Wednesday, August 19, 2009

End-to-End Encryption: What’s Next?

While end to end encryption solutions like VeriShield Protect are valuable tools for retailers looking to protect their customers’ cardholder data, even more benefits are on the horizon.

The PCI Security Standards Council has engaged PricewaterhouseCoopers to study how new payment security technologies affect the protection of cardholder data and the achievement of PCI DSS compliance.

The study, currently underway, is expected to recommend that if a true, secure end to end encryption scheme is implemented, many of the PCI DSS requirements would be met.

George Peabody of the Mercator Group estimates that retailers will save 80% of their on-going compliance costs and 75% of their PCI DSS audit costs by implementing a true end to end encryption solution like VeriShield Protect. In his analysis, that would translate to between $262,500 and $1,750,000 in annual savings to a retailer.

VeriShield Protect Offers Benefits Beyond End to End Encryption of Cardholder Data

In addition to the obvious benefits of encrypting cardholder data throughout a retailer’s enterprise, VeriShield Protect can assist retailers in improving the security of their systems and achieving PCI DSS compliance in many other ways.

While the PCI DSS requirements do not require cardholder data to be encrypted across private networks, retailers are challenged to maintain compliance with PCI DSS, and protection against breaches, 24x7 across their vast, geographically dispersed networks. Exploiting gaps in compliance or other weaknesses in retailers’ systems, criminals have been able to install malware on retailers’ systems to capture cardholder data in transit. In the cat and mouse game of data theft and data protection, most retailers now realize that they need to protect cardholder data at all points in their systems, including data in motion during the authorization approval process. To protect cardholder data in transit, retailers often turn to solutions other than end to end encryption, like SSL connections between devices or software-based encryption schemes within their POS systems.

This presents challenges for many retailers, however. Retailers in any of the following situations may find it difficult, if not impossible, to provide the additional cardholder data protection they need to properly shield their customers from the impact of a data breach. These challenges include:

· Retailers with older POS platforms
· Retailers who have mixed POS systems across their chain
· Retailers who are planning POS system upgrades in the next year or two
· Retailers who use public broadband networks for store communications
· Retailers with franchisees that make implementation of common systems difficult

The VeriShield Protect end to end encryption solution can overcome all of these challenges with a minimum of effort or disruption to the existing POS and store systems infrastructure.

Older systems with low processing bandwidth often cannot handle the processing overhead required to support encrypting communications between both the payment terminal and POS terminal, and between the POS terminal and the store server or host computer with SSL. In addition, older payment terminals and the DOS-based POS systems that are still installed usually cannot support SSL at all. VeriShield Protect, which does the encryption in the tamper-resistant security module (TRSM) within the payment terminal, overcomes the SSL limitation of older systems. And because VeriShield Protect uses Format Preserving Encryption (FPE), no changes are required to the POS systems in order to implement it.

Another challenge retailers are often faced with is the need to support multiple POS systems across their stores – due to store or chain acquisitions, different POS systems in different brands, or multi-year POS upgrades, often tied to store remodels. The challenge is the potential cost of implementing a data in transit protection scheme multiple times across each platform. Again, the Format Preserving Encryption of VeriShield Protect solves this problem because it can be implemented across different POS systems without the need to change the POS system software.

In a similar fashion, VeriShield Protect can solve the challenge faced by retailers who plan to upgrade their POS system in a few years. These retailers are often reluctant to implement changes on their existing POS systems, knowing the life of such a project will be short, and they may prefer to spend their resources getting a new POS system ready to deploy. Because VeriShield Protect can be implemented without any required POS changes, it is a great solution for retailers who want to protect their current system today and then use the same solution for their new POS system in the future.

While most retailers use private networks, many find that using the public broadband infrastructure meets their requirements. PCI DSS requires that cardholder data which traverses public networks must be encrypted. VeriShield Protect, with its transaction monitoring capability and its secure key management functionality, is an excellent way to meet this requirement without any impact on POS systems.

Retailers with franchise operators often face the most challenges of all. They may have multiple POS systems used by their operators and different systems in use in corporate stores. It is not uncommon for these retailers to have some operators access their network over a public broadband architecture. And finally, getting all of the franchise operators to implement common POS or store systems at the same time is usually impossible. By implementing a common payment terminal that supports VeriShield Protect across all corporate and franchise locations, retailers with franchise locations can ensure that their customers’ cardholder data will be protected whether they pay in a corporate or franchise owned store.

The VeriShield Protect solution provides a wide range of benefits for all entities in the payment chain.

First, VeriShield Protect allows retailers to cost-effectively address three of the most difficult and expensive PCI DSS requirements:
· Requirement 3: Protect stored cardholder data
· Requirement 4: Encrypt transmission of cardholder data across open, public networks
· Requirement 5: Restrict physical access to data

Among the other key benefits are:
· Cardholder data is never exposed in the clear in the POS Environment
· Real-time monitoring improves encryption compliance and reduces the impact of costly audits, loss-prevention methods, and potential breaches
· There’s little or no impact on current POS systems and payment networks—no degradation of performance, and no changes required for most existing software
· BIN range checking continues to function as is, and nonpayment cards can be processed without encryption, if desired
· Cardholders are not impacted
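To show what the format preservation described above and the "BIN range checking continues to function" point mean in practice, here is an added example (not VeriFone's code and not VeriShield Protect's algorithm): an FFX-style Feistel network over decimal digits, keyed with HMAC-SHA256, that encrypts only the middle digits of a PAN so the result is still a numeric string of the same length with the original BIN and last four, plus a stand-in for the kind of validation a legacy POS performs. The PAN, key and BIN range used are constructed test values, and the round function is an illustrative choice, not NIST FF1.

```python
import hashlib
import hmac

ROUNDS = 10  # Feistel rounds (illustrative construction, not NIST FF1)

def _prf(key: bytes, rnd: int, other_half: str, m: int) -> int:
    """Keyed round function: HMAC-SHA256 over (round, other half), reduced mod 10^m."""
    mac = hmac.new(key, f"{rnd}:{other_half}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (10 ** m)

def fpe_digits(key: bytes, digits: str, encrypt: bool = True) -> str:
    """Map a decimal string to another decimal string of the same length (and back)."""
    if not (digits.isdigit() and len(digits) >= 2):
        raise ValueError("need at least two decimal digits")
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    if encrypt:
        for i in range(ROUNDS):
            m = len(a)
            c = (int(a) + _prf(key, i, b, m)) % (10 ** m)
            a, b = b, str(c).zfill(m)
    else:  # undo the rounds in reverse order
        for i in reversed(range(ROUNDS)):
            m = len(b)
            c = (int(b) - _prf(key, i, a, m)) % (10 ** m)
            a, b = str(c).zfill(m), a
    return a + b

def _split(pan: str, prefix: int, suffix: int):
    if not pan.isdigit() or len(pan) - prefix - suffix < 2:
        raise ValueError("PAN too short for the chosen clear prefix/suffix")
    return pan[:prefix], pan[prefix:len(pan) - suffix], pan[len(pan) - suffix:]

def protect_pan(key: bytes, pan: str, prefix: int = 6, suffix: int = 4) -> str:
    """Encrypt the middle digits; BIN and last four stay in the clear for routing and receipts.
    Caveat: the Luhn check digit is not preserved by this construction."""
    head, middle, tail = _split(pan, prefix, suffix)
    return head + fpe_digits(key, middle, True) + tail

def unprotect_pan(key: bytes, pan: str, prefix: int = 6, suffix: int = 4) -> str:
    """Recover the original PAN on the host side that holds the key."""
    head, middle, tail = _split(pan, prefix, suffix)
    return head + fpe_digits(key, middle, False) + tail

def legacy_pos_accepts(pan: str, bin_low: str = "400000", bin_high: str = "499999") -> bool:
    """Stand-in for existing POS validation: all digits, 13 to 19 long, BIN in a configured range."""
    return pan.isdigit() and 13 <= len(pan) <= 19 and bin_low <= pan[:6] <= bin_high
```

In a real deployment the key never reaches the POS; the page's point is that the POS only ever sees the protected string, which passes the same checks as a clear PAN.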

For more information about VeriShield Protect and End-to-End Encryption, visit our web site www.verifone.com/verishield and download two white papers: “Protecting Cardholder Information: The Elusive Goal” and “Understanding End-to-End Encryption.”

California Financial Code and PCI Touchscreen Requirements

There has been some confusion in the market about how to meet the California Financial Code requirements and still meet PCI requirements on touch screen terminals. This bulletin is intended to clear that confusion up.

The California Financial Code requires that retailers provide tactile keypads to allow PIN entry for sight impaired individuals. While California is the only state with this law, and the federal regulations at the moment do not require this, several organizations have pushed national retailers to make the same accommodations. These organizations include the American Council for the Blind and the American Federation for the Blind, and in some cases those groups’ state organizations. Several retailers have negotiated settlements with these groups after legal action was initiated. The most recent was Target, which settled on May 14th this year. In that case, Target agreed to upgrade every payment device to have a tactile keypad. The California Financial Code requires retailers to have a tactile keypad at every lane, except those retailers with just two lanes, who are allowed to have a tactile keypad in only one of those two lanes.

While the California law does not spell out specifics for the keypad, the associations for the blind, and the Federal Code call out several very specific requirements including the number layout, the raised dot on the 5 key, and the colors and raised symbols on the clear, enter and cancel keys. VeriFone products with keypads such as the MX 800 Series, the PP1000SE and the Vx 810 all meet these requirements.

The PCI Security Standards Council is concerned with the integrity of the payments system, not its accessibility to persons with disabilities. That is why the PCI PED requirements do allow a virtual PIN Pad on touch screen only terminals. While it was not spelled out in the early PCI PED requirements, the more current versions clearly state that overlays of any kind are not allowed on touch screens. This includes both keypad overlays which would provide accessibility to sight impaired individuals as well as protective overlays. The reason for this is the potential for criminals to embed technology within any kind of touch screen overlay that could be used to capture an individual’s PIN. Whether this is a real or perceived threat, both MasterCard and Visa have confirmed that any kind of overlay on a touch screen device is not PCI compliant.

Retailers wanting to meet PCI requirements as well as provide access to sight impaired individuals have two choices: first, install a product that has a tactile keypad built in, like the MX830, MX850, MX860 or MX870; or second, for products with touch screen only keypads, add an attached PIN Pad like the PP1000SE.

Thursday, August 13, 2009

Tactile PIN Debit Keypads required in all stores by 1/1/10.

Several years ago, the California Legislature passed Financial Code 13082, which requires all point-of-sale devices that have a touch screen keypad to also offer a tactile keypad to allow visually impaired individuals to enter their PIN securely. As of January 1, 2010 all retailers must comply with this law, which requires all retailers with more than 2 such devices to equip each one with a tactile keypad, and those with 2 lanes or less to equip one such device.

The actual text of the California law follows.


California Financial Code 13082
Sourced at: http://www.leginfo.ca.gov/calaw.html

(a) Whenever a point-of-sale system is changed or modified to include a video touch screen or any other nontactile keypad, the point-of-sale device that would include the video touch screen or nontactile keypad shall also be equipped with a tactually discernible numerical keypad similar to a telephone keypad containing a raised dot with a dot base diameter between 1.5 millimeters and 1.6 millimeters and a height between 0.6 millimeters and 0.9 millimeters on the number 5 key that enables a visually impaired person to enter his or her own personal identification number or any other personal information necessary to process the transaction in a manner which provides the opportunity for the same degree of privacy input and output available to all individuals.

(b) (1) On or before January 1, 2010, any existing point-of-sale system, except as provided in paragraph (2), that includes a video touch screen or any other nontactile keypad shall also be equipped with a tactually discernable keypad as described in subdivision (a).
(2) At locations equipped with two or less point-of-sale machines, only one point-of-sale machine shall be required to be equipped with a tactually discernible keypad on or before January 1, 2010, as described in subdivision (a).

(c) On and after January 1, 2006, a manufacturer or distributor shall be required to offer for availability touch screen or other nontactile point-of-sale devices to be used and sold in this state that are equipped with tactually discernible keypads as described in subdivision (a) that enable a visually impaired person to enter his or her own personal identification number or any other personal information necessary to process a transaction in a manner that ensures personal privacy of the information being entered.

(d) As used in this section, "point-of-sale device" includes any device used by a customer for the purchase of a good or service where a personal identification number (PIN) is required, but does not include the following:
(1) An automated teller machine as defined in subdivision (c) of Section 13020.
(2) A point-of-sale device that is equipped to, or exclusively services, motor fuel dispensers.

(e) This section shall not be construed to preclude or limit any other existing right or remedy as it pertains to point-of-sale devices and accessibility.

Wednesday, August 12, 2009

The Evolution of Payment Terminal Standards

Almost since the inception of payment terminals, there has been concern about criminals tampering with these devices to capture card information for fraudulent purposes. In 1997, Visa issued the first security requirements for PIN Entry Devices. Effective January 1, 2008, all newly deployed PIN entry terminals were required to meet this standard. Manufacturers did not have to submit terminals to independent labs for certification against this standard; rather, they simply attested that the standard was met. In 2002, Visa enhanced their PED security program with additional security requirements and the requirement that terminals be submitted to a Visa approved lab for approval. In May of 2003, Visa announced that effective January 1, 2004, all newly deployed terminals must meet this standard, and as of July 1, 2010, all installed terminals must have met this standard and have been independently tested by a lab.

In 2004, MasterCard and Visa agreed to develop one set of PIN Entry Device requirements, which became known as PCI PED. As part of this agreement they announced that all newly deployed terminals after January 1, 2008 must meet this requirement.

In 2005, the card associations (American Express, Discover, JCB, MasterCard and Visa) formed the PCI Security Standards Council to standardize payment standards they required retailers to adhere to (The PCI DSS or Data Security Standard). In September 2006, the PCI SSC announced that they would take over the management and development of the PED Standard, and they released the PCI PED 2.0 Requirements in April of 2007. Next in the evolution of Payment Terminal Standards will be the introduction of the PTS (PIN Transaction Security Program) at the PCI SSC community meeting in September 2009.

The following chart illustrates the timeline of the evolution of payment terminal standards.


Interesting Skimmer Found in a US retailer


Here is an interesting picture of a skimmer, apparently uncovered by Knoxville area law enforcement. It’s the first time I have seen a picture of the entire top case of a payment terminal being used as a skimming device!

The full article is

Tuesday, August 11, 2009

Wireless Check Deposit via the iPhone


Pretty neat application from USAA which lets customers deposit checks wirelessly by taking a photo of both sides of the check using the iPhone's built-in camera, and then sending an image of a check directly to USAA where it can be verified and deposited.


See the complete story here