Feeds

PCI approval yanked from PIN entry kit

Safety first

The Power of One eBook: Top reasons to choose HP BladeSystem

Updated PCI certification has been withdrawn from two older PIN entry devices from Ingenico following concerns they were vulnerable to manipulation by cybercrooks.

In a leaked memo, Visa says PCI certification has been withdrawn from two previously approved products from Ingenico - the i3070MP01 and the i3070EP01 - as a "precaution", retail industry site storefrontbacktalk.com reports. The devices were mainly used in the US.

The memo also raised warnings against a larger number of "untested" devices, including four VeriFone units (PINpad 101, 201 and 2000 and the Everest model P003-3xx), two Hypercom units (S7S and S8) and another Ingenico PIN pad (eN-Crypt 2400). A caution was also filed against a further pre-PCI approved unit from Ingenico, the eN-Crypt 2100.

The warning, which included anti-skimming advice, stems from concerns that older PIN entry devices can be physically tampered with without triggering detection. Among the scenarios sketched out by Visa is the possibility for crooks posing as service personnel to swap out legitimate devices for doctored kit that harvest credit card information for use in later frauds or for selling on through underground carder forums.

In a statement, Visa Europe confirmed the market withdrawal of the two Ingenico devices, following their removal from an approved list of kit maintained by the payment card industry's PCI Council.

Earlier this year, the Payments Card Industry Security Standards Council (PCI SSC), in co-ordination with the manufacturer Ingenico, revoked the approval of the i3070MP01 and i3070EP01 devices. The revocation removed these devices from the PCI SSC maintained approval list and cancelled any existing approval issued by the PCI SSC for these devices. Based on this revocation, Visa Europe then withdrew its approval for these devices.

Visa takes seriously all reported threats to the integrity of the card payment system and fighting fraud remains a key priority.

Visa is encouraging retailers to switch over to PIN entry devices that are PCI-compliant. Retailers will be expected to shoulder the cost of this move, which comes at a time when merchants in countries such as Canada are undertaking the migration to terminals based on Chip and PIN. These have been commonplace in Europe for some years.

The Payment Card Industry Data Security Standard (PCI DSS) compliance programme covers regulations for security across the credit card industry. Merchants who fail to demonstrate compliance with the 12 point PCI guidelines risk having their ability to process plastic payments withdrawn, at worst, or fines and audits. Merchants are advised to only use PIN entry devices approved by the PCI SSC security standard. ®

Update

An earlier version of this story incorrectly reported that the Ingenico devices had been pulled from the market at the instigation of Visa, rather that the PCI Council, the real driver behind the move. The Payment Card Industry Security Cards Council (PCI SSC). The PCI SSC manages the implementation of PCI DSS, amongst other standards. Its membership includes everyone from retailers and banks to payments processors and vendors. "Whilst Visa Europe strongly supports the development and implementation of PCI DSS, it is an independent standard," a Visa spokeswoman explained. "Visa is not involved in the process of awarding or withdrawing PCI certification."

Designing a Defense for Mobile Applications

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.