Feeds

PCI approval yanked from PIN entry kit

Safety first

Internet Security Threat Report 2014

Updated PCI certification has been withdrawn from two older PIN entry devices from Ingenico following concerns they were vulnerable to manipulation by cybercrooks.

In a leaked memo, Visa says PCI certification has been withdrawn from two previously approved products from Ingenico - the i3070MP01 and the i3070EP01 - as a "precaution", retail industry site storefrontbacktalk.com reports. The devices were mainly used in the US.

The memo also raised warnings against a larger number of "untested" devices, including four VeriFone units (PINpad 101, 201 and 2000 and the Everest model P003-3xx), two Hypercom units (S7S and S8) and another Ingenico PIN pad (eN-Crypt 2400). A caution was also filed against a further pre-PCI approved unit from Ingenico, the eN-Crypt 2100.

The warning, which included anti-skimming advice, stems from concerns that older PIN entry devices can be physically tampered with without triggering detection. Among the scenarios sketched out by Visa is the possibility for crooks posing as service personnel to swap out legitimate devices for doctored kit that harvest credit card information for use in later frauds or for selling on through underground carder forums.

In a statement, Visa Europe confirmed the market withdrawal of the two Ingenico devices, following their removal from an approved list of kit maintained by the payment card industry's PCI Council.

Earlier this year, the Payments Card Industry Security Standards Council (PCI SSC), in co-ordination with the manufacturer Ingenico, revoked the approval of the i3070MP01 and i3070EP01 devices. The revocation removed these devices from the PCI SSC maintained approval list and cancelled any existing approval issued by the PCI SSC for these devices. Based on this revocation, Visa Europe then withdrew its approval for these devices.

Visa takes seriously all reported threats to the integrity of the card payment system and fighting fraud remains a key priority.

Visa is encouraging retailers to switch over to PIN entry devices that are PCI-compliant. Retailers will be expected to shoulder the cost of this move, which comes at a time when merchants in countries such as Canada are undertaking the migration to terminals based on Chip and PIN. These have been commonplace in Europe for some years.

The Payment Card Industry Data Security Standard (PCI DSS) compliance programme covers regulations for security across the credit card industry. Merchants who fail to demonstrate compliance with the 12 point PCI guidelines risk having their ability to process plastic payments withdrawn, at worst, or fines and audits. Merchants are advised to only use PIN entry devices approved by the PCI SSC security standard. ®

Update

An earlier version of this story incorrectly reported that the Ingenico devices had been pulled from the market at the instigation of Visa, rather that the PCI Council, the real driver behind the move. The Payment Card Industry Security Cards Council (PCI SSC). The PCI SSC manages the implementation of PCI DSS, amongst other standards. Its membership includes everyone from retailers and banks to payments processors and vendors. "Whilst Visa Europe strongly supports the development and implementation of PCI DSS, it is an independent standard," a Visa spokeswoman explained. "Visa is not involved in the process of awarding or withdrawing PCI certification."

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.