PED standard compliance critical in SA market

The Payment Card Industry (PCI) - a joint initiative between Visa and MasterCard for securing PEDs (PIN entry devices) - released specifications for POS (point-of-sale) devices late last year. Specifications and compliance dates applicable to ATMs are soon to follow.

When they do, says Benjamin Schaefer, Product Manager at Prism Holdings, a JSE-listed trusted-transactions company, there will be significant benefits to local banks, merchants and consumers, who are hard pressed by unscrupulous criminals who make a career out of payment card fraud and theft.

He adds that existing POS devices will have to be replaced by 2010, which should not be an issue due to the generally accepted attrition cycle of seven years.

So what is PED and how does it differ from EMV, the payment card security standard, which has been making headlines around the world for several years?

"PCI PED and EMV are inextricably linked. Both were introduced to minimise the risk profile inherent in card transactions," says Schaefer.

EMV Level 1 certification focuses on the hardware used to read the card; EMV Level 2 certification focuses on ensuring that the correct business rules are applied to the data made available from the card.

"However, with the EMV technology in place and with most EMV transactions requiring a PIN to accompany card usage, the only obvious avenue for criminals to commit fraud is to obtain both the victim's PIN and the card. PINs are most commonly obtained through observation or under duress, while cards are typically swapped, pick-pocketed or taken under duress," he explains.

One of the most sophisticated - and common - ways in which thieves obtain a victim's PIN is to install a tiny video camera above an ATM's PINpad. It's also not uncommon for thieves to tamper with an ATM to make it appear as if it has 'swallowed' the victim's card, and then later retrieve it.

"PED specifications address this level of security," Schaefer says. "For example, the issue of PIN observation is tackled through specific design recommendations that mandate the manufacturer provides 'a means to deter the visual observation of PIN values'. This requirement can be achieved by using a privacy shield, a body block or limiting the viewing angle through design, with a polarising filter or a recessed PINpad."

How secure will PED specifications make ATMs or POS devices?

Schaefer points out that in cryptographic terms, no system is ever regarded as infallible, merely very strong - and no algorithm is regarded as impossible to crack, but rather not cost-effective to crack in a timely manner with foreseeable technology advances (based on Moore's Law that processing power doubles every 18 months).

"So EMV makes reference to strong encryption, not infallible encryption and PCI PED does not make absolute references to enforcing security, but refers to the amount of money required to circumvent this security," he explains.

One of the major benefits of an EMV card is that if the algorithm is cracked and the keys are known, the criminal will only be able to create one EMV card to access one account. The technology and time required to achieve this is deemed high enough to not make this venture profitable to a criminal.

In the same vein, PCI PED mandates that a PED should, in addition to being tamper evident, be tamper responsive and on detecting a tamper event should immediately erase all sensitive data within it. PCI PED goes further in stipulating that the level of protection should be such that it should cost a criminal more than $25 000 per PED to circumvent these mechanisms.

"However, consumers must remember that no system is totally secure in the face of unscrupulous and extremely resourceful criminals," stresses Schaefer.

"So, even with EMV, PED and related technologies securing transactions, consumers must remain vigilant when using their cards," he concludes.

Prism Holdings

JSE-listed Prism Holdings Limited is a leader in the field of secure electronic transaction technologies and services. The group has a strong presence in SA and an established and expanding footprint across Africa and South-East Asia. Prism's head office is located in Johannesburg, and the group has a regional office in Kuala Lumpur, Malaysia.

Prism has a proven track record in the delivery of trusted transaction technologies and end-to-end solutions for the retail, utilities, banking, cellular and petroleum industries. The group has developed and implemented innovative transaction and payment-centric intellectual property that bridges the following technologies:

* Chip cards including SIM cards, financial smart cards and prepaid telephone cards.
* Point-of-sale frameworks, applications and devices.
* OEM transaction modules including PINpads, card readers and outside payment terminals.
* Transaction security modules and servers and trusted centre solutions.
* In-store and forecourt payment servers, wireless application messaging gateways and value-added-services gateways.
* End-to-end secure electronic payment architectures for wired and wireless networks.

Editorial contacts

Nonhlanhla Xaba
Prism Holdings Limited
(011) 804 4900
nonhlanhla.xaba@citigatesa.com
Benjamin Schaefer
Prism Holdings Limited
(011) 548 1000