Tuesday, January 13, 2009

PIN Debit and PCI Compliance

Howard Riell, in an article written for Convenience Store Decisions, writes about PCI compliance. As you'll undoubtedly notice while reading the article, PIN entry devices, or PEDs, are an integral part of PCI certification. The long and the short of it is that all PEDs must be certified by PCI-approved laboratories and encrypt PINs with Triple DES. I know how that's done with a hardware device (we're in the midst of getting our personal swiping device tested and approved for PCI compliance), but I'm not quite sure how it would/could/should be done with a software application. (See "Software Breach 92 Times More Likely Than Hardware")

Here are some snippets from the CSN story, entitled "The High Stakes Of Compliance":

It was in September 2006 that the credit card companies formed the PCI Security Standards Council in the hopes of battling fraud. Today, all merchants who accept payment card transactions must comply with the PCI Data Security Standard or face sizable penalties.  Indeed, the passing grade for PCI is 100%, which means failing even one of the criteria will bring consequences...

Editor's Note: So, it's obvious that these Triple DES mandates are an integral element of PCI compliance, and in 5+ months TDES is required on "all debit transactions." Since Jan. 1, 2008, all newly manufactured debit card processing terminals must incorporate PIN entry devices that have been certified by PCI-approved laboratories.

  • By January 2009, newly installed fuel pumps that accept debit cards must feature PCI-compliant encrypted PIN pads. See "Triple DES for GAS"
  • Manufacturers have to begin installing key pads capable of implementing a new Triple Data Encryption Standard (TDES), which requires that data be encoded several times through an encrypted PIN pad.
  • By July 1, 2009, TDES will be required for all debit transactions.
  • By June 30, 2010, all fuel dispensers will need to be able to encrypt PINs according to the TDES.

The very next day, July 1st, 2010, pumps that process debit transactions must be upgraded with encrypted PIN pads, and in-store POS terminals have to be certified as PCI-compliant. The devices must also process all debit transactions using TDES.

One of my favorite lines from the article comes from Bruce Snyder, manager of IP retail systems for 395-store Kwik Trip based in La Crosse, Wis., who instead sounds like a spokesman for Gemalto. (See "Gemalto Wants EMV in US") Apparently he doesn't like the implementation costs (retailers will need to replace outdated hardware) and thinks that as long as they have to get new equipment anyway, then V/MC and the banks should spend billions to implement EMV, and when they're done, he'll replace Kwik Trip's existing equipment with Chip and PIN readers. Problem is, it won't be Kwik...it'll be years, if they started today. (Don't hold your breath.)


“We have this silly little mag stripe that is so vulnerable and penetrable and we are building an infrastructure around it to protect the information, and a lot of people are making good money on that,” Snyder said. “With the new rulings on EPPs, if I want to continue to do debit we have to replace all of our dispenser doors and PIN pads at a huge expense to us to remain compliant. What we have to do is put in an encrypted PIN pad at the dispenser if we want to continue to do debit there.” But the new door and PIN pad will cost $1,500 per dispenser. (Ouch! Consumers can get our SwipePIN device for merely the cost of shipping and handling, which in the face of $1,500 makes for a rather compelling value proposition.)

“Start doing the math on that and now you have to make a decision: can we afford to do this? And what happens if we don’t?” Snyder said. “We need to change that method of presenting ourselves for a credit transaction and make it more secure so that we don’t have to build all of this stuff around it to try to protect a very flawed method...”


Read the complete story at Convenience Store Decisions