Feeds

PCI approval yanked from PIN entry kit

Safety first

The Essential Guide to IT Transformation

Updated PCI certification has been withdrawn from two older PIN entry devices from Ingenico following concerns they were vulnerable to manipulation by cybercrooks.

In a leaked memo, Visa says PCI certification has been withdrawn from two previously approved products from Ingenico - the i3070MP01 and the i3070EP01 - as a "precaution", retail industry site storefrontbacktalk.com reports. The devices were mainly used in the US.

The memo also raised warnings against a larger number of "untested" devices, including four VeriFone units (PINpad 101, 201 and 2000 and the Everest model P003-3xx), two Hypercom units (S7S and S8) and another Ingenico PIN pad (eN-Crypt 2400). A caution was also filed against a further pre-PCI approved unit from Ingenico, the eN-Crypt 2100.

The warning, which included anti-skimming advice, stems from concerns that older PIN entry devices can be physically tampered with without triggering detection. Among the scenarios sketched out by Visa is the possibility for crooks posing as service personnel to swap out legitimate devices for doctored kit that harvest credit card information for use in later frauds or for selling on through underground carder forums.

In a statement, Visa Europe confirmed the market withdrawal of the two Ingenico devices, following their removal from an approved list of kit maintained by the payment card industry's PCI Council.

Earlier this year, the Payments Card Industry Security Standards Council (PCI SSC), in co-ordination with the manufacturer Ingenico, revoked the approval of the i3070MP01 and i3070EP01 devices. The revocation removed these devices from the PCI SSC maintained approval list and cancelled any existing approval issued by the PCI SSC for these devices. Based on this revocation, Visa Europe then withdrew its approval for these devices.

Visa takes seriously all reported threats to the integrity of the card payment system and fighting fraud remains a key priority.

Visa is encouraging retailers to switch over to PIN entry devices that are PCI-compliant. Retailers will be expected to shoulder the cost of this move, which comes at a time when merchants in countries such as Canada are undertaking the migration to terminals based on Chip and PIN. These have been commonplace in Europe for some years.

The Payment Card Industry Data Security Standard (PCI DSS) compliance programme covers regulations for security across the credit card industry. Merchants who fail to demonstrate compliance with the 12 point PCI guidelines risk having their ability to process plastic payments withdrawn, at worst, or fines and audits. Merchants are advised to only use PIN entry devices approved by the PCI SSC security standard. ®

Update

An earlier version of this story incorrectly reported that the Ingenico devices had been pulled from the market at the instigation of Visa, rather that the PCI Council, the real driver behind the move. The Payment Card Industry Security Cards Council (PCI SSC). The PCI SSC manages the implementation of PCI DSS, amongst other standards. Its membership includes everyone from retailers and banks to payments processors and vendors. "Whilst Visa Europe strongly supports the development and implementation of PCI DSS, it is an independent standard," a Visa spokeswoman explained. "Visa is not involved in the process of awarding or withdrawing PCI certification."

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.