Key MasterCard Deadline Nears for Wireless and IP Terminal Security

A major deadline set by MasterCard Worldwide to enhance the security of transactions originating at wireless and Internet Protocol point-of-sale payment terminals is approaching, but some in the industry say many firms that could be affected aren't paying attention. On Sept. 1, Purchase, N.Y.-based MasterCard will require that newly-installed wireless and IP terminals, including replacements, support encryption between the terminal and the merchant acquirer's host system using MasterCard-approved standards. Another big deadline comes Jan. 3, when MasterCard says all wireless and IP terminals deployed before Sept. 1 must be upgraded to support encryption. MasterCard launched the program last October with a security bulletin to its membership. But, in contrast to initiatives such as the Payment Card Industry data-security standard (PCI), a set of rules supported by all of the general-purpose card networks, MasterCard's wireless/IP program seems to have attracted little notice?so little that a software executive gave a presentation about it last week at the MidWest Acquirers Association annual conference in Chicago in hopes of building awareness among independent sales organizations, processors, and others in the acquiring community. “I'm of the general opinion that this isn't getting the kind of attention that it needs,” says the executive, Bill Clark, senior vice president of sales and marketing at Scottsdale, Ariz.-based Apriva, a wireless-applications developer. Merchant acquirers are responsible for implementing the program, but terminal-software and hardware makers, transaction gateways, and third-party processors all could be affected. A MasterCard spokesperson did not respond to Digital Transactions News inquiries this week. But the October bulletin notes that IP-enabled terminals are gaining popularity because of their “always-on” features, low communication costs, and easy integration with merchants' local area networks (LANs). But MasterCard also said such terminals are subject to various forms of attack that could compromise data. Risk can be compounded if IP terminals use such wide-area wireless technologies as general packet radio service (GPRS), code division multiple access (CDMA), and so-called third-generation (3G) systems, according to the bulletin. “A lot of these transactions run on public networks,” notes Clark, adding that while wireless and IP transactions generally are secure, encryption gaps do occur. And, according to Clark, a close reading of the bulletin shows that encryption is just one part of the standards. MasterCard also is looking to enhance authentication, reduce so-called repudiation to ensure that data really were sent during a transaction, ensure that data can't be modified without being detected, and also that data not be recorded and played back. “It's not that current systems aren't secure; they [MasterCard] are simply raising the bar,” Clark says. While Apriva estimates there are only about 150,000 wireless terminals in the U.S., their numbers are growing rapidly with the expansion of card payments in quick-service restaurants, stadiums, and other venues. One reason for low awareness of the standards may be that MasterCard isn't imposing fines for non-compliance. But one processing executive at the Chicago conference said that a data compromise traced to a non-compliant terminal could be subject to fines under PCI. The bank card associations levy such fines on acquirers, which could pass them on to the merchant or other liable party. MasterCard on April 1 began requiring acquirers to submit newly deployed wireless and IP terminals for compliance testing. That includes the software in the box, according to Clark. A MasterCard-endorsed testing firm is reviewing Apriva's software that runs in the Lipman Nurit 8000 mobile terminal, he says. Clark doesn't have an estimate on how much Apriva has spent to meet the standards, but says “it's been a significant focus for us this year.” Apriva currently is not charging clients for the compliance costs.