Feeds

PCI approval yanked from PIN entry kit

Safety first

SANS - Survey on application security programs

Updated PCI certification has been withdrawn from two older PIN entry devices from Ingenico following concerns they were vulnerable to manipulation by cybercrooks.

In a leaked memo, Visa says PCI certification has been withdrawn from two previously approved products from Ingenico - the i3070MP01 and the i3070EP01 - as a "precaution", retail industry site storefrontbacktalk.com reports. The devices were mainly used in the US.

The memo also raised warnings against a larger number of "untested" devices, including four VeriFone units (PINpad 101, 201 and 2000 and the Everest model P003-3xx), two Hypercom units (S7S and S8) and another Ingenico PIN pad (eN-Crypt 2400). A caution was also filed against a further pre-PCI approved unit from Ingenico, the eN-Crypt 2100.

The warning, which included anti-skimming advice, stems from concerns that older PIN entry devices can be physically tampered with without triggering detection. Among the scenarios sketched out by Visa is the possibility for crooks posing as service personnel to swap out legitimate devices for doctored kit that harvest credit card information for use in later frauds or for selling on through underground carder forums.

In a statement, Visa Europe confirmed the market withdrawal of the two Ingenico devices, following their removal from an approved list of kit maintained by the payment card industry's PCI Council.

Earlier this year, the Payments Card Industry Security Standards Council (PCI SSC), in co-ordination with the manufacturer Ingenico, revoked the approval of the i3070MP01 and i3070EP01 devices. The revocation removed these devices from the PCI SSC maintained approval list and cancelled any existing approval issued by the PCI SSC for these devices. Based on this revocation, Visa Europe then withdrew its approval for these devices.

Visa takes seriously all reported threats to the integrity of the card payment system and fighting fraud remains a key priority.

Visa is encouraging retailers to switch over to PIN entry devices that are PCI-compliant. Retailers will be expected to shoulder the cost of this move, which comes at a time when merchants in countries such as Canada are undertaking the migration to terminals based on Chip and PIN. These have been commonplace in Europe for some years.

The Payment Card Industry Data Security Standard (PCI DSS) compliance programme covers regulations for security across the credit card industry. Merchants who fail to demonstrate compliance with the 12 point PCI guidelines risk having their ability to process plastic payments withdrawn, at worst, or fines and audits. Merchants are advised to only use PIN entry devices approved by the PCI SSC security standard. ®

Update

An earlier version of this story incorrectly reported that the Ingenico devices had been pulled from the market at the instigation of Visa, rather that the PCI Council, the real driver behind the move. The Payment Card Industry Security Cards Council (PCI SSC). The PCI SSC manages the implementation of PCI DSS, amongst other standards. Its membership includes everyone from retailers and banks to payments processors and vendors. "Whilst Visa Europe strongly supports the development and implementation of PCI DSS, it is an independent standard," a Visa spokeswoman explained. "Visa is not involved in the process of awarding or withdrawing PCI certification."

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.