Visa PED Approval and 3DES Capability By Michael W. English
Visa established the Visa PIN Entry Device (PED) Approval Program to protect the growing number of personal identification number (PIN)-based transactions and to prepare for the widespread issuance of chip-based cards. The following information provides insight into the Visa PED program requirements for a PIN entry device being used in the United States.
Does the regulation affect all payment terminals?
The Visa PED requirement applies to devices that accept PIN entry for online debit transactions. It also applies to attached devices or devices that accept smart cards for payment acceptance and use PIN entry to validate the cardholder.
Examples of Visa PED requirements:
- The device must prevent undetected modifications that would allow a hacker to place anything into the device that would read PINs as they are entered.
- If the device has tamper detection features, it must be impossible to disable them even if a hacker drills up to four holes in the casing. Once any or all of the switches are triggered, the PIN pad must erase its keys.
- It must be impossible to determine which keys are pressed by detecting differences in sound or even electrical fields.
- Any PIN pad that uses MasterSession must limit the maximum frequency of PIN entries so that finding a PIN by exhaustively trying all PIN combinations is infeasible.
- The PIN pad must not allow unauthorized access entry to a "clear prompt sequence." (For example, the ability to change a prompt for a zip code to a request for PIN.)
- The PIN pad must not allow its program code to be altered.
What is meant by "the PIN is in the clear?"
Once the PIN is entered on a PIN entry device, the PIN must immediately be encrypted by the device and remain encrypted until it arrives at the Host Security Module (usually found at the debit processor's secure data center) for validation. If the PIN travels through the network or within the PIN entry device unencrypted, it is said to be "in the clear" and thus potentially accessible for unauthorized viewing.
DES and 3DES
An IBM team developed the data encryption standard (DES) in 1974; it was adopted as a national standard in 1977. Triple DES, or 3DES, is a variation of this standard and is 72 quadrillion times more secure than DES when used properly. 3DES is simply another mode of DES. The procedure for encryption is exactly the same as with DES, but it is repeated three times, hence the name 3DES. The data are encrypted with the first key, decrypted with the second key and finally encrypted again with the third key.
This process creates an encrypted PIN that is unbreakable with today's code-breaking techniques and available computing power, while still being compatible with DES. Visa requires that all new PIN entry devices be 3DES-capable and Visa PED-approved.
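The encrypt-decrypt-encrypt chain described above, as an added example in Go (this is not code from the article or from Ingenico): it composes three single-DES operations from the standard library's crypto/des package, checks that the result matches the library's own TripleDES implementation, and shows that when all three keys are equal the construction collapses to plain DES, which is the compatibility with DES the text refers to. The keys and the 8-byte block are constructed sample values; the only real value is the widely published DES known-answer vector (key 0123456789ABCDEF, plaintext "Now is t").

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// mustHex decodes a hex string or panics; used only for fixed sample values.
func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// TripleDESEDE applies the encrypt-decrypt-encrypt construction from the text
// by composing three single-DES operations: encrypt under k1, decrypt under
// k2, encrypt under k3. Each key is 8 bytes; block is one 8-byte DES block.
func TripleDESEDE(k1, k2, k3, block []byte) ([]byte, error) {
	if len(block) != des.BlockSize {
		return nil, fmt.Errorf("block must be %d bytes, got %d", des.BlockSize, len(block))
	}
	c1, err := des.NewCipher(k1)
	if err != nil {
		return nil, err
	}
	c2, err := des.NewCipher(k2)
	if err != nil {
		return nil, err
	}
	c3, err := des.NewCipher(k3)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	c1.Encrypt(out, block) // E(k1)
	c2.Decrypt(out, out)   // D(k2): when k2 == k1 this undoes the first step
	c3.Encrypt(out, out)   // E(k3)
	return out, nil
}

// MatchesLibrary checks that the hand-composed EDE result equals what the
// standard library's TripleDES cipher produces for the same 24-byte key bundle.
func MatchesLibrary(k1, k2, k3, block []byte) (bool, error) {
	ours, err := TripleDESEDE(k1, k2, k3, block)
	if err != nil {
		return false, err
	}
	bundle := make([]byte, 0, 3*des.BlockSize)
	bundle = append(bundle, k1...)
	bundle = append(bundle, k2...)
	bundle = append(bundle, k3...)
	tdes, err := des.NewTripleDESCipher(bundle)
	if err != nil {
		return false, err
	}
	theirs := make([]byte, des.BlockSize)
	tdes.Encrypt(theirs, block)
	return bytes.Equal(ours, theirs), nil
}

// ReducesToSingleDES shows the backward compatibility the text mentions: with
// k1 == k2 == k3 the middle decryption cancels the first encryption, so 3DES
// yields exactly the single-DES ciphertext for that key.
func ReducesToSingleDES(k, block []byte) (bool, error) {
	triple, err := TripleDESEDE(k, k, k, block)
	if err != nil {
		return false, err
	}
	single, err := des.NewCipher(k)
	if err != nil {
		return false, err
	}
	want := make([]byte, des.BlockSize)
	single.Encrypt(want, block)
	return bytes.Equal(triple, want), nil
}

// KnownAnswer validates the composition against a published DES test vector:
// key 0123456789ABCDEF, plaintext "Now is t" -> ciphertext 3FA40E8A984D4815.
func KnownAnswer() bool {
	k := mustHex("0123456789abcdef")
	got, err := TripleDESEDE(k, k, k, []byte("Now is t"))
	return err == nil && bytes.Equal(got, mustHex("3fa40e8a984d4815"))
}

func main() {
	// Constructed sample values (not real keys): three distinct 8-byte DES keys
	// and one 8-byte block standing in for an already-formatted PIN block.
	k1 := mustHex("0123456789abcdef")
	k2 := mustHex("fedcba9876543210")
	k3 := mustHex("89abcdef01234567")
	block := []byte("PIN-BLCK")

	ct, _ := TripleDESEDE(k1, k2, k3, block)
	fmt.Printf("3DES(EDE) ciphertext: %x\n", ct)
	same, _ := MatchesLibrary(k1, k2, k3, block)
	fmt.Println("matches crypto/des TripleDES:", same)
	compat, _ := ReducesToSingleDES(k1, block)
	fmt.Println("k1=k2=k3 reduces to single DES:", compat)
	fmt.Println("DES known-answer vector passes:", KnownAnswer())
}
```

The middle step is a decryption precisely so that a 3DES device loaded with one key repeated three times interoperates with a single-DES host; the security gain only exists when the keys actually differ.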
What risk does the merchant assume by not complying with the Visa PED program?
Neither Visa nor MasterCard has contracts for authorization and processing services with retailers. All agreements regarding authorization and processing services are written between the retailer and the acquiring institution.
Liability for PIN entry fraud is passed from the card associations to the acquiring financial institution. The acquiring financial institution has the option of passing the losses on to the merchant. If the merchant has prior knowledge that the PIN pads were compromised or might easily be compromised, and continued using them, the merchant may bear liability for the fraudulent charges.
PED compliance dates
Per Visa, terminal providers may only sell and distribute Visa PED-approved PIN entry devices as of Jan. 1, 2004. Those distributors, acquirers and sales agents that have inventory of non-PED-approved devices on Jan. 1, 2004 are able to ship, install and use those devices with no penalty.
After Jan. 1, 2010, all PIN entry devices installed within the United States must be PED-compliant. 3DES capability is included in the evaluation that Visa's sanctioned testing facility performs for PED compliance. For more information about Visa PED, compliance dates and approved products, visit http://international.visa.com/fb/vendors/pin/main.jsp
Visa PED and 3DES support
Ingenico and the vast majority of terminal providers support the initiatives for increased PIN entry security being instituted by Visa and MasterCard. Terminal providers offer several products listed on Visa's approved-products Web site. All Ingenico PIN-entry products from this point forward will be Visa PED-approved. We believe this is important to protect our customers and the consumers that shop in your stores.
Ingenico's PED security has always led the market. The majority of our PIN pads are certified to work in the Canadian marketplace under the security guidelines established by INTERAC and are also used in Northern Europe where security regulations are among the most stringent in the world.
Michael W. English is Ingenico's Director of Marketing and Communications. You can e-mail him at menglish@ingenico-us.com