Security Regulations Information Center

Payment product security information can change from time to time. POSDATA posts this information here as we receive it. For more information or for help with all your electronic payment needs, contact our electronic payment experts. We can help you choose the right solution for your needs.

White Papers

Card Payments Roadmap in the United States: How Will EMV Impact the Future Payments Infrastructure?
A Smart Card Alliance Payments Council White Paper
► Download the whitepaper

PCI Accepting Mobile Payments with a Smartphone or Tablet
This whitepaper from the PCI Security Standards Council discusses the expanding payment capabilities of mobile devices and solutions for maintaining data security throughout the payment lifecycle.
► Download the whitepaper

PCI Security Standards Council Provides Guidance to Merchants on Mobile Payment Acceptance Security
This whitepaper from the PCI Security Standards Council provides a customized fact sheet offering tips for leveraging PCI Standards to accept mobile payment securely.
► Download the whitepaper

PCI PED Considerations for New Purchase Decisions
This whitepaper from Hypercom outlines the decisions retailers must make when selecting new technology, so that they reduce the risk of compromise and extend the potential serviceable life of the product selected today.
► Download the whitepaper

PCI PED Compliance - Understanding the Impending PCI Deadlines
This whitepaper from VeriFone contains:
- A clear analysis of the PCI PED mandate and why you and your merchant should take action now.
- Tips on how to move your merchants to compliance prior to the PCI PED deadline.
- A replacement chart for VeriFone PCI PED devices.
- A better knowledge of the evolution of PED standards and three classes of PED devices.
- Key dates for PCI PED implementation and mandates.
► Download the whitepaper

Announcements

► ID TECH Commits to Developing PCI SRED Card Readers to Enable "P2PE"

► Vendorsafe - What VISA's EMV Announcement Means - 07/16/12

► Verifone Perspectives on EMV in the U.S. - 02/01/12

► Visa Announces Plans to Accelerate Chip Migration and Adoption of Mobile Payments - 08/09/11
Visa Inc. announced plans to accelerate the migration to EMV contact and contactless chip technology in the United States. The adoption of dual-interface chip technology will help prepare the U.S. payment infrastructure for the arrival of NFC-based mobile payments by building the necessary infrastructure to accept and process chip transactions that support either a signature or PIN at the point of sale.

► Ingenico Press Release - Migration and Adoption of EMV in the United States

► Ingenico FAQ's - Europay, MasterCard & Visa (EMV Smartcard - Chip & PIN)

Interlink Merchants Must Use TDES at Point of Sale by July 2010
Abstract: The confidentiality of cardholder Personal Identification Numbers (PINs) when used at point-of-sale (POS) PIN-Entry Devices (PEDs) depends on the full compliance of all payment system participants with the Payment Card Industry (PCI) PIN Security Requirements. To ensure the continued secure protection of PIN-based transactions, Visa established requirements for the use of Triple Data Encryption Standard (TDES) for PIN encryption at all POS PEDs. Effective July 1, 2010, all Interlink-accepting POS PEDs and host systems must use TDES for the protection of PINs.
► Download the document

PIN Entry Device Testing Program Changes Effective December 31, 2007
Abstract: Visa’s PIN Entry Device (PED) testing program, which was introduced in 2003, is transitioning to the PCI Security Standards Council. As part of this transition, PEDs tested under the original, Visa-only program will be removed from the Approved PIN Entry Devices list, effective December 31, 2007. Acquirers, processors, merchants and agents will need to plan now to purchase point-of-sale (POS) PEDs in compliance with these program changes.
► View the announcement from VISA (includes Visa PIN Entry Device Frequently Asked Questions)

Ingenico eNTouch 1000 and eNCrypt 2100 Product Announcement
Abstract: Changes in Visa PCI security regulations may affect your Ingenico eNTouch 1000 and eNCrypt 2100 installations.
► See this information in PDF format.
See also VISA PED-certified Ingenico i6550 and Ingenico 6780 POS payment terminals.

Notification of PCI De-listing of POS PIN Entry Device — Update
MasterCard is providing updated information regarding the Ingenico point-of-sale (POS) terminal i3070 models i3070MP01 and i3070EP01 that were de-listed from the Payment Card Industry (PCI) PIN Transaction Security (PTS) Approved Product List.
► View this notification from MasterCard

Industry News Flash from VeriFone: Pin Pad Tampering
Abstract: VeriFone assures that none of its VISA PED or PCI PED (Payment Card Industry PIN Entry Device) approved terminals were part of the recent tampering stories and that solutions such as the VeriFone MX800 Series meet all current PCI PED Security Requirements, including tamper prevention and detection. VeriFone explains the process of tampering, describes current industry security requirements to prevent tampering, describes payment terminal security, and outlines the steps needed to improve PIN pad security.
► Get this document in PDF format or
► Visit the VeriFone website
VISA also provides security information on their website.

FAQs

VISA's General PED Frequently Asked Questions
Requirements, how to implement, definitions and explanations.
► Find the answers to your questions (PDF)

PCI Approval Status for POS PED Terminals (Article provided by MasterCard Worldwide)
Abstract: MasterCard provides a useful table showing when a terminal can be sold, how long it can be used in the field and when it must be removed. Covers the expiry of the Pre-PCI (VISA PED) approval.
► Download this document

Information

Visa Bulletin - Encrypting PIN Pads Must Be Industry-Approved
Visa reminds clients that they are required to purchase and deploy only PCI-approved EPPs, which undergo rigorous testing to ensure the highest level of security for cardholder PINs.
► Read the bulletin

Visa Updates the Compromised PIN Entry Device Listing and Reminds Members of Upcoming Mandatory Sunset Dates
Compromised point of sale (POS) PIN entry devices (PEDs) have been used in tampering and skimming attacks to capture PIN and magnetic stripe card data. Visa members must take action to mitigate the risks introduced by these compromised POS PEDs. This bulletin provides a list of the known compromised POS PED makes and models and skimming prevention best practices.
► Download this document

Migrating From a Single DES Key to a Triple DES Key in a Triple DES-Capable Terminal
MasterCard is providing guidance about how merchants and acquirers should migrate from a Single Data Encryption Standard (Single DES) key to a Triple DES key in a Triple DES capable point-of-interaction (POI) terminal.
► Download the document

Retirement of Pre-PCI Attended POS PIN Entry Devices
VISA provides retirement planning tools for your pre-PCI attended POS PIN entry devices, including:
- A table listing the three device categories and their associated sunset dates
- PED retirement planning best practices
- Links to related documents
► View this resource from VISA
Note: In this bulletin, Visa announced a mandatory sunset date of 31 December 2014 for all pre-PCI attended POS PEDs. However, a newer bulletin, Visa Updates Compromised PIN Entry Device Listing and Reminds Members of Upcoming Mandatory Sunset Dates, recommends that certain devices should be replaced as soon as possible to prevent tampering.

PIN Entry Device Program Information Update
Several initiatives to improve PIN security and transaction protection are approaching a key deadline in July 2010. These include adoption of Triple DES (TDES) encryption requirements and point-of-sale PIN entry device (POS PED) hardware certification. This security standards compliance update shows the progression of the requirements, discusses Triple DES and summarizes the POS PED categories and applicable dates.
► Download the document

POS PIN Entry Device Vulnerabilities
Compromised point-of-sale (POS) PIN-entry devices (PEDs) equipped with tapping mechanisms designed to capture PIN and card data have recently been found in the U.S. marketplace. Visa clients must take action to mitigate the risks introduced by these compromised POS PEDs.
► Download this document

Differences Between PCI-PED 2.0 and 2.1
There are no functional differences or new requirements between PCI-PED 2.0 and 2.1, as shown in the table below.
► View the current PCI 2.x security requirements (source of the table below).

| Date | Version | Description |
|---|---|---|
| 9/2006 | 2.x | Draft published for comment |
| 11/2006 | 2.x | Formatting changes |
| 4/2007 | 2.x | A1, A7, A11, B1, B4, B11, B13, D1, D4 |
| 7/2007 | 2.0 | PCI Security Standards Council adoption of PED requirements |
| 1/2009 | 2.1 | Clarifications and errata |

Visa TDES Seminar Recap
In early September 2009, Visa held a webinar about TDES compliance and Visa best practices.
► Here is a link to that slide presentation. Please take particular note of pages 11-17.

PCI DSS Wireless Guidelines
This document provides the first highly specific, actionable wireless operational guide for complying with PCI DSS, including:
- Generally applicable wireless requirements: These are requirements that all organizations should have in place to protect their networks from attacks via rogue or unknown wireless access points (APs) and clients.
- Requirements applicable for in-scope wireless networks: These are requirements that all organizations that transmit payment card information over wireless technology should have in place to protect those systems.
► Download this document

New PCI Security Information: PCI DSS v1.2 Released
Abstract: The Payment Card Industry Security Standards Council (PCI SSC) has released the new version 1.2 of the Data Security Standard (DSS). Find out how this change will impact PCI validation for your company.
► Download this document.

PIN Pad Security Best Practices
Abstract: Due to repeated targeting of pre-PED PIN Pads and Payment Terminals, VeriFone has developed PIN Pad Security Best Practices. These best practices first enable a retailer to determine whether any existing terminals have been tampered with, and second make tampering much more difficult by implementing a comprehensive set of security controls that prevent tampering and reveal more quickly when tampering has occurred.
► View the PIN Pad Security Best Practices
Additional information can be found on VeriFone's Retail Payment Security web site at www.secureretailpayments.com.

Press Releases

PCI Security Standards Council Releases Version 3.0 of PTS Security Requirements
On May 12, 2010, the PCI Security Standards Council (PCI SSC) announced the publishing of version 3.0 of the PIN Transaction Security (PTS) Point of Interaction (POI) security requirements. Version 3.0 streamlines and simplifies testing and implementation by providing a single set of modular evaluation requirements for all Personal Identification Number (PIN) acceptance Point of Interaction terminals.
► Go to the Council's website for the updated standard and detailed listing of approved devices.
► Download PCI SSC press release (PDF)
