Don't Be Bashful About Security at the POS

By Rob Regan

Many people are complacent about letting older POS terminals and PIN Entry Devices (PEDs) live out long, useful lives. Thanks to a regulation that took effect Jan. 1, 2004, new POS PEDs had to be evaluated by a Visa-recognized laboratory for approval by Visa. MasterCard had its own evaluation program in place, known as the Compliance Assessment and Security Testing Program (CAST).

However, older POS equipment already installed does not have to be upgraded to meet PED standards for Visa or MasterCard until July 1, 2010.

(Editor's Note: As of July 15, 2004, Visa U.S.A. and MasterCard International aligned their PED security requirements, so that manufacturers must meet only one set of standards. The Associations agreed to a standard methodology for equipment testing and approval, known as the Payment Card Industry [PCI] alignment initiative. PCI allows acquirers to retain their protection from liability for PIN compromises with both Visa and MasterCard.

Laboratories must be ready to evaluate PEDs according to the new standards no later than Oct. 1, 2004; after that date, the labs will only evaluate PEDs to meet PCI requirements. Acquirers must deploy PEDs that have passed a laboratory evaluation and are approved by the central approval center.

For further information, visit the following Web site: http://international.visa.com/fb/vendors/pin/main.jsp)

As security becomes an ever increasing concern among consumers, and as organized criminals shift their focus away from international markets where EMV-standardized smart cards have taken hold, there is opportunity for ISOs/MLSs to help merchants understand the urgency to migrate to newer, more secure POS equipment.

Many merchants reason that their current equipment works, so why replace it? That's where the top ISOs/MLSs can step in, educating merchants about a number of significant reasons they should move more aggressively to replace older PEDs.

It seems that every week you can pick up a big city newspaper and find a story about the latest effort to hack Microsoft's Internet Explorer; "phishers" looking for consumer financial account numbers; or the misery of people who had their identities stolen by crooks who end up destroying their credit rating. Fraud in the high-tech age is big news, and when it reaches into the consumer's pocketbook and is associated with a particular merchant, it creates indelible impressions that can take years to erase.

Whether we're dealing with neighborhood "moms-and-pops" or a national big box chain, the biggest asset of any merchant is the goodwill of its customers. For the little guy, it can mean the difference between somebody buying milk at his corner store or the next one up the street. For the big guy, it can be a huge factor in whether the corporate "brand" is highly valued or disparaged.

You should be aware of the latest updates on security and the latest threats to POS equipment and be able to explain them all knowledgeably. Merchants must understand the potential goodwill liability they might face if they continue to use equipment that has been compromised.

Card skimming is one of the most common types of fraud. Skimming involves making a copy of a card's mag-stripe data and using that "skimmed" data to create a bogus card. Crooks then charge hundreds or thousands of dollars to the cardholder's account before he or she receives the next monthly statement. One of the most common locations for card skimming is restaurants, where dishonest servers use pocket devices to read and capture the card data before returning it to the cardholder.

Restaurants can go a long way toward making their customers feel more secure by using hand-held POS devices with a WiFi Internet connection. The entire card payment transaction takes place while the server is standing at the table in the customer's presence. This practice, which is already common in many international markets, keeps the card in the consumer's sight and possession at all times, and frees the restaurateur from the prospect of employees committing fraud.

Another primary factor for moving early to replace installed equipment is to ensure that merchants are ready for future mandates to implement Triple Data Encryption Standard (3DES). In fact, by 2010, the card Associations have mandated that all PEDs must incorporate 3DES encryption. But it is not a stretch to imagine that any major single event or series of breaches involving less protected equipment will result in requirements for speedier retrofitting of older equipment.

Taking advantage of the computing power that now exists on affordable PC workstations, the criminals have designed programs that automatically try for hours or days at a time to discover PIN combinations or security keys used to protect critical data. The risk of losses is substantial (in the trillions of dollars) and growing larger each year.

With that much money being processed at the POS and switched across payment networks, it has attracted the interest of some very savvy criminals, all focused on finding any weakness that would make it possible to intercept some of those dollars. 3DES makes recovering the cryptographic keys harder by applying the DES operation three times and using more than one key.

There have already been a number of instances where older PIN pads have been compromised with tapping devices that are designed to capture account and PIN information. These attacks often involve "insider" cooperation, with the criminals paying a clerk to turn a blind eye to the changes to their hardware.

This type of fraud is extremely difficult for merchants to prevent if they aren't onsite all day. It's often devastating for merchants to be associated with this type of criminal activity; it can result in the looting of checking and savings accounts. Fortunately, a simple and inexpensive upgrade to the most current and secure PEDs can make it virtually impossible for criminals to modify the devices and commit fraud.

So the next time you see an old PIN pad or POS terminal on a merchant's counter, instead of shying away from the equipment sale, use your knowledge of the standards and security issues to be a truly consultative sales professional. You will increase your direct earnings and earn the gratitude of a merchant who will rest easier about the possibility of fraud being committed in and against their business.

Robert W. (Rob) Regan currently serves as VeriFone's Director of Product Strategy, Global Financial Channels, reporting to the Vice President of Marketing. He is responsible for leading VeriFone's core product solution strategy, and managing VeriFone's relationships with card issuing associations. You can reach him at rob_regan@verifone.com.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
© 2004, The Green Sheet, Inc.