Visa Revokes PCI Approval From Ingenico PIN Pads Following Breach

Written by Evan Schuman
July 1st, 2010

In a move that seems to reflect a very different PCI approach coming from Visa, the world’s largest card brand has ripped the PCI approval from two Ingenico PIN entry devices (PEDs) after a data breach. What makes this move especially interesting is how it undercuts two strongly held Visa positions, both in terms of publishing the names of vendors whose products are engaged in PCI naughtiness and in its position that no PCI-compliant retailer has ever been breached.

Behind all of this commotion are an increasing number of physical attacks against PEDs, sort of “cloners gone wild.” Many of the compromised units are older (a Visa memo said “many are more than 10 years old and were never evaluated by an independent lab or approved by Visa or PCI”), but some were in a Visa pre-PCI phase and some—and here’s where things get interesting—had actually been PCI approved.

(See Walter Conway’s related column: Trust Your Fellow Man, But Not A Tired Store Associate.)

Visa also pointed out that the attacks are quite fast, even with the PCI-compliant pads: “Surveillance footage shows that the suspects in most cases were able to remove and install a POS PED in less than one minute.”

Visa’s memo unmasked the latest naughty devices. In the “untested” category were four VeriFone units (PINpad 101, 201 and 2000 plus the Everest model P003-3xx), two Hypercom units (S7S and S8) and an Ingenico model (eN-Crypt 2400, also known as the C2000 Protégé). In addition, Ingenico had one pre-PCI unit (Ingenico: eN-Crypt 2100). The breached PCI-approved units were both from Ingenico: the i3070MP01 and the i3070EP01.

“As a precaution (and to prevent further deployments), the PCI SSC, in coordination with Ingenico, revoked the approval of these devices,” said the Visa memo, which also repeated anti-skimming advice, including several points that should be followed quite strictly. “Validating the identity of repair technicians. Authorized and validated repair technicians should be escorted and monitored. Periodically weighing the equipment and comparing it to vendors’ specification weight to identify the insertion of bugging devices. Many of these vulnerabilities can be addressed if terminals are deployed with a terminal authentication system. In this case, the host system continuously verifies the PED’s internal serial number and confirms that terminals are online and operating correctly. If a terminal is ever replaced with an unauthorized device (or is unplugged, as would be necessary to execute this attack), the host system would immediately be alerted to tampering.”
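The "terminal authentication system" the memo describes, sketched as host-side monitoring logic: an added example, not code from Visa, Ingenico or the memo. Lane names, serials, specification weights, the offline and weight tolerances and the replayed events are all constructed for the illustration.

```python
# Host-side PED monitor: an added illustration of the "terminal authentication
# system" the Visa memo describes, not Visa's or Ingenico's code. Lanes, serials,
# weights and the replayed events are constructed samples.
from typing import Dict, List, Optional, Tuple
OFFLINE_S = 90        # a PED silent longer than this is treated as unplugged
WEIGHT_TOL_G = 10.0   # inserted skimming hardware adds mass
# Registry: lane -> (serial baked into the PED, vendor specification weight in g)
REGISTRY: Dict[str, Tuple[str, float]] = {"lane-01": ("PED-SN-0001", 480.0),
                                          "lane-02": ("PED-SN-0002", 480.0)}

class PedMonitor:
    def __init__(self) -> None:
        self.last_seen: Dict[str, int] = {}
        self.alerts: List[str] = []
    def _alert(self, msg: str) -> str:
        self.alerts.append(msg)
        return msg
    def heartbeat(self, lane: str, serial: str, ts: int) -> Optional[str]:
        """Check-in from a lane: known lane, registered serial, no unexplained gap."""
        if lane not in REGISTRY:
            return self._alert(f"{lane}: check-in from unregistered lane")
        expected, _ = REGISTRY[lane]
        prev = self.last_seen.get(lane)
        self.last_seen[lane] = ts
        if serial != expected:
            return self._alert(f"{lane}: serial {serial} != {expected} (device swapped)")
        if prev is not None and ts - prev > OFFLINE_S:
            return self._alert(f"{lane}: silent for {ts - prev}s (unplugged)")
        return None
    def sweep(self, now: int) -> List[str]:
        """Run on a timer: flag lanes that have stopped checking in entirely."""
        return [self._alert(f"{lane}: no check-in for {now - ts}s")
                for lane, ts in self.last_seen.items() if now - ts > OFFLINE_S]
    def weight_check(self, lane: str, measured_g: float) -> Optional[str]:
        """Periodic physical check against the vendor's specification weight."""
        _, spec = REGISTRY[lane]
        if abs(measured_g - spec) > WEIGHT_TOL_G:
            return self._alert(f"{lane}: {measured_g}g vs spec {spec}g (inserted hardware?)")
        return None

def run_sample() -> List[str]:
    """Replay constructed events: lane-01 gets swapped, lane-02 gets pulled."""
    m = PedMonitor()
    for lane, serial, ts in [("lane-01", "PED-SN-0001", 0), ("lane-02", "PED-SN-0002", 0),
                             ("lane-01", "PED-SN-0001", 60), ("lane-01", "PED-SN-9999", 120)]:
        m.heartbeat(lane, serial, ts)
    m.sweep(180)
    m.weight_check("lane-01", 535.0)
    return m.alerts
```

The serial check catches the sub-minute swap the surveillance footage shows, and the sweep catches a pad that is unplugged and never plugged back in; the weight check covers hardware inserted into a pad that stays online.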

But unlike a story we ran earlier this month about Visa’s list of software applications that store prohibited data, this memo was not confidential. It was made public. With the software document, Visa strongly argued against the information being shared with retailers publicly. But this PED list was disclosed voluntarily by Visa. Why the change in attitude? Is telling retailers there are security problems in their environment now considered a good thing?

Perhaps even more intriguing is what this disclosure will do to Visa’s oft-stated position that no PCI-compliant retailer has ever been breached. One of the key elements to being a PCI-compliant chain is housing only PCI-compliant equipment. Will Visa and PCI be issuing a blanket get-out-of-PCI-jail-free card for any merchants who were breached because they relied on a PCI-sanctioned device?

And what’s behind that compliance revocation? Was the device tested improperly? It seems unlikely that no one would have thought to test a PED for a physical skimming attack, which has been a thief favorite for far more than a decade. Did the test not factor in the latest attack’s methodology?

This time, we have to applaud Visa. Its latest memo gets it right on just about every count. It’s public; it explicitly discloses the names and models of the breached devices; it includes concrete advice on preventing this type of attack; and it encourages retailers to quickly move to machines still on the compliant list. The only thing it doesn’t say is that Visa will have a chain’s back if those PCI-approved devices later get breached.


6 Comments

  1. Cranston Snoard Says:

    VISA’s latest memo may finally have got it right, but all the previous memos from them and M/C starting in March (when this first came out more publicly) were quite vague and confusing. Yeah, they might have gotten this particular memo right, but you should see what came before it…

    Yanking of the certification hasn’t taken into account the lack of availability of alternate compliant solutions. For example, in Canada there are over 200K Ingenico pinpads impacted by this decertification — and this decertification is occurring while many companies were working on having these previously certified pads injected to meet the VISA requirements to move to chip & pin by end of this year. So now everyone is scrambling to find replacements in time to meet chip & pin deadlines, and to meet the PCI requirements — yet the available stock of now compliant devices is probably less than 2% of the demand. Most of the new stock is only arriving from China in small shipments, and those shipments were already ear-marked for customers before the March announcements… many firms are now caught in PCI compliance limbo through no fault of their own.

  2. Prefect Says:

    When will the BS train surrounding PCI pull into the station?

  3. Tim Elliott Says:

    “…everyone is scrambling to find replacements in time to meet chip & pin deadlines…”

    So by “scrambling”, you mean the 2-3 years that all merchants in Canada have known about chip and PIN requirements for the fall 2010 deadline?

  4. Cranston Snoard Says:

    @Tim Elliott
    In a simplistic world, yeah, it probably could have all been done in about 30 seconds. However, in the real world, companies do not change major environments overnight. Many firms were implementing over a longer term because of either budgets, alignment with other plans to expand or change POS environments, or the extent of the efforts required to inject, test, and deploy new pinpads over a geographical territory that spans 5 time zones and has many remote locations.

    And the re-injected pads that have now been decertified all now have to be replaced — but there are not sufficient stocks available to do so…

    Besides, the move to chip & pin isn’t about (only/mainly) security — it is also about forcing acceptance of the card brand debit cards, card brand loyalty programs, and use of the card brands’ networks with a higher fee structure rather than INTERAC… go do some reading of the fine print and you’ll comprehend what some of the real drivers are…

  5. M. Dunn Says:

    I’m still amazed that retailers are left footing the bill to secure Visa and M/C’s insecure(able) product!

    As a software developer, I have to ensure this so-called “protected” data is never stored, and teach my customers how to securely use their computers…

    Meanwhile, the data we’re protecting is in plain sight, embossed on the card. Not to mention, easily copied by a cheap, concealable device. If and when Chip & Pin is mandated (hopefully not, as it’s already been hacked), why do the retailers pay for them? Visa and M/C should be required to reimburse retailers who spend money to shore up the security of their product.

    The very idea that a company could be sued by Visa and/or MC because of a data breach is absurd. It’s THEIR design flaw – period.

  6. Tim K Says:

    Is there a re-certification date for PEDs as there is for Payment Applications? I’m wondering what happens when the retailer has to purchase 10,000 new POS devices because one of the devices’ compliance was revoked?

