Visa Revokes PCI Approval From Ingenico PIN Pads Following Breach
Written by Evan Schuman

In a move that seems to reflect a very different PCI approach coming from Visa, the world’s largest card brand has ripped the PCI approval from two Ingenico PIN entry devices (PEDs) after a data breach. What makes this move especially interesting is how it undercuts two strongly held Visa positions, both in terms of publishing the names of vendors whose products are engaged in PCI naughtiness and in its position that no PCI-compliant retailer has ever been breached.
Behind all of this commotion are an increasing number of physical attacks against PEDs, sort of “cloners gone wild.” Many of the compromised units are older (a Visa memo said “many are more than 10 years old and were never evaluated by an independent lab or approved by Visa or PCI”), but some were in a Visa pre-PCI phase and some—and here’s where things get interesting—had actually been PCI approved.
(See Walter Conway’s related column: Trust Your Fellow Man, But Not A Tired Store Associate.)
Visa also pointed out that the attacks are quite fast, even with the PCI-compliant pads: “Surveillance footage shows that the suspects in most cases were able to remove and install a POS PED in less than one minute.”
Visa’s memo unmasked the latest naughty devices. In the “untested” category were four VeriFone units (PINpad 101, 201 and 2000 plus the Everest model P003-3xx), two Hypercom units (S7S and S8) and an Ingenico model (eN-Crypt 2400, also known as the C2000 Protégé). In addition, Ingenico had one pre-PCI unit (Ingenico: eN-Crypt 2100). The breached PCI-approved units were both from Ingenico: the i3070MP01 and the i3070EP01.
“As a precaution (and to prevent further deployments), the PCI SSC, in coordination with Ingenico, revoked the approval of these devices,” said the Visa memo, which also repeated anti-skimming advice, including several points that should be followed quite strictly. “Validating the identity of repair technicians. Authorized and validated repair technicians should be escorted and monitored. Periodically weighing the equipment and comparing it to vendors’ specification weight to identify the insertion of bugging devices. Many of these vulnerabilities can be addressed if terminals are deployed with a terminal authentication system. In this case, the host system continuously verifies the PED’s internal serial number and confirms that terminals are online and operating correctly. If a terminal is ever replaced with an unauthorized device (or is unplugged, as would be necessary to execute this attack), the host system would immediately be alerted to tampering.”
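The terminal authentication the memo describes is a host-side check, so it can be shown as one. The following is an added example written for this page, not Visa's, Ingenico's or any acquirer's code: it replays a constructed stream of PED heartbeats against an inventory of which serial is supposed to sit on which lane, and flags the three conditions the memo calls out (a device reporting a serial other than the one deployed, a silence long enough to unplug and swap a pad, and a lane that never comes back), plus the periodic weighing check. Lane names, serial numbers, spec weights, the 30-second heartbeat interval and the timestamps are all hypothetical; real PED heartbeat formats are vendor- and acquirer-specific.

```python
"""Host-side PED terminal-authentication monitor (added example, not vendor code).

Replays constructed heartbeat records and raises tamper alerts for serial
mismatches, heartbeat gaps, offline lanes and weight deviations.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed inventory: lane -> expected PED serial and vendor spec weight.
# Serials and weights are hypothetical placeholders, not real device data.
INVENTORY: Dict[str, dict] = {
    "lane-01": {"serial": "PED-A1B2C3", "weight_g": 420.0},
    "lane-02": {"serial": "PED-D4E5F6", "weight_g": 420.0},
    "lane-03": {"serial": "PED-G7H8I9", "weight_g": 420.0},
}

HEARTBEAT_INTERVAL_S = 30                 # assumed polling interval
MAX_SILENCE_S = 2 * HEARTBEAT_INTERVAL_S  # one missed beat tolerated, then alert
# The memo says a swap takes under a minute, so 60 s of silence is the loosest
# budget that can still catch one; tighten it if the PED and host support it.
WEIGHT_TOLERANCE_G = 5.0                  # scale error and cable strain


@dataclass(frozen=True)
class Heartbeat:
    ts: int        # seconds on a constructed clock
    lane: str
    serial: str    # serial the device reports about itself


@dataclass(frozen=True)
class Alert:
    ts: int
    lane: str
    kind: str
    detail: str


def check_heartbeats(events: List[Heartbeat], now: int,
                     inventory: Dict[str, dict] = INVENTORY) -> List[Alert]:
    """Replay heartbeats up to `now` and return tamper alerts.

    At most one serial_mismatch per lane (first sighting), one heartbeat_gap
    per silence longer than MAX_SILENCE_S, and one offline alert per lane that
    has not reported within MAX_SILENCE_S of `now`.
    """
    alerts: List[Alert] = []
    last_seen: Dict[str, int] = {}
    mismatched: set = set()

    for hb in sorted(events, key=lambda e: e.ts):
        expected = inventory.get(hb.lane)
        if expected is None:
            alerts.append(Alert(hb.ts, hb.lane, "unknown_lane",
                                f"heartbeat from unlisted lane ({hb.serial})"))
            continue
        # A silence long enough to unplug, swap and re-cable the pad.
        prev = last_seen.get(hb.lane)
        if prev is not None and hb.ts - prev > MAX_SILENCE_S:
            alerts.append(Alert(hb.ts, hb.lane, "heartbeat_gap",
                                f"no heartbeat for {hb.ts - prev}s"))
        last_seen[hb.lane] = hb.ts
        # The device that came back is not the one that was deployed.
        if hb.serial != expected["serial"] and hb.lane not in mismatched:
            mismatched.add(hb.lane)
            alerts.append(Alert(hb.ts, hb.lane, "serial_mismatch",
                                f"expected {expected['serial']}, got {hb.serial}"))

    # Lanes that went quiet and never came back.
    for lane in inventory:
        seen = last_seen.get(lane)
        if seen is None or now - seen > MAX_SILENCE_S:
            silent = "never reported" if seen is None else f"silent for {now - seen}s"
            alerts.append(Alert(now, lane, "offline", silent))
    return alerts


def check_weight(lane: str, measured_g: float,
                 inventory: Dict[str, dict] = INVENTORY) -> Optional[Alert]:
    """Compare a periodic physical weighing against the vendor spec weight."""
    delta = measured_g - inventory[lane]["weight_g"]
    if abs(delta) > WEIGHT_TOLERANCE_G:
        return Alert(0, lane, "weight_deviation",
                     f"{delta:+.1f} g vs spec; inspect for inserted hardware")
    return None


def sample_events() -> List[Heartbeat]:
    """Constructed stream: lane-01 healthy, lane-02 swapped after a 150 s
    outage, lane-03 goes silent at t=700."""
    ev = [Heartbeat(t, "lane-01", "PED-A1B2C3") for t in range(10, 1000, 30)]
    ev += [Heartbeat(t, "lane-02", "PED-D4E5F6") for t in range(10, 100, 30)]
    ev += [Heartbeat(t, "lane-02", "PED-ZZ9999") for t in range(220, 1000, 30)]
    ev += [Heartbeat(t, "lane-03", "PED-G7H8I9") for t in range(10, 701, 30)]
    return ev


if __name__ == "__main__":
    for a in check_heartbeats(sample_events(), now=1000):
        print(f"t={a.ts:4d} {a.lane} {a.kind}: {a.detail}")
    w = check_weight("lane-01", 431.5)
    print(w.detail if w else "lane-01 weight within tolerance")
```

Run on the constructed stream, the monitor reports a heartbeat gap and a serial mismatch on lane-02 at t=220 and an offline lane-03, and nothing for the healthy lane. The design choice worth noting is that the serial check alone is not enough: a replacement pad that spoofs the original serial would pass it, which is why the gap detection and the physical weighing are kept as independent signals, and why the silence budget should be tuned below the sub-minute swap time the memo observed.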
But unlike a story we ran earlier this month about Visa’s list of software applications that store prohibited data, this memo was not confidential. It was made public. With the software document, Visa strongly argued against the information being shared with retailers publicly. But this PED list was disclosed voluntarily by Visa. Why the change in attitude? Is telling retailers there are security problems in their environment now considered a good thing?
Perhaps even more intriguing is what this disclosure will do to Visa’s oft-stated position that no PCI-compliant retailer has ever been breached. One of the key elements to being a PCI-compliant chain is housing only PCI-compliant equipment. Will Visa and PCI be issuing a blanket get-out-of-PCI-jail-free card for any merchants who were breached because they relied on a PCI-sanctioned device?
And what’s behind that compliance revocation? Was the device tested improperly? It seems unlikely that no one would have thought to test a PED for a physical skimming attack, which has been a thief favorite for far more than a decade. Did the test not factor in the latest attack’s methodology?
This time, we have to applaud Visa. Its latest memo gets it right on just about every count. It’s public; it explicitly discloses the names and models of the breached devices; it includes concrete advice on preventing this type of attack; and it encourages retailers to quickly move to machines still on the compliant list. The only thing it doesn’t say is that Visa will have a chain’s back if those PCI-approved devices later get breached.
July 1st, 2010 at 4:12 pm
VISA’s latest memo may finally have got it right, but all the previous memos from them and M/C starting in March (when this first came out more publicly) were quite vague and confusing. Yeah, they might have gotten this particular memo right, but you should see what came before it…
Yanking of the certification hasn’t taken into account the lack of availability of alternate compliant solutions. For example, in Canada there are over 200K Ingenico pinpads impacted by this decertification — and this decertification is occurring while many companies were working on having these previously certified pads injected to meet the VISA requirements to move to chip & pin by end of this year. So now everyone is scrambling to find replacements in time to meet chip & pin deadlines, and to meet the PCI requirements — yet the available stock of now compliant devices is probably less than 2% of the demand. Most of the new stock is only arriving from China in small shipments, and those shipments were already ear-marked for customers before the March announcements… many firms are now caught in PCI compliance limbo through no fault of their own.
July 1st, 2010 at 9:25 pm
When will the BS train surrounding PCI pull into the station?
July 5th, 2010 at 11:30 am
“…everyone is scrambling to find replacements in time to meet chip & pin deadlines…”
So by “scrambling”, you mean the 2-3 years that all merchants in Canada have known about chip and PIN requirements for the fall 2010 deadline?
July 5th, 2010 at 12:53 pm
@tim elliot
In a simplistic world, yeah, it probably could have all been done in about 30 seconds. However, in the real world, companies do not change major environments overnight. Many firms were implementing over a longer term because of either budgets, alignment with other plans to expand or change POS environments, or the extent of the efforts required to inject, test, and deploy new pinpads over a geographical territory that spans 5 time zones and has many remote locations.
And the re-injected pads that have now been decertified all now have to be replaced — but there are not sufficient stocks available to do so…
Besides, the move to chip & pin isn’t (only/mainly) about security — it is also about forcing acceptance of the card brand debit cards, card brand loyalty programs, and use of the card brands’ networks with a higher fee structure rather than INTERAC… go do some reading of the fine print and you’ll comprehend what some of the real drivers are…
July 7th, 2010 at 3:43 pm
I’m still amazed that retailers are left footing the bill to secure Visa and M/C’s insecure(able) product!
As a software developer, I have to ensure this so-called “protected” data is never stored, and teach my customers how to securely use their computers…
Meanwhile, the data we’re protecting is in plain sight, embossed on the card. Not to mention, easily copied by a cheap, concealable device. If and when Chip & Pin is mandated (hopefully not, as it’s already been hacked), why do the retailers pay for them? Visa and M/C should be required to reimburse retailers who spend money to shore up the security of their product.
The very idea that a company could be sued by Visa and/or MC because of a data breach is absurd. It’s THEIR design flaw – period.
July 7th, 2010 at 5:14 pm
Is there a re-certification date for PEDs as there is for Payment Applications? I’m wondering what happens when the retailer has to purchase 10,000 new POS devices because one device’s compliance was revoked?