Visa hosted a webinar to clarify its PIN pad data encryption policy on Sept 9 led by Ross Snailer and Stoddard Lambertson of Visa’s Payment Risk team, NACS reported.
According to Visa, all attended POS terminals and kiosks must be Triple DES (TDES) compliant by July 1, 2010, but fines to acquirers will not begin until Aug. 1, 2012.
This announcement gives retailers more time to adapt to the TDES POS mandates. Still, retailers who want to continue accepting PIN debit inside the store must upgrade their POS terminals, and the sooner they get started, the better.
“If a retailer was looking for the ‘drop dead’ date for upgrading POS to TDES, Aug. 2012 is it, but I recommend taking a sooner, rather than later approach,” said Michael Davis, NACS vice president of member services. “The popularity of PIN debit with consumers looking to protect their data and get away from living on credit makes upgrading POS a no-brainer. It’s usually less than $500 per POS to serve this consumer segment.”
In addition, Visa reiterated that fuel dispenser terminal PIN pads will not have to be TDES compliant by the July 2010 date, but must be at least Single DES (SDES) Derived Unique Key per Transaction (DUKPT) by that date.
Additionally, Visa stated that there is no “lights on” mandated date for TDES beyond the July 2010 date for SDES DUKPT or TDES, but noted that retailers would be liable for any breach related to using non-TDES technology after this date.
Visa will be monitoring the deployment of TDES during the next few quarters before it sets a TDES-only date.
“This is huge for our retailers, as many have expressed their inability to financially swallow PCI compliance, which costs an average location $20,000, and upgrading dispensers to TDES at an average cost of $3,000 per dispenser,” Davis said. “Our average site operator made $40,000 pre-tax last year. For them to invest in all mandates this year means operating at break-even. This allows retailers to take the more cost-effective approach of installing TDES-capable PIN pads during pump upgrade cycles, rather than a blitz.”
According to NACS surveys, many retailers planned to shut off PIN debit at the fuel island and process debit transactions as “signature” debit transactions if forced to choose between upgrading and not upgrading.
“Our analysis of card costs has shown that signature debit, while much less secure for our customers, is now the same cost as PIN debit, but without the cost of having to upgrade PIN pads,” said Gray Taylor, payments consultant to NACS. “We are concerned that PIN debit interchange, which has risen an average of 15% on a compounded basis since 1996, will price itself out of our market, and shift significant transaction share to Visa and MasterCard while eliminating access to new payment card concepts that bring competition to the card payment market. Of course, if the latest Maestro PIN debit interchange hike (78%) is any indication, EFT networks will price themselves out of our market without the TDES mandate.”
Since early this decade, Visa has published data security standards so that PIN pad manufacturers design and build PIN pads to at least a minimum standard of security. These requirements have evolved to the point where Visa will, in the future, certify PIN pads for operation on all Visa networks (VisaNet and Interlink).
Visa noted that, globally, standards bodies no longer recognize older PIN entry encryption standards such as Master/Session and, more recently, single DES (SDES) as sufficiently secure. Global bodies such as the International Organization for Standardization (ISO) and the American National Standards Institute (ANSI) have adopted triple DES (TDES) PIN pads as the new standard.