Feeds

PCI approval yanked from PIN entry kit

Safety first

Build a business case: developing custom apps

Updated PCI certification has been withdrawn from two older PIN entry devices from Ingenico following concerns they were vulnerable to manipulation by cybercrooks.

In a leaked memo, Visa says PCI certification has been withdrawn from two previously approved products from Ingenico - the i3070MP01 and the i3070EP01 - as a "precaution", retail industry site storefrontbacktalk.com reports. The devices were mainly used in the US.

The memo also raised warnings against a larger number of "untested" devices, including four VeriFone units (PINpad 101, 201 and 2000 and the Everest model P003-3xx), two Hypercom units (S7S and S8) and another Ingenico PIN pad (eN-Crypt 2400). A caution was also filed against a further pre-PCI approved unit from Ingenico, the eN-Crypt 2100.

The warning, which included anti-skimming advice, stems from concerns that older PIN entry devices can be physically tampered with without triggering detection. Among the scenarios sketched out by Visa is the possibility for crooks posing as service personnel to swap out legitimate devices for doctored kit that harvest credit card information for use in later frauds or for selling on through underground carder forums.

In a statement, Visa Europe confirmed the market withdrawal of the two Ingenico devices, following their removal from an approved list of kit maintained by the payment card industry's PCI Council.

Earlier this year, the Payments Card Industry Security Standards Council (PCI SSC), in co-ordination with the manufacturer Ingenico, revoked the approval of the i3070MP01 and i3070EP01 devices. The revocation removed these devices from the PCI SSC maintained approval list and cancelled any existing approval issued by the PCI SSC for these devices. Based on this revocation, Visa Europe then withdrew its approval for these devices.

Visa takes seriously all reported threats to the integrity of the card payment system and fighting fraud remains a key priority.

Visa is encouraging retailers to switch over to PIN entry devices that are PCI-compliant. Retailers will be expected to shoulder the cost of this move, which comes at a time when merchants in countries such as Canada are undertaking the migration to terminals based on Chip and PIN. These have been commonplace in Europe for some years.

The Payment Card Industry Data Security Standard (PCI DSS) compliance programme covers regulations for security across the credit card industry. Merchants who fail to demonstrate compliance with the 12 point PCI guidelines risk having their ability to process plastic payments withdrawn, at worst, or fines and audits. Merchants are advised to only use PIN entry devices approved by the PCI SSC security standard. ®

Update

An earlier version of this story incorrectly reported that the Ingenico devices had been pulled from the market at the instigation of Visa, rather that the PCI Council, the real driver behind the move. The Payment Card Industry Security Cards Council (PCI SSC). The PCI SSC manages the implementation of PCI DSS, amongst other standards. Its membership includes everyone from retailers and banks to payments processors and vendors. "Whilst Visa Europe strongly supports the development and implementation of PCI DSS, it is an independent standard," a Visa spokeswoman explained. "Visa is not involved in the process of awarding or withdrawing PCI certification."

The essential guide to IT transformation

More from The Register

next story
Rupert Murdoch says Google is worse than the NSA
Mr Burns vs. The Chocolate Factory, round three!
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Germany 'accidentally' snooped on John Kerry and Hillary Clinton
Dragnet surveillance picks up EVERYTHING, USA, m'kay?
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
Think crypto hides you from spooks on Facebook? THINK AGAIN
Traffic fingerprints reveal all, say boffins
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.