Saturday, September 21, 2024

An Extension of Security Rules to Unattended Terminals Could Be Costly

The PCI Security Standards Council this week said it would extend the reach of its rules for PIN-entry devices (PEDs) to cover unattended payment terminals such as pay-at-the-pump gasoline dispensers, kiosks, and vending machines. The extension also affects devices called hardware or host security modules (HSMs), which are secure cryptographic devices that can be used for translating PINs, card personalization, electronic commerce, or data protection and do not include any type of cardholder interface. HSMs typically reside at merchant-acquirer locations.

The PCI Council hasn't yet set a deadline for when the PED extensions will take effect, but it expects to publish requests for comment this month and come out with more details later this year, according to a spokesperson for the Wakefield, Mass.-based body that administers the Payment Card Industry data-security standard. Payment security technology consultant David Taylor, founder of Stamford, Conn.-based PCI Knowledge Base, says executives from oil companies and convenience-store chains that he has talked with recently expect the standards to take effect in 2010. “It's a real serious mandate,” says Taylor.

The PED rules are specifically tailored security standards for the hardware and software that process the PINs customers enter into ATMs and debit card-accepting point-of-sale terminals. The PCI Council took over administration of PIN-entry security standards from the card networks Visa Inc., MasterCard Inc., and JCB last September. But full extension of PED security to all hardware and software that processes PINs has been a gradual process, Taylor notes. According to Taylor, automated fuel dispensers tend to have a low level of PCI compliance, in large part because they are complicated pieces of machinery with payment-card acceptance being just one of their functions. And until now, the card networks, which enforce the PCI rules, haven't given the devices high priority because few pumps have Internet connections that create opportunities for hackers. “With the risk relatively low, compliance has been allowed to be relatively low, but this is changing,” he says.

Getting fuel dispensers to meet PED standards could be a costly affair, depending on whether both hardware and software changes are needed. A software upgrade alone could cost as little as $50 to $100 per device, but Taylor says oil and c-store executives foresee total costs of $1,000 to $1,500 to retrofit an existing fuel dispenser. Spokespersons for two big fuel-pump manufacturers, Dresser Inc. and Gilbarco Veeder-Root, did not return Digital Transactions News calls for comment.

Meanwhile, USA Technologies Inc., the Malvern, Pa.-based provider of the ePort line of contactless and magnetic-stripe card readers for vending machines, expects no changes to its operations because of the coming PED standards. “We don't have a PED issue because we don't do PIN debit,” says Bruce Shirey, vice president of ePort services. He adds, however, “our whole back end is under PCI DSS compliance.”

The PCI spokesperson says the extension of the PED rules to unattended devices reflects the growing number of locations and devices that accept payment cards. As part of the extension, PED systems to be used in unattended terminals and HSMs must be tested by approved laboratories. And as it does with other classes of hardware and software vendors, the PCI Council will maintain a list of approved unattended payment devices and HSMs.


Digital Transactions