pin pad best practices webinar

1. PIN Pad Best PracticesWebinar Jeff Wakefield Vice President of Marketing Integrated Systems VeriFone February 26, 2007

3. Introduction Recent PIN Pad Tampering Disclosures Have Not Involved VISA PED Approved Terminals PCI PED Approved Terminals VeriFone�s Current Integrated PIN Pad Offering is Secure PIN Pad 1000SE SC5000 PIN Pad Everest Plus OMNI 7000 OMNI 7100 MX800 Series

4. Security Breaches Continue��.

5. And the Industry Remains Unprepared As of December 12, 2006: 1,200 Level 1 & 2 Merchants Process Minimum of 1 Million Transactions Per Year Only 36% of Level 1 Merchants Are Compliant Only 15% of Level 2 Merchants Are Compliant

6. State of Payment Industry Security The Problems: Organized Crime has Learned to Hack Taking Advantage of Security Deficiencies Using the Internet to Mask their Activity Lack of Detection provides 6-8 Month Edge Hack to Distribution Time is Decreasing Recent Case: 1 Day from Hack to Over $200K Deep Understanding of POS Systems Focus on Track Data and ATM PINs Operate in Multi Countries Simultaneously Websites with Tools & POS Information Wide Availability of �Unapproved� PIN Pads Penalties Less Severe Than Other Profitable Crimes Like Drugs

7. The Problems: Security Standards are Still Propagating Small Merchant Population Still Unaware Integrators Lack Security Know-How Many Non-Compliant POS Systems Still Exist New Effort for Payment Application Developers Achieving Compliance can be costly �Unapproved� PIN Pad Terminals are Still Deployed Security is only as strong as the weakest link in the chain State of Payment Industry Security

8. Street Prices Of Card Information

9. How Are Bugs Installed? PIN Pads Purchased on the Used Market, or PIN Pads Removed from Retailer Location Bugs Are Inserted PIN Pads Re-installed at Retailer Location

10. How is Compromised Data Recovered?

11. Current Payment Security Standards PED, VISA PED, PCI PED Applies to the Payment Terminal Only PIN Security Program Applies to end to end management and encryption of keys PCI DSS Applies to the Retailer�s Entire System VISA CISP, MasterCard SDP, Amex DSOP, Discover DISC Applies to the Entire System Requires PCI DSS PABP Applies to purchased software applications Not Currently Required for PCI DSS or Association Standards Required By Some Acquirers

12. PIN Entry Devices Currently there are three types PIN Entry Devices (PED) in use Non-Approved Devices (Pre 2004) VISA PED Approved Devices (2003 � 2006) PCI PED Approved Devices (2006 onwards) Two Other Categories EPP � Encrypting PIN PAD Modules Used in Self Service Devices Kiosks, Gas Pumps, Ticketing Machines, etc. ATM � Automated Teller Machines The Major Card Associations Support the Same Requirements

13. Non-Approved PIN Entry Devices These devices have never been tested Examples: Omni 490, Everest (*) Manufacture�s Can Not Sell After September 30, 2004 Retailer�s Must Remove From Service By June 30, 2010 Penalty For Non-Compliance Acquirers not covered in the event of a PIN Compromise Loss & Card Reissue Costs Likely to be Passed to Retailer Liable for Penalties per Association Operating Regulations Card Associations Could Revoke Merchant Services Agreement (* Contact Your Account Executive to determine your version)

14. VISA PED Approved PIN Entry Devices Currently Being Sold, Installed and Used by Retailers Examples Everest Plus*, Omni 7000 Required for Manufacturer�s to Sell After January 1, 2004 Manufacturers Can Not Sell After December 31, 2007 Retailer�s Can Purchase Before 12/31/2007 and deploy later There is no Sunset Date for Retailers to Remove from Service (* Contact Your Account Executive to determine your version)

15. Deployment After December 31, 2007

16. Deployment After December 31, 2007

17. Pre-PCI Approved Device Sunset Date

18. PCI PED Approved PIN Entry Devices Currently Being Sold, Installed and Used by Retailers More stringent than VISA-PED [Replaces VISA-PED] Tamper responsiveness - active security Expanded lab freedom to pursue sophisticated attack certification testing Examples MX830, MX850, MX870 All Newly Introduced Devices Must be Certified Against this Standard Required for Manufacturer�s to Sell After January 1, 2008 Manufacturers Can Not Sell After April 1, 2014 There is no Sunset Date for Retailers to Remove from Service

19. PCI PED 1.3 Requirements Tamper Protection Cryptographic Control of Prompting Prevent PIN Monitoring Deter Visual Observation of PIN Entry Not Practical to Build a Duplicate PED Logical Software Security Against Tampering Authentication of Software Applications No Unnecessary Storage of Sensitive Data DUKPT Keys or Fixed Key Security Encryption & Key Management Requirements Credit Card Reader Security Manufacturing Security & Process Requirements Shipping Security & Process Requirements

20. VeriFone PCI PED Certified Devices

21. Approved PIN Entry Devices

22. PIN Pad Best Practices Immediately perform a visual inspection on every terminal. If the inspector notices anything that looks out of the ordinary, have the unit checked by an authorized repair facility. Have the inspector verify that the serial number printed on the bottom of the terminal matches the internally stored serial number. Immediately remove from service any devices where these serial numbers do not match. Implement a procedure to require all repair technicians who visit your stores log in, verify their identity, and do not allow them to work on PIN Pads unaccompanied. Review the installation of your PIN Pads. They should be mounted on the counter, unplugging cables should require more than turning the unit over, and you may want to consider locking stands. If you are interested, VeriFone is developing locking stands. Contact your VeriFone Account Executive for more details.

23. PIN Pad Best Practices Review your POS to PIN Pad terminal interface to determine if it tracks or identifies the serial number of the attached PIN pad. If not, consider implementing such a software security scheme. Only purchase PIN pads from a manufacturer or manufacturer�s authorized partner. Unauthorized resellers, such as may be found online at sites such as EBAY, may potentially sell devices that are already compromised, whether intentional or unwittingly. For similar reasons, have your PIN Pads repaired at the manufacturer or an authorized manufacturer�s repair center which has completed a TG3 Key Injection audit.

24. PIN Pad Best Practices You Must Develop a Response Plan! Ensure you know what to do in the event an attack is identified Determine If You Can Respond, or if a Third Party is Required You must be able to answer: How do we respond? Who is in charge of our response? Internal Systems External notifications Do we have records of changes to the environment? What �real� response capabilities do our internal teams have? When do we need to involve outside experts? Who do we call first?

25. VeriFone Payment Security Products PIN Pad Security Audit Secure Terminal Retirement VisualPayments Device Solutions Locking PIN Pad Stands

26. PIN Pad Security Audit Terminal Security Audit & Cleaning Retailer Purchases Seed Stock of Terminals Terminals Sent to VeriFone Repair Facility List of Terminals Sent to VeriFone, or Terminal List Created as Terminals Received Call Tags Issued for Return to VeriFone, or Retailer Manages Return to VeriFone Terminal Serial Numbers Captured PIN Pad Audited for Evidence of Tampering Terminals Cleaned and Returned to Stores Report Sent to Retailer Contact VeriFone Account Executive for Details

27. Secure Terminal Retirement Terminal Destruction and Environmental Recycling Terminals Sent to VeriFone Repair Facility List of Terminals Sent to VeriFone, or Terminal List Created as Terminals Received Call Tags Issued for Return to VeriFone, or Retailer Manages Return to VeriFone Terminal Serial Numbers Captured Secure Chip Drilled to eliminate keys Terminals Crushed and Recycled Report Sent to Retailer Contact VeriFone Account Executive for Details

28. VisualPayments� Device Solutions Device Solutions is Part of Visual Payments Suite Available for MX800 Series Products Detects and Alerts PIN Pad Removal & Installation Insures Proper Operating System and Software are Installed Also Supports Remote Diagnostics and Support Contact VeriFone Account Executive for More Details

29. Locking PIN Pad Stands Prevents Unauthorized Removal & Replacement of PIN Pads Contact Your Account Executive for More Details

30. VeriFone Security Website To Be Launched This Week News Articles VeriFone PIN Pad Best Practices ATMIA Best Practices for POS Security Links to Association Security Web Sites Status of VeriFone Products Link to Webinar for Replay PIN Pad Best Practices Presentation VeriFone PCI Security Presentation Email PaymentSecurity@VeriFone.com for Mailing List

31. VeriFone Retail Payments Conference

32. Questions? Jeff Wakefield Vice President of Marketing Integrated Systems VeriFone 300 South Park Place Blvd. Clearwater, FL 33769 727-953-4484 Jeff_W7@VeriFone.com