1. PIN Pad Best Practices Webinar Jeff Wakefield
Vice President of Marketing
Integrated Systems
VeriFone
February 26, 2007
2. Today's Topics Payment Industry Security Update
What is Tampering?
PCI PED Requirements
PIN Pad Best Practices
VeriFone Security Products
Additional Payment Security Resources
3. Introduction Recent PIN Pad Tampering Disclosures Have Not Involved
VISA PED Approved Terminals
PCI PED Approved Terminals
VeriFone’s Current Integrated PIN Pad Offering is Secure
PIN Pad 1000SE
SC5000 PIN Pad
Everest Plus
OMNI 7000
OMNI 7100
MX800 Series
4. Security Breaches Continue…
5. And the Industry Remains Unprepared As of December 12, 2006:
1,200 Level 1 & 2 Merchants
Process Minimum of 1 Million Transactions Per Year
Only 36% of Level 1 Merchants Are Compliant
Only 15% of Level 2 Merchants Are Compliant
6. State of Payment Industry Security The Problems:
Organized Crime has Learned to Hack
Taking Advantage of Security Deficiencies
Using the Internet to Mask their Activity
Lack of Detection provides 6-8 Month Edge
Hack to Distribution Time is Decreasing
Recent Case: 1 Day from Hack to Over $200K
Deep Understanding of POS Systems
Focus on Track Data and ATM PINs
Operate in Multiple Countries Simultaneously
Websites with Tools & POS Information
Wide Availability of “Unapproved” PIN Pads
Penalties Less Severe Than Other Profitable Crimes Like Drugs
7. State of Payment Industry Security The Problems:
Security Standards are Still Propagating
Small Merchant Population Still Unaware
Integrators Lack Security Know-How
Many Non-Compliant POS Systems Still Exist
New Effort for Payment Application Developers
Achieving Compliance Can Be Costly
“Unapproved” PIN Pad Terminals are Still Deployed
Security is only as strong as the weakest link in the chain
8. Street Prices Of Card Information
9. How Are Bugs Installed? PIN Pads Purchased on the Used Market, or
PIN Pads Removed from Retailer Location
Bugs Are Inserted
PIN Pads Re-installed at Retailer Location
10. How is Compromised Data Recovered?
11. Current Payment Security Standards PED, VISA PED, PCI PED
Applies to the Payment Terminal Only
PIN Security Program
Applies to end to end management and encryption of keys
PCI DSS
Applies to the Retailer’s Entire System
VISA CISP, MasterCard SDP, Amex DSOP, Discover DISC
Applies to the Entire System
Requires PCI DSS
PABP
Applies to purchased software applications
Not Currently Required for PCI DSS or Association Standards
Required By Some Acquirers
12. PIN Entry Devices Currently there are three types of PIN Entry Devices (PEDs) in use
Non-Approved Devices (Pre 2004)
VISA PED Approved Devices (2003 – 2006)
PCI PED Approved Devices (2006 onwards)
Two Other Categories
EPP – Encrypting PIN PAD
Modules Used in Self Service Devices
Kiosks, Gas Pumps, Ticketing Machines, etc.
ATM – Automated Teller Machines
The Major Card Associations Support the Same Requirements
13. Non-Approved PIN Entry Devices These devices have never been tested
Examples:
Omni 490, Everest (*)
Manufacture’s Can Not Sell After September 30, 2004
Retailer’s Must Remove From Service By June 30, 2010
Penalty For Non-Compliance
Acquirers not covered in the event of a PIN Compromise
Loss & Card Reissue Costs Likely to be Passed to Retailer
Liable for Penalties per Association Operating Regulations
Card Associations Could Revoke Merchant Services Agreement
(* Contact Your Account Executive to determine your version)
14. VISA PED Approved PIN Entry Devices Currently Being Sold, Installed and Used by Retailers
Examples
Everest Plus*, Omni 7000
Required for Manufacturers to Sell After January 1, 2004
Manufacturers Cannot Sell After December 31, 2007
Retailers Can Purchase Before 12/31/2007 and Deploy Later
There is no Sunset Date for Retailers to Remove from Service
(* Contact Your Account Executive to determine your version)
15. Deployment After December 31, 2007
16. Deployment After December 31, 2007
17. Pre-PCI Approved Device Sunset Date
18. PCI PED Approved PIN Entry Devices Currently Being Sold, Installed and Used by Retailers
More stringent than VISA-PED [Replaces VISA-PED]
Tamper responsiveness - active security
Expanded lab freedom to pursue sophisticated attack certification testing
Examples
MX830, MX850, MX870
All Newly Introduced Devices Must be Certified Against this Standard
Required for Manufacturers to Sell After January 1, 2008
Manufacturers Can Not Sell After April 1, 2014
There is no Sunset Date for Retailers to Remove from Service
19. PCI PED 1.3 Requirements Tamper Protection
Cryptographic Control of Prompting
Prevent PIN Monitoring
Deter Visual Observation of PIN Entry
Not Practical to Build a Duplicate PED
Logical Software Security Against Tampering
Authentication of Software Applications
No Unnecessary Storage of Sensitive Data
DUKPT Keys or Fixed Key Security
Encryption & Key Management Requirements
Credit Card Reader Security
Manufacturing Security & Process Requirements
Shipping Security & Process Requirements
20. VeriFone PCI PED Certified Devices
21. Approved PIN Entry Devices
22. PIN Pad Best Practices Immediately perform a visual inspection on every terminal. If the inspector notices anything that looks out of the ordinary, have the unit checked by an authorized repair facility.
Have the inspector verify that the serial number printed on the bottom of the terminal matches the internally stored serial number. Immediately remove from service any devices where these serial numbers do not match.
Implement a procedure requiring all repair technicians who visit your stores to sign in and verify their identity, and do not allow them to work on PIN Pads unaccompanied.
Review the installation of your PIN Pads. They should be mounted on the counter, unplugging cables should require more than turning the unit over, and you may want to consider locking stands. If you are interested, VeriFone is developing locking stands. Contact your VeriFone Account Executive for more details.
23. PIN Pad Best Practices Review your POS-to-PIN Pad terminal interface to determine whether it tracks or identifies the serial number of the attached PIN pad. If not, consider implementing such a software check, so that a pad that is swapped for a different unit is noticed by the POS rather than only by a visual inspection.
Only purchase PIN pads from a manufacturer or a manufacturer’s authorized partner. Unauthorized resellers, such as those found online at sites such as eBay, may sell devices that are already compromised, whether intentionally or unwittingly.
For similar reasons, have your PIN Pads repaired at the manufacturer or at an authorized manufacturer’s repair center that has completed a TG3 Key Injection audit.
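The serial-number tracking recommended on slide 23 (and the serial check on slide 22), as an added example written for this page, not code from VeriFone or from the webinar: a POS-side monitor that compares the serial each lane's PIN pad reports with the serial registered for that lane at install time, and keeps a list of lanes that need a physical inspection. It assumes a hypothetical POS interface that can read the pad's internally stored serial number; the lane names, inventory and serial numbers are constructed.

```python
"""Added example (not from the VeriFone deck): a POS-side check that the PIN pad
attached to each lane is the unit registered for that lane.

Assumptions (hypothetical): the POS can poll the attached PIN pad for its
internally stored serial number, and the retailer keeps an inventory mapping
lane -> serial recorded at install time. All serial numbers below are made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed inventory: the serial recorded for each lane when the pad was installed.
REGISTERED: Dict[str, str] = {
    "lane-01": "VF0001A1",
    "lane-02": "VF0002B2",
    "lane-03": "VF0003C3",
}


def normalize(serial: Optional[str]) -> Optional[str]:
    """Canonical form so a label read by a human and a value read over the
    terminal link compare equal (case and surrounding whitespace only)."""
    return None if serial is None else serial.strip().upper()


@dataclass(frozen=True)
class Event:
    lane: str
    kind: str                # ok | removed | reattached | mismatch | unknown_lane
    expected: Optional[str]
    observed: Optional[str]


class PinPadMonitor:
    """Tracks what each lane reports and flags lanes needing a physical inspection."""

    def __init__(self, registered: Dict[str, str]) -> None:
        self.registered = {lane: normalize(s) for lane, s in registered.items()}
        self.last_seen: Dict[str, Optional[str]] = {}   # lane -> serial at last poll
        self.flagged: Set[str] = set()                  # lanes awaiting inspection
        self.events: List[Event] = []

    def poll(self, lane: str, observed: Optional[str]) -> Event:
        """Record one poll. `observed` is the serial the pad reports, or None
        when no pad answers (unplugged, swapped during a power cycle, etc.)."""
        observed = normalize(observed)
        expected = self.registered.get(lane)
        was_polled = lane in self.last_seen
        previous = self.last_seen.get(lane)

        if expected is None:
            kind = "unknown_lane"          # a pad on a lane nobody registered
        elif observed is None:
            kind = "removed"
        elif observed != expected:
            kind = "mismatch"              # a different unit than the one installed
        elif was_polled and previous is None:
            kind = "reattached"            # right serial, but it left the counter
        else:
            kind = "ok"

        # An "ok" poll never clears a flag; only a human inspection should (clear()).
        if kind in ("mismatch", "reattached", "unknown_lane"):
            self.flagged.add(lane)

        self.last_seen[lane] = observed
        event = Event(lane, kind, expected, observed)
        self.events.append(event)
        return event

    def clear(self, lane: str) -> None:
        """Called after an authorized technician has inspected the unit."""
        self.flagged.discard(lane)

    def lanes_needing_inspection(self) -> List[str]:
        return sorted(self.flagged)


def run_demo() -> List[str]:
    """Replay a constructed sequence of polls and return the event kinds."""
    m = PinPadMonitor(REGISTERED)
    polls = [
        ("lane-01", "vf0001a1"),   # same pad, case differs on the wire: ok
        ("lane-02", "VF0002B2"),   # ok
        ("lane-02", None),         # pad unplugged
        ("lane-02", "VF7777ZZ"),   # a different unit came back: mismatch
        ("lane-03", "VF0003C3"),   # ok
        ("lane-03", None),         # removed
        ("lane-03", "VF0003C3"),   # same serial returns: still inspect it
        ("lane-09", "VF0009XX"),   # lane never registered
    ]
    kinds = [m.poll(lane, serial).kind for lane, serial in polls]
    for lane in m.lanes_needing_inspection():
        print(f"inspect {lane}: last seen {m.last_seen[lane]!r}, "
              f"registered {m.registered.get(lane)!r}")
    return kinds


if __name__ == "__main__":
    print(run_demo())
```

A pad that comes back with the correct serial is still flagged, because the attack the deck describes on slide 9 is a pad removed from the counter, bugged and reinstalled: a serial check can see a swapped unit, but not a bug inside the same unit, so only an inspection by an authorized repair facility should clear the lane.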
24. PIN Pad Best Practices You Must Develop a Response Plan!
Ensure you know what to do in the event an attack is identified
Determine If You Can Respond, or if a Third Party is Required
You must be able to answer:
How do we respond?
Who is in charge of our response?
Internal Systems
External notifications
Do we have records of changes to the environment?
What “real” response capabilities do our internal teams have?
When do we need to involve outside experts?
Who do we call first?
25. VeriFone Payment Security Products PIN Pad Security Audit
Secure Terminal Retirement
VisualPayments Device Solutions
Locking PIN Pad Stands
26. PIN Pad Security Audit Terminal Security Audit & Cleaning
Retailer Purchases Seed Stock of Terminals
Terminals Sent to VeriFone Repair Facility
List of Terminals Sent to VeriFone, or
Terminal List Created as Terminals Received
Call Tags Issued for Return to VeriFone, or
Retailer Manages Return to VeriFone
Terminal Serial Numbers Captured
PIN Pad Audited for Evidence of Tampering
Terminals Cleaned and Returned to Stores
Report Sent to Retailer
Contact VeriFone Account Executive for Details
27. Secure Terminal Retirement Terminal Destruction and Environmental Recycling
Terminals Sent to VeriFone Repair Facility
List of Terminals Sent to VeriFone, or
Terminal List Created as Terminals Received
Call Tags Issued for Return to VeriFone, or
Retailer Manages Return to VeriFone
Terminal Serial Numbers Captured
Secure Chip Drilled to eliminate keys
Terminals Crushed and Recycled
Report Sent to Retailer
Contact VeriFone Account Executive for Details
28. VisualPayments™ Device Solutions Device Solutions is Part of Visual Payments Suite
Available for MX800 Series Products
Detects and Alerts PIN Pad Removal & Installation
Ensures Proper Operating System and Software are Installed
Also Supports Remote Diagnostics and Support
Contact VeriFone Account Executive for More Details
29. Locking PIN Pad Stands Prevents Unauthorized Removal & Replacement of PIN Pads
Contact Your Account Executive for More Details
30. VeriFone Security Website To Be Launched This Week
News Articles
VeriFone PIN Pad Best Practices
ATMIA Best Practices for POS Security
Links to Association Security Web Sites
Status of VeriFone Products
Link to Webinar for Replay
PIN Pad Best Practices Presentation
VeriFone PCI Security Presentation
Email PaymentSecurity@VeriFone.com for Mailing List
31. VeriFone Retail Payments Conference
32. Questions? Jeff Wakefield
Vice President of Marketing
Integrated Systems
VeriFone
300 South Park Place Blvd.
Clearwater, FL 33769
727-953-4484
Jeff_W7@VeriFone.com