Are you PCI compliant?
The PCI Data Security Standard (PCI DSS) is a set of standards for developing a robust payment card data security process. For those involved in the electronic payment world, its word is gospel. All merchants, large or small, must comply with PCI DSS requirements.
The requirements of PCI DSS are as follows:
1. Do not retain full magnetic stripe, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data
2. Protect stored cardholder data
3. Provide secure authentication features
4. Log payment application activity
5. Develop secure payment applications
6. Protect wireless transmissions
7. Test payment applications to address vulnerabilities
8. Facilitate secure network implementation
9. Cardholder data must never be stored on a server connected to the Internet
10. Facilitate secure remote access to payment application
11. Encrypt sensitive traffic over public networks
12. Encrypt all non-console administrative access
13. Maintain instructional documentation and training programs for customers, resellers, and integrators.
These requirements are raising demand for PCI-compliant hardware, and any PIN Entry Device must be certified to the PCI PTS standards.
However, in the unattended environment, many low-value transactions do not require a PIN, and the number of unattended transactions where a PIN is not required is growing. These include parking transactions under €50, vending transactions under €20, transit and toll payments, and contactless payments such as Visa PayWave and MasterCard PayPass.
In these environments, a fully certified PCI PTS Chip and PIN device is expensive, and a hybrid card reader would do the job at a fraction of the price.
However, to comply with PCI DSS requirements, merchants can no longer rely on a card reader that exposes sensitive cardholder data. The hardware must allow the merchant to meet the demands of PCI DSS.
“OEMs are seeing increasing demand from merchants to ensure that their terminals are ‘PCI Ready’. However, data encryption and key management issues can complicate the sale of unattended terminals and integration into merchants’ payment gateways,” said Steve Poulston, Managing Director, Magtek Europe.
Magtek is one of the companies that designs hardware to allow unattended terminals to be sold as ‘PCI Ready’, removing the complexities of encryption and key management from the OEM. The company’s card readers encrypt the card data using open-standard 3DES/DUKPT encryption from the moment the card is read, so that clear-text cardholder data is never exposed to the terminal; this protects against data theft and internal terminal data breaches.
The companies that lead the way in card data security are the ones that look beyond mere compliance and provide additional card security features. As Bob Russo, General Manager of the PCI DSS, says, “We believe the PCI Security Standards provide a solid foundation for a security strategy to look after your payment and other types of data, but security does not start and end with compliance. Focus on good security and compliance will follow.”