This article appears in the July 16, 2009, edition of ISO&Agent Weekly.
MasterCard Worldwide is calling for an immediate halt to remote updating of point-of-sale terminals that do not comply with the Payment Card Industry Security Standards Council's requirement for PIN-entry devices, according to a recent security bulletin issued by the card brand.
Terminal owners may continue to upgrade devices that comply with the PCI PIN-entry device standard via the remote key-injection process, a method often used to add Triple Data Encryption Standard, known as Triple DES, encryption to payment devices. They can update noncompliant devices capable of supporting the Triple DES standard only at a secure facility.
"In the security bulletin, MasterCard provided guidance stating that the most-secure option to upgrade the terminals is to follow PCI PIN-security requirements and have the upgrade performed at a key-injection facility," a MasterCard spokesperson said in a statement to ISO&Agent Weekly. "However, our customers and vendors can use remote key-injection services to upgrade the terminals if those services meet all aspects of the PCI PIN-security requirements."
The June 15 bulletin defines how to handle devices that predate adoption of the PCI standards, including migrating them to Triple DES, the spokesperson said.
"As we would like Triple DES to be implemented on all terminals, including pre-PCI ones, we have published this bulletin to define how that can be done with a pre-PCI device without having to go through the full PCI evaluation," said the spokesperson.
At least one POS terminal maker that offers remote key-injection services is content with the bulletin. Hypercom Corp. says it has "no issues with the MasterCard bulletin."
Hypercom has one terminal, the L4100 used at U.S. multilane merchants, that can support remote key injection, but it predates PCI adoption, according to the Scottsdale, Ariz.-based company.
Hypercom officials hope to talk to MasterCard about a compromise for its L4100 device, which the vendor believes meets the requirement for secure remote-key injection.
ISO Involvement
Remote terminal updating may appear to be a desired service for ISOs to offer their merchants, but that may not be the case for many.
Scott Rutledge, president and CEO of The Phoenix Group, an O'Fallon, Mo.-based point-of-sale equipment distributor, speculates that because there is no common method for protecting POS terminals, ISOs shy away from remote-terminal management services.
"When you look at remote encryption, it's great and it works, but in practice is it practical?" Rutledge says.
It may not be practical because putting a password onto a POS terminal may seem too complex, though the Phoenix Group and other POS-equipment distributors offer the ability to lock terminals to a specific processor or ISO.
One possibility may be to use an electronic signature on a payment terminal. This technique stores a unique digital identifier on the device, which is matched against a master file of devices before access to the device is granted.
Electronic signature may be the preferred method for locking access to terminals, but an infrastructure for it that is not based on proprietary methods does not exist, Rutledge says.
Pablo Garcia, executive vice president at Swipe Payment Solutions LLC, a Los Angeles-based ISO, found an answer in devices made by Dejavoo Systems, a Great Neck, N.Y.-based POS device maker.
The terminals are capable of receiving messages, verifying updates and generating data for customized reports, Garcia tells ISO&Agent Weekly. The devices use a Linux operating system and link to a network via a high-speed Internet connection.
"Full integration is the key," Garcia says. "The processor and terminal must work as one, and the reporting and features must match."
As the convenience and ability to create detailed transaction reporting grows in importance with the merchant, price "becomes a smaller and smaller issue," Garcia says.
Some ISOs Unaffected
In some instances, however, an ISO simply may have no need.
Approximately 90% of merchant clients at Card Solutions International are mail-order, telephone-order and online merchants, which precludes the ISO from considering a remote-terminal updating service, says Jay Broder, president of the Royal Palm Beach, Fla.-based company. "We never saw any reason to get involved that way," Broder says.
Because the majority of his merchants' transactions go through an online payment gateway, the need to worry about updating a terminal is eliminated, he says.
Gateway companies maintain the security of their payment gateways.