Visa and MasterCard together form the Payment Card Industry (PCI) body responsible for securing PEDs (PIN entry devices). Late last year, the PCI released specifications for POS (point-of-sale) devices. PCI PED (Payment Card Industry PIN Entry Device) is therefore a card association mandate, and it now takes effect for all new credit card processing terminals.
PCI
PCI, comprising a common set of industry tools and measurements to ensure safe handling of sensitive information and improve cardholders' confidence, is the result of the combined efforts of the major credit card associations. Conformance to these new standards is important. All big brands that produce credit card terminals, such as Hypercom, VeriFone et al., must subject their new products to rigorous security certification by Visa/MasterCard PCI-approved laboratories.
PCI PED (Payment Card Industry PIN Entry Device)
PCI PED is one of the several types of security under the PCI umbrella, and is an industry-changing mandate. This updated requirement is aimed at manufacturers that sell PIN pads and terminals with internal PIN pads, and sets technical specifications for them. It is a standard testing process that aims to unify the rules across the PCI members (Visa, MasterCard and JCB), improving cardholder security and providing faster time-to-market for financial institutions. With this new standard in place, there will be better control over how terminals process transactions.
After December 31, 2007, device manufacturers are no longer authorized to sell Visa PED approved PIN entry devices for PIN-based transactions. From January 1, 2008, all PIN entry devices sold must be PCI PED approved. However, no date has yet been declared for the removal from operation of Visa PED approved devices. Noncompliance could result in losses, and card reissuing costs could be passed on to the retailer in the event of a PIN compromise. Penalties may include revocation of merchant service agreements.
How secure will the PED specifications make POS devices? Simply put, no system is ever regarded as infallible, merely very strong. PCI PED may not be impossible to crack, but doing so would be a process that is not at all cost-effective and is also very time-consuming. Given these facts, and that there will be technological advances in the meantime, PCI PED does not define security in absolute terms; instead it refers to the amount of money required to circumvent that security.
PCI PED mandates that a PED should not only be tamper evident, but tamper responsive. On detecting a tamper event, the device should instantaneously delete all critical information within it. PCI PED goes further in stipulating that the level of protection should be such that it costs a criminal more than $25,000 per PED to circumvent these mechanisms.
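The tamper-responsive behaviour described above, as an added illustration that is not part of the original article and not any vendor's firmware: a constructed PED key store holding sample keys, a tamper handler that zeroizes every key byte through a volatile pointer (so the compiler cannot optimize the wipe away as a dead store), and a check that confirms nothing survived. The sensor mask, key names and key lengths are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_LEN 16 /* assumed key size for the example */

/* Constructed key store standing in for a PED's secure memory. */
typedef struct {
    uint8_t pin_key[KEY_LEN]; /* hypothetical PIN encryption key */
    uint8_t mac_key[KEY_LEN]; /* hypothetical message authentication key */
    int armed;                /* 1 while keys are loaded and usable */
} ped_keystore_t;

/* Zeroization the optimizer must not elide: every write goes through
 * a volatile pointer, so the stores are observable side effects. */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Load constructed, non-secret sample key material. */
void ped_load_keys(ped_keystore_t *ks) {
    for (size_t i = 0; i < KEY_LEN; i++) {
        ks->pin_key[i] = (uint8_t)(0xA0 + i); /* constructed sample bytes */
        ks->mac_key[i] = (uint8_t)(0x50 + i); /* constructed sample bytes */
    }
    ks->armed = 1;
}

/* Tamper event handler: wipe all critical material before doing anything else. */
void ped_on_tamper(ped_keystore_t *ks) {
    secure_zero(ks->pin_key, KEY_LEN);
    secure_zero(ks->mac_key, KEY_LEN);
    ks->armed = 0;
}

/* Constant-time check that no key byte survived. Returns 1 if fully wiped. */
int ped_is_wiped(const ped_keystore_t *ks) {
    uint8_t acc = 0;
    for (size_t i = 0; i < KEY_LEN; i++) {
        acc |= ks->pin_key[i];
        acc |= ks->mac_key[i];
    }
    return acc == 0 && ks->armed == 0;
}

/* Poll the (assumed) tamper sensors: any set bit in the mask means a
 * case switch, mesh or probe sensor fired. Returns 1 if keys were wiped. */
int ped_poll_sensors(ped_keystore_t *ks, uint8_t sensor_mask) {
    if (sensor_mask != 0) {
        ped_on_tamper(ks);
        return 1;
    }
    return 0;
}

/* Scenario: no sensor fires, keys must remain loaded. Returns 1 on success. */
int demo_no_tamper_keeps_keys(void) {
    ped_keystore_t ks;
    ped_load_keys(&ks);
    int wiped = ped_poll_sensors(&ks, 0x00);
    return wiped == 0 && ks.armed == 1 && ped_is_wiped(&ks) == 0;
}

/* Scenario: one sensor fires, every key byte must be gone. Returns 1 on success. */
int demo_tamper_wipes_keys(void) {
    ped_keystore_t ks;
    ped_load_keys(&ks);
    int wiped = ped_poll_sensors(&ks, 0x02); /* constructed: case switch opened */
    return wiped == 1 && ped_is_wiped(&ks) == 1;
}
```

A plain `memset` before the key store goes out of scope is exactly the store a compiler is entitled to drop; the volatile write loop is the portable way to keep the wipe, and the accumulate-then-compare check avoids an early exit that would leak how many bytes were still set.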
PCI PED has been introduced to minimize the risk profile inherent in card transactions. Several noteworthy terminals that do not comply with the new PCI PED are going to be discontinued. Merchants who don't use the internal PIN pad for PIN debit processing have nothing to worry about.