
October 2009 Countdown to Compliance. 2 Introduction This presentation is geared to merchant...

Date post: 08-Jan-2018
Upload: elvin-wiggins

October 2009 Countdown to Compliance

2 Introduction
This presentation is geared to merchant acquirers and ISOs in the financial services industry that sell to small to mid-sized merchants.
It is not designed for:
- Petroleum
- ISVs
- Multi-lane retailers
- VARs
- Transportation
- Retail Banking
If you're in the petroleum space visit:
If you're in the multi-lane retail space visit:

3 Agenda
- Breach Concerns
- What is PCI PED?
- Sample Scenarios
- VeriFone's PCI PED Campaign
- Vx Solutions and MX Solutions Overview
- Q&A

4 Why worry about a Breach?
- Industry research indicates that many merchants do not know much about security
- In fact, Visa research indicates that compliance was lowest among level 4 merchants
- According to industry research by Verizon, 81 percent of the organizations that experienced a breach were not Payment Card Industry (PCI) compliant; 75 percent of the breaches it investigated involved the retail (31 percent), financial services (30 percent) and food & beverage (14 percent) industries
- More than 80% of breaches since 2005 have happened at small merchants
- You only hear about the bigger breaches, but smaller ones occur every day

5 Security Breaches In The News

6 What is PCI PED?
PCI PED requirements are primarily concerned with device characteristics impacting the security of the PIN Entry Device used by the cardholder during a financial transaction. These rules are to protect the consumer from fraud. There are two factors involved in PCI PED requirements.
- Device characteristics: the physical and logical security characteristics of the device that deter a physical attack on the device, for example, the penetration of the device to determine its key(s) or to plant a PIN-disclosing bug within it, or allowing the device to output a clear-text PIN-encryption key
- Device management: considers how the PED is produced, controlled, transported, stored, and used throughout its lifecycle
- The deadline to remove PCI PED never approved devices from the market is July 1,
- Most of these devices were manufactured before 2004
- Visa has issued a tentative removal date of Dec 2014 for all Visa PED approved devices

7 PED Approval Recap
- Manufacturers MUST NOT place for PIN after December 2007
- And must be removed by December 2014
- Merchants/Retailers Must Stop PIN use by July 2010
- Never Approved
- Visa PED Approved
- PCI PED Approved
- Manufacturers MUST place for PIN entry after 12/2007

8 Timeline

9 Impact to the Retailer/Merchant
There has been much confusion over the impact to a retailer who does not meet the Visa July 1, 2010 mandates for payment security. To review, there are three different mandates from Visa that must be met by US merchants by July 1, These are:
- All never approved payment devices on which PIN debit transactions are conducted must be removed from service. This includes any terminal that is not either VISA PED or PCI PED.
- All debit card PINs must be encrypted in TDES from the payment device
- All applications that store, process, or transmit cardholder information must be PA-DSS or PABP compliant

10 Key Dates
Visa has chosen to implement the following regulations in order to transition to PCI PED compliance:
- October 1, 2009: Acquirers must submit to Visa a summary TDES compliance status report and plan to achieve full compliance for sponsored attended POS activity
- July 1, 2010: All never approved devices must be removed from service
- July 1, 2010: If there is a breach of a never approved device after July 1, 2010, liability for the breach transfers from the issuer to the acquirer and the merchant.
- August 1, 2012: Acquirers may be assessed fines for sponsoring any non-TDES compliant merchants or agents

11 How do I upgrade my merchants?
- Replace never approved devices with higher-functioning devices
- Add a compliant PCI PED approved PIN Pad like the PP1000SE
- Use this opportunity as a way to add value to replace the older device
- Value added applications
  - Gift card
  - Loyalty
  - PIN debit
- Faster devices
- Pay at the point of service

12 How to Upgrade Your Merchant - Sample Scenario
Type of Retailer: Sports Memorabilia Vendor in Mall
Scenario:
- Tim owns a sports memorabilia store in a busy mall.
- Accepting electronic payments for many years using an Omni 3210 countertop device
- Being able to accept credit and debit cards is a major plus for his business.
Challenge:
- Has heard about more stringent security requirements which affect his Omni
- He calls his ISO rep, who refers him to VeriFone's PCI PED landing page, where he finds a wealth of knowledge and easy to understand materials.
- He also realizes that technology has come a long way and decides that it's time to upgrade to a wireless device to eliminate the expense of his phone line.

13 Achieve Compliance with the Vx 510 GPRS
Solution: Upgrade to a higher functioning and PCI PED compliant Vx 510 GPRS for faster transactions and more flexibility
- Tim now has the peace of mind knowing that his Vx 510 GPRS is compliant with the latest security requirements.
- Also has the added benefits of faster transactions and a mobile device
- The Vx 510 GPRS accepts payments anywhere there is a power source, which is great when Tim visits fairs or sets up a mall kiosk.
- He no longer needs to pay for an extra phone or DSL line, which saves him additional money.
- The ability to accept PIN debit is another plus, since debit transactions mean lower overall transaction costs for his business.

14 Merchant Scenario #2
Type of Retailer: Jewelry Store
Scenario:
- Susie owns a successful jewelry store
- Accepting electronic payments for many years using a NURIT countertop device
- Being able to accept credit is a major plus for her business, since most jewelry purchases are rather expensive.
Challenge:
- She has heard about more stringent security requirements which affect her NURIT but is not concerned, since she does not accept PIN debit
- After doing some research she realizes that by offering PIN debit to her customers, she could be saving money due to the lower transaction fees.
- Plus she's noticed that more people are using their debit cards due to the current economic conditions.

15 Merchant Scenario #2 - Conclusion
Solution: Susie decides to upgrade to the Vx 670 portable device
- It can be used anywhere in the store: customers can pay right where they make their jewelry selection and do not have to walk across the store floor.
- Customers can complete their own transactions and do not have to give up their credit card, which gives them peace of mind
- Susie has all the benefits of a portable device, which comes in handy when she visits jewelry shows and fairs
- Ability to accept PIN debit, which means lower overall transaction costs.

16 Feature Expansion + Value
Multiple Reasons to Focus on Latest Products
- Higher Value (More Bang for the Buck)
- Lower Cost of Ownership & Reliability
- Portability
- Taking payment to the Point of Service
- Customer Stickiness + Features
- Multiple application support
- Performance & Speed

17 Shift to Newer Technology
Now Is The Time To Upgrade Your Merchants To A Higher Functioning Device
- Usability & Security
- Design Focused
- Speed & IP Performance

18 Pro-Actively Promote Security
- Educate against unsecure devices for transactions
- Secure terminals, even if no PIN
- Replace never approved devices before July 2010
- Promote new PCI PED approved devices
- Promote End-to-End Data Encryption
- VeriShield Protect
www.verifone.com/security

19 VeriFone's Position
- Created the PCI PED upgrade program to help our partners to remove never approved PIN pads and devices out of the market
- We want to help you leverage the opportunity to move merchants to a new VeriFone product (and even upgrade to a higher functioning device) and replace the old
- We believe at this phase, education is crucial

20 Campaign Overview
- The expired parking meter is our theme graphic and will be a graphic element on materials
- Program started July 2009
- Education very important since topic is complex
- Creating Acquirer and Merchant specific information

21 Advertising Support
Trade publication advertising for several months will support this campaign

22 Acquirer Collateral
- White Paper
- Flyer
- FAQs
- How to upsell your merchants
- Tool Kit (Interactive PDF)
- Product Upgrade Chart
All materials are available on the landing page
And exclusive tools at the VeriFone Zone

23 Merchant Collateral
- Merchant Educational Package: easy to understand overview, product charts, frequently asked questions, additional resources
- Merchant Flyer: one page sheets with key dates and deadlines
- Online Resources: PCI Security Council, Merchant SAQ
www.verifone.com/pciped (Merchant Tab)

24 PCI PED Landing Page
- Breach Calculator
- Countdown clock
- Collateral
- White Paper
- Product Upgrade Chart

25 Breach Calculator

26 PCI PED Compliance Chart
This chart applies to countertop and mobile merchants

27 PCI PED Compliance Chart
This chart applies to multi-lane retail devices

28 More Tools at
- All the tools presented here today are available for download at the VeriFone Zone (www.verifonezone.com)
- There is a chart for all VeriFone products that are never approved and PCI PED approved, as well as the recommended upgrade
- This piece is only available at the Zone

29 Vx Solutions - A Platform for Now and for the Future
- Delivering
- Lower cost of sales, ownership and support
- Easy to understand up-sell strategy
- Opens new markets with little investment
- Complete line of products and solutions
- Compatibility
- Consistent user interface
- Consistent software base
- Consistent support needs
- PA DSS accepted applications
- PCI PED approved
- Part of a complete end-to-end encryption
- Security
- Performance
- High-speed processor
- Multi-application capabilities
- Many connectivity options

30 Compatibility Broadens Your Offering
- Consistency across form factors offers complete line of solutions for all market segments and customer needs
- Single function, multi-application
- Fixed, transportable, portable
- Customer facing, clerk facing
- More certifications than any other hardware provider make selling, installing, supporting, and expanding simpler

31 MX Family, Solutions for Multi-Lane Retailers
- Offer a lower cost of ownership
- Customer facing payment solutions
- All built on a common, secure platform
- All run the same applications
- Share consistent user interfaces
- All are PCI PED approved
- Interchangeable and field-upgradable modules future-proof your investment

32 PIN Pad 1000SE
- Number one selling PIN pad in the industry!
- Easy to use PIN debit entry
- PCI PED approved to meet the latest standards for secure PIN entry
- Future-proof payment solution, fully updatable and compatible
- Provides the best protection against fraud for merchants and consumers
- USB option provides another way to connect to a PC software program, which minimizes cabling and countertop clutter

33 Additional Resources
- PCI PED website: https://www.pcisecuritystandards.org/security_standards/ped/index.shtml
- PCI PED list of approved devices: https://www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html
- VeriFone Security Page
- Secure Retail Payments: http://www.verifone.com/industry-solutions/retail/payment-trends--security/secureretailpaymentscom.aspx
- Visa

34 Questions?
We want your feedback, please complete the poll at
Download this presentation and the recording at
Q&A Session

