March 9, 2009
Steps to Visa PCI Compliance, Pt.2
Credit card transaction hardware.
When third-party software resellers install and configure POS systems, they are often unaware of the danger of storing track data and other sensitive cardholder data, so they leave this feature enabled during setup. They do not realize the vulnerability this creates for credit card security, so Visa is strongly urging retail owners themselves to question their POS vendors on this point. It is well known that misconfigured POS systems can easily contribute to credit card account compromise, leaving the cardholder exposed.
In addition to not storing unnecessary credit card data in their POS systems, Visa is also pressuring online merchants to encrypt PIN-based and CVV2-based credit card transactions within their POS systems. By July of next year, these actions will become mandatory. The minimum encryption standard is also being raised to the new Triple Data Encryption Standard (Triple DES).
New qualifications are also being imposed on credit card transaction hardware. To protect against PIN skimming, POS devices must undergo an evaluation program at vulnerable POS locations. This program requires that all merchants use fully compliant scanner and keypad entry devices. Hardware laboratories are being set up around the country to ensure that these devices comply with the Triple DES standard in order to be Visa-approved.
The following are some of the guidelines that Visa is recommending to merchants who accept credit cards, in order to protect the most sensitive data such as PINs:
- PCI PIN Security: Maintain full adherence to this standard at all times. Create a plan to make this happen.
- Educate Employees: Designate the employees who have access to POS terminals and have them hold a training certificate. Impress on them their accountability for credit card security, especially where PINs are involved. Have them always be on the alert for POS devices that are missing or have been tampered with. Create a checklist to inventory the devices frequently.