Thursday, December 27, 2007
On Jan. 1, 2008, manufacturers will no longer be able to sell PIN entry devices (PEDs) that do not comply with the higher standards imposed by the Payment Card Industry (PCI) Security Standards Council through the PCI Data Security Standard (DSS) and the Payment Application DSS (PA DSS). And acquirers may no longer provide to merchants PEDs and applications that are not PCI compliant.
The stricter rules are designed to make it prohibitively expensive to tamper with or otherwise compromise PEDs, creating an extra barrier against hacking attacks on bankcard processing systems. It is expected this added protection will make security breaches, such as the one that occurred at TJX Companies Inc., difficult to accomplish.
The regulation taking effect Jan. 1 states that VisaNet processors (VNP) and other agents cannot certify new payment applications to their platforms if they are not compliant with PA DSS. Automated teller machines (ATMs) will also need to employ PCI-certified encrypting PIN pads. Any machine installed before Jan. 1, 2008, with a valid Visa PED certification will not be affected.
VeriFone stated it has been preparing for Jan. 1, 2008, for the past two years, making sure its equipment is updated with the latest in security standards. (For more information, see "Forging ahead with PCI PED," by Bulent Ozayaz, The Green Sheet, May 14, 2007, issue 07:05:01.)
Parties who are identified as noncompliant will face penalties. Visa Inc. will fine offenders $5,000 to $25,000. MasterCard Worldwide has established a set fine of $10,000 for each offense.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.