New PIN Terminal Standards Developed to Boost Security

ATM&Debit News


The payments industry has established regulations aimed at boosting security at point of sale terminals, especially to make it harder to steal cardholder data.

PCI PIN and PCI PED, the new Payment Card Industry regulations for PIN debit and for PIN entry devices, add more stringent security requirements to Visa U.S.A. Inc.'s PED standards, which have been in place since January 2004, according to Paul Rasori, the vice president of global product marketing for VeriFone Inc. of San Jose.

The revised standards also include more rigorous testing of terminals to ensure they can withstand attacks.

Acquirers will be able to purchase and deploy Visa terminals that comply with the old standards until Dec. 31; all devices purchased and deployed starting next year must comply with the new standards.

Visa, MasterCard Inc., and JCB Co. Ltd., Japan's largest credit card issuer and processor, worked together to develop the PCI PED requirements but will soon turn over responsibility to the PCI Security Standards Council, which is made up of members from Visa, MasterCard, JCB, American Express Co. and Discover Financial Services LLC, said Bob Russo, the general manager of the Wakefield, Mass., council.

Soon it will manage both the PCI PED and the data security standard that covers other card industry issues.

Terminal makers have been preparing for the deadline by updating their products and introducing PCI PED-compliant models.

PCI PED includes enhanced security measures covering terminals' physical and functional characteristics, said Grant Drummond, the director of marketing communications at the French payment terminal maker Ingenico Group.

However, Russ Dhooge, the vice president for unattended payment solutions at Hypercom Corp., said that the standards don't include any engineering guidance for how to implement these requirements; manufacturers must develop their own methods to ensure their terminals comply with the standards.

Vendors must submit their devices for PCI PED testing. In the past, labs "took vendors' word that something would withstand an attack; now they test it by attacking it," Mr. Rasori said. The devices must be able to deter reasonable levels of attack and prevent the release of confidential information.

"The movement from nonapproved devices to Visa PED is a significant jump in protection," Mr. Rasori said. Moving to the new standards "is another significant jump."

Bruce Cundiff, a senior analyst with Javelin Strategy and Research of Pleasanton, Calif., said that even though security standards are increasing, merchants shouldn't be lulled into feeling safe. "PCI compliance is necessary, but there is always something else the merchant has to do to protect terminals from attacks," such as physical monitoring.

Criminals always will try new tactics, he said.

According to Mr. Rasori, there are three types of terminals available now: nonapproved systems, which do not meet any regulations and must be phased out by 2010; pre-PCI, which, according to Visa and MasterCard requirements, cannot be sold or deployed after Dec. 31; and PCI PED, the only ones that can be sold and deployed after Jan. 1.

Merchant acquirers who purchase and deploy pre-PCI devices after the Dec. 31 deadline will not have liability protection from PIN breaches, and they can be held accountable for any compromised data.

Pre-PCI devices deployed before Dec. 31 will be grandfathered in, Mr. Drummond said.

Terminal makers are preparing for the Dec. 31 deadline by updating product lines and monitoring pre-PCI inventory, he said. "We've been judiciously managing the inventory [of pre-PCI products] and expect to be close to depletion for the end of the year."

Mr. Rasori said that the process of updating terminal designs has been lengthy and expensive for some manufacturers. "The change from Visa PED to PCI PED is huge," and a lot of time and money went into re-engineering VeriFone's products to meet the new regulations.

According to Mr. Russo, the specifications for the new standards will be reassessed every three years, or as needed, and will be updated if necessary.

Mr. Rasori said the next version of the PCI requirements, PCI 2.0, likely will be announced next year. That version has been out for review so vendors can prepare for compliance, he said.

Mr. Cundiff said the ongoing challenge for the council is to balance heightened security regulations with a viable certification process for terminal manufacturers.

Some manufacturers say that updating regulations can shorten products' life spans.

"Every time a new security level is entered, it deletes an old one. Eventually all old product needs to come out of the field," Mr. Dhooge said.

Mr. Drummond said, "Realistically, we're looking at four to five years for each product, depending on the regulations."

However, Mr. Russo said that once a product is approved, it will not need updating for six years, even if regulations change, so manufacturers will not need to update products too often.
