
Tighten Your Perimeter
Chain Store Age
07/11/08
"It’s back-to-school season – the retail industry’s official kickoff to peak-season shopping frenzies. This year, more than any other in recent history, retailers are depending on vital fourth-quarter sales and there is no margin for error in retail operations."
VISA Report: Merchant Compliance Up
www.VISA.com
07/10/08
"The percentage of merchants who are in compliance with the Payment Card Industry Data Security Standard (PCI DSS) increased in the first quarter of this year, Visa says."
ATM PIN theft – CNN Report
www.CNN.com
07/10/08
"How safe is your ATM PIN when you use a machine you don't normally use? CNN's Deborah Feyerick reports."
MasterCard Worldwide Expands PCI Merchant Education Program
PR Newswire
07/09/08
"MasterCard Worldwide today announced the availability of three new seminars designed to help merchants protect payment card data and reduce the likelihood of reputational risk and the incidence of fraud."
Leading the Industry - Serving the Industry
Ensuring the security of your entire payment system is as challenging as it is critical to your business. Between the various card-brand and industry programs (PCI DSS, PABP, CISP, SDP, DISC and DSOP), it is hard to determine not only which requirements apply to you, but how to meet them.
As the leading payment solution vendor in the world, VeriFone is sponsoring this site to help merchants understand what is required to fully protect cardholder data from compromise.
It is our intent to make this the one place you need to get all of your information about payment security. From best practices documents to webinars and white papers, from recent news articles to industry updates and analysis, and from links to all of the security standards to payment conferences and webinars, VeriFone aims to make SecureRetailPayments.com the one web site you turn to for accurate, helpful information to better run your business and protect your customers' personal information.

VeriFone Introduces VeriShield Protect: Secures Consumer Card Data Even When Retailer Systems Are Breached
SAN JOSE, CA – April 9, 2008 – VeriFone Holdings, Inc. (NYSE: PAY) today introduced VeriShield Protect, a system designed to thwart continuing criminal efforts to gather unencrypted account holder data via breaches of merchant networks, applications and servers that come in contact with consumer credit and debit card information.

Restoring Consumer Confidence in the Payment System
Recent breach disclosures highlight that despite card industry security mandates and retailers' best efforts to comply with the Payment Card Industry Data Security Standard (PCI DSS), the theft of credit and debit card data remains a highly lucrative endeavor for criminal organizations.
For criminals, the gains from breaking into retail systems to obtain credit and debit card data far outweigh the risks and penalties of being caught. Whether located overseas or sitting in a mall parking lot, these criminals do not need to physically enter a retail establishment to steal this information; they can do so through electronic means. While there have been some arrests and prosecutions of those who have used stolen information to illegally purchase goods or withdraw money from bank accounts, the masterminds behind the data thefts go virtually scot-free.
In theory, following the standards and best practices outlined in the PCI DSS should prevent the theft of such information, but in practice, that goal may be unattainable.
A retailer's environment is far too complex to completely and constantly lock down against all intruders. An organization may have hundreds or thousands of distributed store and distribution center locations, tens of thousands of employees, and multiple connected devices, systems and networks. Maintaining constant vigilance over every access point and every place where data is stored or transported is a challenge that will likely never be fully met. With employee turnover, new store openings, new system deployments and upgrades of current systems, even a system that was at one moment totally secure is not likely to remain continuously secure.
Kings of old protected their valuables and families by building castles. As siege weapons improved, castles were fortified with ever thicker and higher walls and multiple internal layers of security around the keep. The current PCI DSS standards do no more than the kings of old did: try to stay ahead of siege technology by building stronger castles. As long as there is something of value inside the castle, or retail enterprise, the only option is to protect it. Just as castles became less effective at protecting valuables and inhabitants in the face of new technology, the cannon, so too have the PCI DSS standards proved incapable of stopping data breaches.
As long as retailers need to accept, transmit and store credit and debit card information, organized crime will attempt to breach the retail enterprise to obtain this information. The only realistic solution is to eliminate credit and debit cardholder data from retail systems.
As the leader in the secure payments industry, VeriFone is introducing a solution that will help retailers better protect themselves from the consequences of a breach. VeriFone's VeriShield Protect, utilizing patented technology from Semtek, encrypts the magnetic stripe data and the account number at the moment they are read by the magnetic stripe reader, so the clear data never reaches the POS application. This is the same method of encryption now used to secure debit card PINs. The manner in which this encryption is done does not require any changes to retailers' existing POS systems.
Retailers can install the decryption appliance at their headquarters and decrypt there before sending the transactions to their acquirer. In this case store systems and networks no longer carry PAN or magnetic stripe data, although the headquarters systems that host the decryption step still handle clear data and remain in scope for PCI DSS.
The second option is for the acquirer to host the decryption appliance. In this case PANs and magnetic stripe data are removed from the retailer's systems entirely, taking the clear card data out of the retailer's environment altogether and leaving criminals who breach it nothing usable to steal.
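As an added illustration of the data flow just described (this is example code written for this page, not VeriFone's or Semtek's implementation), the Go program below shows a reader head encrypting track 2 before the POS application sees it, and a decryption appliance, whether at headquarters or at the acquirer, recovering it. The sample track data and test PAN, the BDK and KSN values, the HMAC-SHA256 per-transaction key derivation standing in for DUKPT, and AES-GCM standing in for the product's cipher are all assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// SampleTrack2 is constructed test data built on the well-known test PAN
// 4111111111111111; it is not real cardholder data.
const SampleTrack2 = ";4111111111111111=08121015432112345678?"

// EncryptedRecord is all the POS application and store network ever see: the
// ciphertext, the key serial number (KSN) naming the per-transaction key, and a
// masked PAN for the receipt. None of it is cardholder data in the clear.
type EncryptedRecord struct {
	KSN        string
	Nonce      []byte
	Ciphertext []byte
	MaskedPAN  string
}

// panFromTrack2 extracts the PAN: start sentinel ';', PAN, field separator '='.
func panFromTrack2(track2 string) (string, error) {
	end := strings.IndexByte(track2, '=')
	if !strings.HasPrefix(track2, ";") || end < 11 { // a PAN has at least 10 digits
		return "", fmt.Errorf("malformed track 2 data")
	}
	return track2[1:end], nil
}

// MaskPAN keeps the first six and last four digits, the most a receipt should
// show. It assumes a PAN of at least 10 digits, which panFromTrack2 guarantees.
func MaskPAN(pan string) string {
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// deriveTxnKey derives a per-transaction key from the base derivation key (BDK)
// and the KSN. Real DUKPT (ANSI X9.24) uses a TDES derivation tree; HMAC-SHA256 is
// an assumed stand-in. Only the reader head and the decryption appliance hold the BDK.
func deriveTxnKey(bdk []byte, ksn string) []byte {
	mac := hmac.New(sha256.New, bdk)
	mac.Write([]byte(ksn))
	return mac.Sum(nil) // 32 bytes, used as an AES-256 key
}

func txnAEAD(bdk []byte, ksn string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveTxnKey(bdk, ksn))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ReaderEncrypt runs inside the secure reader head, before the swipe reaches the
// POS application. AES-GCM is assumed in place of the product's own cipher; the
// KSN is bound to the ciphertext as associated data.
func ReaderEncrypt(bdk []byte, ksn, track2 string) (EncryptedRecord, error) {
	pan, err := panFromTrack2(track2)
	if err != nil {
		return EncryptedRecord{}, err
	}
	gcm, err := txnAEAD(bdk, ksn)
	if err != nil {
		return EncryptedRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedRecord{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(track2), []byte(ksn))
	return EncryptedRecord{KSN: ksn, Nonce: nonce, Ciphertext: ct, MaskedPAN: MaskPAN(pan)}, nil
}

// DecryptAtAppliance runs on the decryption appliance, at retailer headquarters
// or at the acquirer. A wrong BDK or any change to the ciphertext fails
// authentication instead of yielding garbage.
func DecryptAtAppliance(bdk []byte, rec EncryptedRecord) (string, error) {
	gcm, err := txnAEAD(bdk, rec.KSN)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.KSN))
	if err != nil {
		return "", fmt.Errorf("decryption failed: %w", err)
	}
	return string(pt), nil
}

func main() {
	bdk := []byte("example-bdk-do-not-use-in-prod!!") // constructed, 32 bytes
	rec, err := ReaderEncrypt(bdk, "FFFF9876543210E00001", SampleTrack2)
	fmt.Printf("POS sees: ksn=%s pan=%s ct=%x err=%v\n", rec.KSN, rec.MaskedPAN, rec.Ciphertext, err)
	track2, err := DecryptAtAppliance(bdk, rec)
	fmt.Printf("appliance recovers %q err=%v\n", track2, err)
}
```

Run it and the POS-side line shows only a KSN, a masked PAN and ciphertext; only the holder of the BDK recovers track 2, and a modified ciphertext or a wrong key fails outright. Wherever the appliance sits is where clear PAN data reappears: at headquarters in the first option, at the acquirer in the second.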
Currently we are working with several leading retailers to implement this technology to prevent them from becoming tomorrow's headline. With the support of the card associations, acquirers and issuers, and retailers, we can end this problem and restore consumer confidence in our payment system.
VeriFone will hold a webinar on Thursday, April 10 at 2:00 P.M. EST for our most valued customers and partners to explain this solution and how we can work together to solve this growing problem. In the webinar we will first explain how VeriShield protects consumer card data and then we welcome all interested parties to participate in a discussion of how this solution can be most rapidly deployed throughout the payment system in the U.S.
If you would like to register for this event, assist in the discussion, or have any questions about VeriShield Protect, please send an email to verishield@verifone.com.

VISA CISP Compliance (chart; source: VISA USA, 5/31/07)

Recent Security Breach Update
Recently there have been news stories about PIN pad tampering and compromised consumer account information. VeriFone wants to assure you that none of its VISA or PCI PED (Payment Card Industry PIN Entry Device) approved terminals were part of the recent tampering stories, and that solutions such as the VeriFone MX800 Series meet all current PCI PED Security Requirements, including tamper prevention and detection. It is our understanding that the recently publicized tampering events were targeted at PIN entry devices that were purchased and installed prior to formal industry data security requirements being in place.

PIN Pad Security Best Practices
The payment industry and card associations adopted PED and PCI PED requirements because of concerns that sophisticated criminal organizations may have the resources to tamper with PED terminals to install a bug and collect private card data. In Pre-PED devices, security features were left to each vendor to determine. The more recently adopted Visa PED and PCI PED requirements provide standardized security features that make tampering progressively more difficult.
We are seeing an increase in criminal organizations targeting the less secure pre-PED terminals by installing bugs to collect credit and debit card information. In these cases, the criminal organizations are either inserting a bug into an in-place device or obtaining the same terminal model that a retailer uses, installing a bug, and then substituting the tampered device for the retailer's terminal. They then either come back to retrieve these terminals to obtain the stolen information, or in some cases the tampered terminals send the information to another computer via wireless communications.
Due to repeated targeting of pre-PED PIN pads and payment terminals, VeriFone has developed the following PIN Pad Security Best Practices. These best practices first enable a retailer to determine whether any existing terminals have been tampered with, and second make tampering much more difficult through a comprehensive set of security controls that prevent it and detect it more quickly when it does occur.
If a retailer does not enact a complete PIN Pad Security program, including PIN Pad Security Best Practices, then they will remain vulnerable to this kind of tampering.
VeriFone recommends all retailers implement the following PIN PAD Security Best Practices immediately.
- Immediately have a visual inspection performed on every device to look for potential signs of tampering: anything that does not look normal, such as missing, damaged or altered tamper seals, mismatched keys, missing screws, incorrect keyboard overlays, external wires, holes in the terminal or anything else unusual. If anything out of the ordinary is noticed, stop using the device and disconnect it from the POS terminal or network, but do not power it down, so that whatever evidence the device holds is preserved for the investigation. Contact the security officer at the terminal manufacturer to determine the next steps. Continue to perform visual inspections weekly.
- If your terminal has an electronic serial number, compare it to the serial number printed on the bottom of the terminal. If the two do not match, stop using the device and disconnect it from the POS terminal or network, but do not power it down. Contact the security officer at the terminal manufacturer to determine the next steps.
- Develop a process to monitor devices that consistently do not work properly, such as those with high mag-stripe read failure rates or unusual numbers of debit card declines. These can be indicators of tampered terminals. Contact the security officer at the terminal manufacturer to determine the next steps.
- Store spare devices under lock and key to prevent unauthorized removal. Incorporate a shift change procedure to validate the inventory of devices at every shift to ensure none have disappeared.
- Institute a procedure to track each instance in which a terminal is replaced within the store, whether from the in-store inventory, by a repair technician, or with units shipped into the store.
- Implement a procedure to require all repair technicians who visit your stores to sign in, verify their identity with photo identification, and remain accompanied by store personnel during any work on PIN pads.
- Review the installation of your PIN pads. They should be mounted on the counter; unplugging cables should require more than turning the unit over; and you may want to consider installing locking stands to prevent unauthorized removal. If you are interested, VeriFone has developed locking stands for the Everest, Omni 7X00 and MX800 Series products. Contact your VeriFone Account Executive for more details.
- If the PIN pad supports electronic serial numbers, implement a scheme to validate the PIN pad serial number every time the POS starts up to ensure the device has not been replaced, and if it has, automatically send an alert. If the device supports Ethernet connectivity, consider implementing a device management solution to track all in-service devices.
- Make sure the password for device access is not the original default password. If it is, have it changed, as default passwords become widely known. Contact your account executive if you need help changing this password.
- Only obtain PIN pads from the manufacturer or a manufacturer's authorized partner. Unauthorized resellers, such as those found on online marketplaces like eBay, may sell devices that are already compromised, whether intentionally or unwittingly.
- For similar reasons, have your PIN pads repaired at the manufacturer or an authorized manufacturer’s repair center that has completed a TG3 Key Injection audit.
- Develop a response plan before you suspect you have had a terminal breach. Identify the steps you need to take if you suspect a breach. Understand what to do to isolate your payment systems and prevent further loss of sensitive information. Have a list of who needs to be called, including your local law enforcement, your acquiring bank, your processor, your security assessor if you use one, and your payment system vendors. Make sure you have clear assignments for who needs to do what after a suspected attack and how you will respond. Designate one individual to lead this effort.
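The electronic serial number checks and the read-failure monitoring in the list above are the items a POS integrator can automate. As an added example written for this page (not VeriFone code), the Go program below reconciles a store's asset register against the electronic serials each lane reported at POS startup, and flags lanes whose mag-stripe read failure rate is abnormal, using constructed log lines. The lane and serial formats, the log line format, and the thresholds are assumptions of the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Alert is one finding that the POS or store server should raise for follow-up.
type Alert struct {
	Lane   string
	Kind   string // mismatch, missing, unknown or read-failures
	Detail string
}

// CheckSerials compares the asset register (lane -> serial printed on the label)
// with the electronic serial each lane reported at POS startup. A swapped unit
// shows as a mismatch, a removed unit as missing, an unregistered one as unknown.
func CheckSerials(register, reported map[string]string) []Alert {
	var alerts []Alert
	for lane, expected := range register {
		got, ok := reported[lane]
		switch {
		case !ok:
			alerts = append(alerts, Alert{lane, "missing", "no electronic serial reported"})
		case got != expected:
			alerts = append(alerts, Alert{lane, "mismatch", fmt.Sprintf("register %s, device reports %s", expected, got)})
		}
	}
	for lane, got := range reported {
		if _, ok := register[lane]; !ok {
			alerts = append(alerts, Alert{lane, "unknown", "device " + got + " not in register"})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Lane < alerts[j].Lane })
	return alerts
}

// swipeCounts tallies total and failed swipes per lane from lines of the assumed
// form "<time> lane=<id> swipe=<ok|fail>"; any other line is skipped.
func swipeCounts(lines []string) (total, failed map[string]int) {
	total, failed = map[string]int{}, map[string]int{}
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) < 3 || !strings.HasPrefix(f[1], "lane=") || !strings.HasPrefix(f[2], "swipe=") {
			continue
		}
		lane := strings.TrimPrefix(f[1], "lane=")
		total[lane]++
		if f[2] == "swipe=fail" {
			failed[lane]++
		}
	}
	return total, failed
}

// FlagReadFailures alerts on any lane whose mag-stripe read failure rate exceeds
// maxRate once it has at least minSwipes; a bugged or re-wired reader often shows
// up first as the lane that "never reads right".
func FlagReadFailures(lines []string, minSwipes int, maxRate float64) []Alert {
	total, failed := swipeCounts(lines)
	var alerts []Alert
	for lane, n := range total {
		if n >= minSwipes && float64(failed[lane])/float64(n) > maxRate {
			alerts = append(alerts, Alert{lane, "read-failures", fmt.Sprintf("%d of %d swipes failed", failed[lane], n)})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Lane < alerts[j].Lane })
	return alerts
}

// Constructed sample data: an asset register, what the lanes reported at
// startup, and a morning's worth of POS swipe log lines.
var (
	SampleRegister = map[string]string{"01": "SN-100001", "03": "SN-100003", "05": "SN-100005"}
	SampleReported = map[string]string{"01": "SN-100001", "03": "SN-200777", "09": "SN-100009"}
	SampleLog      = []string{
		"2008-07-10T09:15:02 lane=01 swipe=ok",
		"2008-07-10T09:16:40 lane=01 swipe=ok",
		"2008-07-10T09:17:11 lane=03 swipe=fail",
		"2008-07-10T09:17:25 lane=03 swipe=fail",
		"2008-07-10T09:18:03 lane=01 swipe=ok",
		"2008-07-10T09:19:44 lane=03 swipe=ok",
		"2008-07-10T09:20:30 lane=03 swipe=fail",
		"2008-07-10T09:21:05 lane=01 swipe=ok",
		"2008-07-10T09:22:18 lane=03 swipe=fail",
		"2008-07-10T09:23:59 lane=07 swipe=fail",
		"2008-07-10T09:24:10 lane=01 swipe=ok",
		"2008-07-10T09:25:33 lane=03 swipe=ok",
		"2008-07-10T09:26:01 lane=07 swipe=ok",
		"2008-07-10T09:26:30 lane=01 terminal restarted",
	}
)

func main() {
	alerts := append(CheckSerials(SampleRegister, SampleReported), FlagReadFailures(SampleLog, 5, 0.3)...)
	for _, a := range alerts {
		fmt.Printf("ALERT lane=%s %s: %s\n", a.Lane, a.Kind, a.Detail)
	}
}
```

On the sample data this raises a mismatch on lane 03 (the register and the device disagree on the serial), a missing alert on lane 05, an unknown device on lane 09, and a read-failure alert on lane 03 (4 of 6 swipes failed); lane 07 has only two swipes and stays below the minimum sample size until more data arrives. The minimum swipe count matters: a threshold on rate alone would page on every lane's first failed swipe of the day.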
Taken together, these PIN Pad Security Best Practices should significantly reduce the risk of PIN Pad tampering and compromise. These practices are recommended to be followed even with the deployment of PCI approved PIN pads.
Additional information can be found on VeriFone's Retail Payment Security web site at www.secureretailpayments.com. To be added to VeriFone's payment security email list, please send an email to securepayments@verifone.com.

SecureRetailPayments.Com
As new information becomes available or as breaches occur, this site will be updated with the latest information.
If you would like to see information or links added to this web site, please send email to PaymentSecurity@VeriFone.com.

© 2007 All rights reserved. VeriFone, the VeriFone logo, NURIT, Omni, PAYware, Secura, SoftPay, Tranz, Verix, VeriShield, Vx and Xplorer are either trademarks or registered trademarks of VeriFone in the United States and/or other countries. The absence of a product or service name or logo from this list does not constitute a waiver of VeriFone's trademark or other intellectual property rights concerning that name or logo. All other trademarks or brand names are the properties of their respective holders. All features and specifications about VeriFone products and services are subject to change without notice.
