Comments on: Visa Revokes PCI Approval From Ingenico PIN Pads Following Breach

By: Tim K

Tim K — Wed, 07 Jul 2010 21:14:22 +0000

Is there a re-certification date for PEDs as there is for Payment Applications? I’m wondering what happens when the retailer has to purchase 10,000 new POS devices because one of the devices compliance was revoked?

By: M. Dunn

M. Dunn — Wed, 07 Jul 2010 19:43:19 +0000

I’m still amazed that retailers are left footing the bill to secure Visa and M/C’s insecure(able) product!

As a software developer, I have to ensure this so-called “protected” data is never stored, and teach my customers how to securely use their computers…

Meanwhile, the data we’re protecting is in plain sight, embossed on the card. Not to mention, easily copied by a cheap, concealable device. If and when Chip & Pin is mandated (hopefully not, as it’s already been hacked), why do the retailers pay for them? Visa and M/C should be required to reimburse retailers who spend money to shore up the security of their product.

The very idea that a company could be sued by Visa and/or MC because of a data breach is absurd. It’s THEIR design flaw – period.

By: Cranston Snoard

Cranston Snoard — Mon, 05 Jul 2010 16:53:47 +0000

@tim elliot
In a simplistic world, yeah, it probably could have all been done in about 30 seconds. However, in the real world, companies do not change major environments over night. Many firms were implementing over a longer term because of either budgets, alignment with other plans to expand or change POS environments, or the extent of the efforts required to inject, test, and deploy new pinpads over a geographical territory that spans 5 times zones and has many remote locations.

And the re-injected pads that have now been decertified all now have to be replaced — but there are not sufficient stocks available to do so…

Besides the move to chip & pin isn’t about (only/mainly) security — it is also about forcing acceptance of the card brand debit cards, card brand loyalty programs, and use of the card brands networks with a higher fee structure rather than INTERAC… go do some reading of the fine print and you’ll comprehend what some of the real drivers are…

By: Tim Elliott

Tim Elliott — Mon, 05 Jul 2010 15:30:23 +0000

“…everyone is scrambling to find replacements in time to meet chip & pin deadlines…”

So by “scrambling”, you mean the 2-3 years that all merchants in Canada have known about chip and PIN requirements for the fall 2010 deadline?

By: Prefect

Prefect — Fri, 02 Jul 2010 01:25:15 +0000

When will the BS train surrounding PCI pull into the station?

By: Cranston Snoard

Cranston Snoard — Thu, 01 Jul 2010 20:12:06 +0000

VISA’s latest memo may finally have got it right, but all the previous memos from them and M/C starting in March (when this first came out more publicly) were quite vague and confusing. Yeah, they might have gotten this particular memo right, but you should see what came before it…

Yanking of the certification hasn’t taken into account the lack of availability of alternate compliant solutions. For example, in Canada there are over 200K Ingenico pinpads impacted by this decertification — and this decertification is occurring while many companies were working on having these previously certified pads injected to meet the VISA requirements to move to chip & pin by end of this year. So now everyone is scrambling to find replacements in time to meet chip & pin deadlines, and to meet the PCI requirements — yet the available stock of now compliant devices is probably less than 2% of the demand. Most of the new stock is only arriving from China in small shipments, and of those shipments were already ear-marked for customers before the Match announcements… many firms are now caught in PCI compliance limbo through no fault of their own.