryption and key management requirements
  • Credit card reader security
  • Manufacturing security and process requirements
  • Shipping security and process requirements

PCI DSS Requirements

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Encrypt transmission of cardholder data across open, public networks
  • Use and regularly update anti-virus software
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that addresses information security

PCI PED Dates to Remember

  • September 30, 2004 – Manufacturers cannot sell pre-PED products after this date
  • December 31, 2007 – Manufacturers cannot sell VISA PED products anymore
  • January 1, 2008 – Retailers can only install PCI PED approved products
  • June 30, 2010 – Pre-PED products must be removed from service

PABP Dates to Remember

  • January 1, 2008 - Merchants cannot use payment applications identified by Visa as vulnerable
  • July 1, 2008 - VisaNet processors and agents cannot grant access to their network to new payment applications that are not PA DSS certified
  • October 1, 2008 - Newly boarded level 3 or 4 merchants must prove their PCI compliance or use PA DSS-adherent payment applications
  • October 1, 2009 - Payment applications identified by Visa as vulnerable will be decommissioned from the Visa network
  • July 1, 2010 - Merchants must use PA DSS-adherent applications to accept Visa transactions

Payment Security Standards and Best Practices

  • Install PED or PCI PED approved payment devices
  • Implement PIN pad security best practices
  • Purchase only PABP (Payment Application Best Practices) Validated applications
  • Implement Payment Card Industry Data Security Standards (PCI DSS) requirements
  • Achieve compliance with each card association’s security program
  • Develop a payment system industry best practices solution
  • Prepare a security compromise response plan

VeriFone PIN Pad Security Best Practices

  • Weekly physical terminal inspection
  • Weekly verification of electronic and external serial numbers
  • Develop a process to monitor devices that consistently do not work properly
  • Securely store spare terminals
  • Daily and shift change terminal inventory
  • Repair technician ID verification and store visit log
  • Review the installation of your PIN pads
  • Implement POS software tracking of terminals
  • Change default passwords
  • Obtain terminals from authorized sources
  • Have terminals repaired at manufacturer’s authorized repair centers
  • Develop a response plan
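The weekly serial-number verification, shift-change inventory and POS software tracking items above amount to one reconciliation: the roster of terminals you expect, checked against what staff and the POS actually see. The following is an added example (not VeriFone's code) showing that reconciliation; the roster, lane names and serial numbers are constructed sample values.

```python
"""Reconcile a PIN pad roster against a shift inspection (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    lane: str
    kind: str      # MISSING, UNKNOWN_DEVICE, SERIAL_MISMATCH or MOVED
    detail: str


# Constructed roster: lane -> serial printed on the external label.
# For a genuine, unopened unit the electronic serial the device reports
# to the POS should equal the label serial.
ROSTER = {
    "lane-01": "VF-100001",
    "lane-02": "VF-100002",
    "lane-03": "VF-100003",
    "lane-05": "VF-100005",
}

# Constructed inspection: lane -> (label serial read by staff,
#                                  electronic serial reported by the POS)
INSPECTION = {
    "lane-01": ("VF-100001", "VF-100001"),   # as expected
    "lane-02": ("VF-100002", "VF-200777"),   # electronics differ from label
    "lane-04": ("VF-100003", "VF-100003"),   # lane-03 unit on an unrostered lane
}                                            # lane-05 not seen at all


def reconcile(roster, inspection):
    """Return findings that warrant follow-up under the response plan."""
    findings = []
    label_to_lane = {serial: lane for lane, serial in roster.items()}
    for lane, (label, electronic) in sorted(inspection.items()):
        if label != electronic:
            findings.append(Finding(lane, "SERIAL_MISMATCH",
                                    f"label {label} vs electronic {electronic}"))
        if label not in label_to_lane:
            findings.append(Finding(lane, "UNKNOWN_DEVICE",
                                    f"serial {label} not in roster"))
        elif label_to_lane[label] != lane:
            findings.append(Finding(lane, "MOVED",
                                    f"{label} rostered at {label_to_lane[label]}"))
    seen = {label for label, _ in inspection.values()}
    for lane, serial in sorted(roster.items()):
        if serial not in seen:
            findings.append(Finding(lane, "MISSING", f"{serial} not seen this shift"))
    return findings
```

A device whose electronic serial no longer matches its label, or that turns up on a lane it was never issued to, is exactly the case the weekly inspection exists to catch, so each finding should feed the response plan rather than be cleared on the spot.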

VeriFone has formed strategic partnerships with ArcSight and Trustwave to enable our retail and petroleum markets to proactively protect cardholder data against breaches, insider threats and non-compliance risk across the Payment Card Industry Data Security Standards (PCI DSS) rules and regulations. VeriFone’s salesforce will work closely with both ArcSight and Trustwave to introduce merchants from the VeriFone customer base that can directly benefit from their PCI protection services.

ArcSight

The ArcSight PCI Protection Suite is a comprehensive, scalable and cost-effective solution for protecting cardholder data and monitoring ongoing PCI compliance. Level 1 and 2 merchants across the retail, transportation, telecommunications, medical, and financial markets have already selected the ArcSight PCI Protection Suite to secure their customers against the growing global threats to cardholder identity and data privacy. Level 1 and Level 2 merchants that are interested in the solution can contact either their VeriFone or ArcSight local representative.

Trustwave

Trustwave’s Trustkeeper service is a web-based portal to assist retailers in becoming and remaining PCI compliant. The portal includes simplified PCI Data Security Standard Self-Assessment Questionnaires as well as monthly network vulnerability scans. Trustwave also offers a complete array of payment security services including PABP certifications, PCI DSS audits and investigations. For more information contact your VeriFone account representative.

GET MORE

VeriFone is committed to helping provide the information you need regarding secure PCI PED approved systems.

If you have any questions on payment security, please email us.