U.S. EMV implementation – www.greensheet.com – 10/10/11 – “Visa Inc.'s recent initiative to increase pressure on U.S. issuers, acquirers, processors and merchants to adopt the Europay/MasterCard/Visa (EMV) smart card system (dubbed chip and PIN in the United Kingdom and elsewhere) makes it a good time to look at what EMV is, what it does and what the coming changes mean to all involved.”
Warning After Card Skimmer Found On Cumbrian Cash Machine – www.newsandstar.co.uk – 10/9/11 – “They have urged people to be vigilant when using ATMs and take care to conceal their PIN. They should also report anything suspicious immediately.”
VA reports records breach – www2.tbo.com – 10/8/11 – “The Department of Veterans Affairs is investigating the "inappropriate removal" from the James A. Haley Veterans' Hospital of records that contain personal information about hundreds of veterans who had received treatment there.”
ATM Crooks Hit Rye Bank – www.theloopny.com – 10/9/11 – “Just slightly more than a week after urging residents to be on guard, Rye police have discovered an ATM card skimmer at a local bank. The skimmer found at the HSBC Bank on Purchase Street is the fifth device of its kind discovered recently in Westchester. Similar illegal set-ups, which also include hidden cameras, have been found at bank machines in Bronxville, Pelham, Yonkers and Poughkeepsie.”
Major credit card scam uncovered – US – english.ruvr.ru – 10/8/11 – “In the United States 85 people have been arrested and 25 are being looked for in a major credit card fraud uncovered by New York police. The suspects, many of them from the former Soviet Union and all members of five local criminal gangs, had their people working at restaurants, hotels and supermarkets using special gadgets to download the clients’ credit card data which was then placed on blanks imported from Russia, Libya, Lebanon, and China. The fraudsters used the fake cards to buy 13 million dollars worth of pricey items across the US”
VeriFone is asking for your vote for the PCI SSC Board of Advisors
The PCI SSC Board of Advisors is open for voting now through April 8. VeriFone is running for a seat and we are asking for your vote.
Those of you who work with us know how serious we are about helping to define good security controls to protect the overall payment infrastructure. Without a strong security solution we ultimately run the risk of undermining the trust of the consumer.
At VeriFone we take our security leadership very seriously. We don’t just join groups for the sake of saying we are members; we expend large amounts of personnel resources and expenses in order to provide our worldwide experience for the improvement of payment security.
In the last two years as a member of the PCI SSC Board of Advisors, VeriFone has demonstrated the commitment and the responsibility that comes with the position. VeriFone has contributed to all updated standards and made every effort to represent the global payment community.
VeriFone also contributed significant resources to the SIG Scoping work groups on Point-to-Point Encryption, Tokenization and EMV and is Chair of the Wireless SIG. VeriFone has also used its position in regional organizations to help align their initiatives with the PCI SSC. Our personnel work closely with regional associations with the benefit of our expertise in the creation of policies, best practices, and standards that meet and exceed the needs of the market. We have taken a leadership role in educating numerous third-party distribution partners. VeriFone is committed to promoting more secure methods of payment and would welcome the opportunity to continue to serve on the PCI SSC Board of Advisors.
We appreciate your vote and support.
Dave Faoro
VP, Payment Security Officer

Leading the Industry - Serving the Industry
Ensuring the security of your entire payment system is as challenging as it is critical to your business. Between the various PED categories—PCI DSS, PABP CISP, SDP, DISC, and DSOP—it is hard to determine not only what requirements apply, but how to meet those requirements.
As the leading payment solution vendor in the world, VeriFone is sponsoring this site to help merchants understand what is required to fully protect cardholder data from compromise.
It is our intent to make this the one place you need to get all of your information about payment security. From best practices documents to webinars and white papers, from recent news articles to industry updates and analysis, and from links to all of the security standards to payment conferences and webinars, VeriFone aims to make SecureRetailPayments.com the one web site you turn to for accurate, helpful information to better run your business and protect your customers' personal information.

VeriFone PIN Pad Security Best Practices
Due to repeated targeting of pre-PED PIN pads and payment terminals, VeriFone has developed a set of PIN Pad Security Best Practices. These best practices first enable a retailer to determine if any existing terminals have been tampered with, and second make tampering much more difficult by implementing a comprehensive set of security controls to prevent tampering and more quickly become aware if tampering has occurred.

VeriShield Protect - The most innovative, comprehensive, and definitive security solution available today.
The potential liability associated with breaches of cardholder data is daunting. The per record cost estimates for a security breach range from around $100 to several hundred dollars per record – meaning a breach could easily result in costs in the millions of dollars. Studies have also indicated that the vast majority of breaches are tied to cash-register and other POS process vulnerabilities. Unfortunately, the number of attempted and successful breaches is increasing, even among those retailers that meet PCI DSS standards and audits. Now there’s a solution that eliminates card information completely from your network by encrypting the data the moment it’s taken from the consumer’s card.
The solution is VeriFone’s VeriShield Protect.

VeriFone Introduces VeriShield Protect: Secures Consumer Card Data Even When Retailer Systems Are Breached
SAN JOSE, CA – April 9, 2008 – VeriFone Holdings, Inc. (NYSE: PAY) today introduced VeriShield Protect, a system designed to thwart continuing criminal efforts to gather unencrypted account holder data via breaches of merchant networks, applications and servers that come in contact with consumer credit and debit card information.

Recent Security Breach Update
Recently there have been news stories about PIN pad tampering and compromised consumer account information. VeriFone wants to assure you that none of its VISA or PCI PED (Payment Card Industry PIN Entry Device) approved terminals were part of the recent tampering stories, and that solutions such as the VeriFone MX800 Series meet all current PCI PED Security Requirements, including tamper prevention and detection. It is our understanding that the recently publicized tampering events were targeted at PIN entry devices that were purchased and installed prior to formal industry data security requirements being in place.

PIN Pad Security Best Practices
The payment industry and card associations adopted PED and PCI PED requirements because of concerns that sophisticated criminal organizations may have the resources to tamper with PED terminals to install a bug and collect private card data. In Pre-PED devices, security features were left to each vendor to determine. The more recently adopted Visa PED and PCI PED requirements provide standardized security features that make tampering progressively more difficult.
We are seeing an increase in criminal organizations targeting the less secure pre-PED terminals by installing bugs to collect private credit card and debit information. In these cases, the criminal organizations are either inserting a bug into an in-place device or obtaining the same terminal model that a retailer uses, installing a bug, and then substituting the tampered device for the retailer's terminals. They then either come back to retrieve these terminals to obtain the stolen information, or in some cases, the tampered terminals send the information to another computer via wireless communications.
Due to repeated targeting of pre-PED PIN Pads and Payment Terminals, VeriFone has developed the following PIN Pad Security Best Practices. These best practices first enable a retailer to determine if any existing terminals have been tampered with, and second make tampering much more difficult by implementing a comprehensive set of security controls to prevent tampering and more quickly become aware if tampering has occurred.
If a retailer does not enact a complete PIN Pad Security program, including PIN Pad Security Best Practices, then they will remain vulnerable to this kind of tampering.
VeriFone recommends all retailers implement the following PIN Pad Security Best Practices immediately.
- Immediately have a visual inspection performed on every device to look for potential signs of tampering. These include anything that does not look normal, such as lack of tamper seals, damaged or altered tamper seals, mismatched keys, missing screws, incorrect keyboard overlays, external wires, holes in the terminal or anything else unusual. If anything out of the ordinary is noticed, stop using the device and disconnect it from the POS terminal or network, but do not power it down. Contact the security officer at the terminal manufacturer to determine the next steps. Continue to perform visual inspections weekly.
- If your terminal contains an electronic serial number, have the electronic serial number compared to the serial number printed on the bottom of the terminal. If these do not match, stop using the device and disconnect it from the POS terminal or network, but do not power it down. Contact the security officer at the terminal manufacturer to determine the next steps.
- Develop a process to monitor devices that consistently do not work properly, such as high mag-stripe read failures or debit card declines. These can be indicators of tampered terminals. Contact the security officer at the terminal manufacturer to determine the next steps.
- Store spare devices under lock and key to prevent unauthorized removal. Incorporate a shift change procedure to validate the inventory of devices at every shift to ensure none have disappeared.
- Institute a procedure to track each instance in which a terminal is replaced within the store, whether from the in-store inventory, by a repair technician, or with units shipped into the store.
- Implement a procedure to require all repair technicians who visit your stores to sign in, verify their identity with photo identification, and remain accompanied by store personnel during any work on PIN pads.
- Review the installation of your PIN pads. They should be mounted on the counter; unplugging cables should require more than turning the unit over; and you may want to consider installing locking stands to prevent unauthorized removal. If you are interested, VeriFone has developed locking stands for the Everest, Omni 7X00 and MX800 Series products. Contact your VeriFone Account Executive for more details.
- If the PIN pad supports electronic serial numbers, implement a scheme to validate the PIN pad serial number every time the POS starts up to ensure the device has not been replaced, and if it has, automatically send an alert. If the device supports Ethernet connectivity, consider implementing a device management solution to track all in-service devices.
- Make sure the password for device access is not the original default password. If it is, have it changed, as default passwords become widely known. Contact your account executive if you need help changing this password.
- Only obtain PIN pads from a manufacturer or manufacturer’s authorized partner. Unauthorized resellers, such as those found online at sites such as eBay, may sell devices that are already compromised, whether intentionally or unwittingly.
- For similar reasons, have your PIN pads repaired at the manufacturer or an authorized manufacturer’s repair center that has completed a TG3 Key Injection audit.
- Develop a response plan before you suspect you have had a terminal breach. Identify the steps you need to take if you suspect a breach. Understand what to do to isolate your payment systems and prevent future loss of sensitive information. Have a list of who needs to be called, including your local law enforcement, your acquiring bank, your processor, your security assessor if you use one, and your payment system vendors. Make sure you have clear assignments for who needs to do what after a suspected attack and how you will respond. Designate one individual to lead this effort.
Taken together, these PIN Pad Security Best Practices should significantly reduce the risk of PIN Pad tampering and compromise. These practices are recommended to be followed even with the deployment of PCI approved PIN pads. Additional information can be found on VeriFone's Retail.
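The start-up serial validation, the electronic-versus-printed serial comparison, and the read-failure monitoring recommended above can be combined into one POS start-up audit. The sketch below is an added example, not VeriFone code: the lane names, serial numbers, thresholds and the `PadReport` structure are all constructed assumptions, and how a POS actually reads a device's electronic serial number is device-specific and not shown.

```python
from dataclasses import dataclass

# Constructed enrollment record: lane -> serial recorded when the PIN pad was installed.
ENROLLED = {"lane-01": "SN-1001", "lane-02": "SN-1002", "lane-03": "SN-1003"}
READ_FAILURE_THRESHOLD = 0.15   # assumed alert level; tune to the store's baseline
MIN_SWIPES = 50                 # assumed minimum traffic before judging a failure rate


@dataclass
class PadReport:
    lane: str
    electronic_serial: str   # serial the device reports to the POS at start-up
    label_serial: str        # serial read off the bottom label at the last inspection
    swipes: int
    read_failures: int


def check_pad(report, enrolled=ENROLLED):
    """Return a list of alert strings for one PIN pad; an empty list means no finding."""
    alerts = []
    expected = enrolled.get(report.lane)
    if expected is None:
        alerts.append(f"{report.lane}: no enrolled serial on file")
    elif report.electronic_serial != expected:
        alerts.append(f"{report.lane}: serial {report.electronic_serial} != enrolled {expected}")
    if report.electronic_serial != report.label_serial:
        alerts.append(f"{report.lane}: electronic and printed serials differ")
    if report.swipes >= MIN_SWIPES and report.read_failures / report.swipes > READ_FAILURE_THRESHOLD:
        alerts.append(f"{report.lane}: mag-stripe read-failure rate above threshold")
    return alerts


def startup_audit(reports, enrolled=ENROLLED):
    """Check every reporting pad and flag enrolled lanes that did not report at all."""
    findings = {r.lane: check_pad(r, enrolled) for r in reports}
    for lane in enrolled.keys() - findings.keys():
        findings[lane] = [f"{lane}: enrolled PIN pad did not report at start-up"]
    return {lane: alerts for lane, alerts in findings.items() if alerts}


# Constructed sample: lane-01 is clean, lane-02 was swapped, lane-03 never reported.
SAMPLE = [
    PadReport("lane-01", "SN-1001", "SN-1001", swipes=400, read_failures=8),
    PadReport("lane-02", "SN-9999", "SN-1002", swipes=120, read_failures=30),
]

if __name__ == "__main__":
    print(startup_audit(SAMPLE))
```

Any lane returned by `startup_audit` should be handled as the practices above describe: stop using the device, disconnect it without powering it down, and contact the manufacturer's security officer.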

SecureRetailPayments.com
As new information becomes available or as breaches occur, this site will be updated with the latest information. If you would like to see information or links added to this website, please send an email to PaymentSecurity@VeriFone.com.

© 2011 All rights reserved. VeriFone, the VeriFone logo, NURIT, Omni, PAYware, Secura, SoftPay, Tranz, Verix, VeriShield, Vx and Xplorer are either trademarks or registered trademarks of VeriFone in the United States and/or other countries. The absence of a product or service name or logo from this list does not constitute a waiver of VeriFone's trademark or other intellectual property rights concerning that name or logo. All other trademarks or brand names are the properties of their respective holders. All features and specifications about VeriFone products and services are subject to change without notice.
