12.07.2015 Views

PCI PED Compliance_4-7-10 - Verifonezone.com


PCI PED Compliance
Lori Breitzke
April 2010


Introduction
• This presentation is geared to merchant acquirers and ISOs in the financial services industry that sell to small to mid-sized merchants
• It is not designed for:
  – Petroleum ISVs
  – Multi-lane retailers
  – VARs
  – Transportation
  – Retail Banking
• If you’re in the petroleum space visit: http://www.verifone.com/sites/secure-pumppay.aspx
• If you’re in the multi-lane retail space visit: http://www.verifone.com/mx-800-series.aspx


Agenda
• Breach Concerns
• What is PCI PED?
• Sample Scenarios
• Marketing Materials Available
• Partner Offers
• Q&A


Why Worry About A Breach?
• Industry research indicates that many merchants do not know much about security
• In fact, Visa research indicates that compliance was lowest among level 4 merchants
• According to industry research by Verizon, 81 percent of the organizations that experienced a breach “were not Payment Card Industry (PCI) compliant”
• 75 percent of the breaches it investigated involved the retail (31 percent), financial services (30 percent) and food & beverage (14 percent) industries
• More than 80% of breaches since 2005 have happened at small merchants
• You only hear about the bigger breaches but smaller ones occur every day


What Is PCI PED?
• PCI PED requirements are primarily concerned with device characteristics impacting the security of the PIN Entry Device used by the cardholder during a financial transaction.
• These rules are to protect the consumer from fraud.
• There are two factors involved in PCI PED requirements.
  – Device characteristics – the physical and logical security characteristics of the device that deter a physical attack on the device—for example, the penetration of the device to determine its key(s) or to plant a PIN-disclosing “bug” within it or allowing the device to output a clear-text PIN-encryption key
  – Device management considers how the PED is produced, controlled, transported, stored, and used throughout its lifecycle
• The deadline to remove PCI PED ‘never approved’ devices from the market is July 1, 2010
  – Most of these devices were manufactured before 2004


PED Approval Recap
• Never Approved
  – Merchants/Retailers must stop PIN use by July 2010
• Visa PED Approved
  – Manufacturers MUST NOT place for PIN after December 2007
  – But can use indefinitely
• PCI PED Approved
  – Manufacturers MUST place for PIN entry after 12/2007


Impact To The Retailer/Merchant
• There has been much confusion over the impact to a retailer who does not meet the Visa July 1, 2010 mandates for payment security
• To review, there are three different mandates from Visa that must be met by US merchants by July 1, 2010. These are:
  – All never approved payment devices on which PIN debit transactions are conducted must be removed from service. This includes any terminal that is not either VISA PED or PCI PED.
  – All debit card PINs must be encrypted in TDES from the payment device
  – All applications that “store, process, or transmit cardholder information” must be PA-DSS or PABP compliant


How Do I Upgrade My Merchants?
• Replace never approved devices with higher-functioning devices
• Add a compliant PCI PED approved PIN Pad like the PP1000SE
• Use this opportunity as a way to add value to replace the older device
  – Value added applications
    • Gift card
    • Loyalty
  – PIN debit
  – Faster devices
  – Pay at the point of service


How To Upgrade Your Merchant – Sample Scenario
• Type of Retailer: Sporting Goods Store
• Scenario: Accepting electronic payments for many years using an Omni 3210 countertop device
• Upgrade Strategy:
• Omni 3210 utilizing debit will need to be replaced OR
  – A PIN Pad 1000SE can be added to the device
  – A configuration option would need to be changed in SoftPay to enable the external PP1000SE


How To Upgrade Your Merchant – Sample Scenario
• Type of Retailer: Jewelry
• Scenario: Accepting electronic payments for many years using an Omni 3740 countertop device. The merchant accepts credit and debit using an external PP1000SE
• Upgrade Strategy:
• Verify the PIN Pad 1000SE has TDES keys injected
• If the correct keys are not injected, the PIN Pad will need to be shipped to a distributor and have the proper keys injected


How To Upgrade Your Merchant – Sample Scenario
• Type of Retailer: Specialty Retailer
• Scenario: Accepting electronic payments using a Vx 510 countertop device and PIN Pad 1000SE with DUKPT keys
• Upgrade Strategy:
• Proper TDES keys must be injected into the PP1000SE
  – The PIN Pad will need to be shipped to a distributor and have the keys injected
  – OR a NEW PIN Pad 1000SE with TDES keys injected can be added to the device and the older PP returned


How To Upgrade Your Merchant – Sample Scenario
• Type of Retailer: Beauty Salon
• Scenario: Accepting electronic payments using a NURIT 2085+ countertop device
• Upgrade Strategy:
• Replace the NURIT device with a Vx 510 using the internal PIN Pad with TDES keys injected


Acquirer Collateral
• White Paper
• Flyer
• FAQs
• How to upsell your merchants
• Tool Kit (Interactive PDF)
• Product Upgrade Chart
• All materials are available on the landing page www.verifone.com/pciped
• And the VeriFone Zone www.verifonezone.com


Merchant Collateral
• Merchant Educational Package
  – Easy to understand overview, product charts, frequently asked questions, additional resources
• Merchant Flyer
  – One page sheets with key dates and deadlines
• Online Resources:
  – PCI Security Council
  – Merchant SAQ
  – www.verifone.com/pciped (Merchant Tab)


PCI PED Landing Page
• Breach Calculator
• Countdown clock
• Collateral
• White Paper
• Product Upgrade Chart


PCI PED Compliance Chart
This chart applies to countertop and mobile merchants


PCI PED Compliance Chart
This chart applies to multi-lane retail devices


PIN Pad 1000SE
• Number one selling PIN pad in the industry!
• Easy to use PIN debit entry
• PCI PED approved to meet the latest standards for secure PIN entry
• Future-proof payment solution, fully updatable and compatible
• Provides the best protection against fraud for merchants and consumers
• USB option provides another way to connect to a PC software program which minimizes cabling and countertop clutter


Additional Resources
• PCI PED website https://www.pcisecuritystandards.org/security_standards/ped/index.shtml
• PCI PED list of approved devices https://www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html
• VeriFone Security Page www.verifone.com/security
• Secure Retail Payments http://www.verifone.com/industry-solutions/retail/payment-trends--security/secureretailpaymentscom.aspx
• Visa http://broadcast01p.visabroadcasts.com/doc/20090422091220/5163459b29ec9fcdb6f98ceddad92d3d
