Visa’s PIN-Entry Bulletin Asks For Bluetooth Signal/Pairing Scans
Written by Evan SchumanSeptember 7th, 2011
When Visa issued new security guidelines this month to deal with compromised PIN-entry devices, it asked that retailers "periodically scan for any unidentified Bluetooth signals and pairings at store locations," a move that goes beyond current PCI requirements. Hints of a possible PCI 2.1 rule?
The September 1 Visa Bulletin was primarily to tell merchants that five VeriFone units (Everest Plus units P003-400-01, P003-400-02, P003-400-03, P003-400-12 and P003-400-013) have been ruled "susceptible to compromise" and were indeed "used in tampering and skimming attacks" in the U.S. The list had already included other VeriFone units plus one from Ingenico (the eN-Crypt 2400, also known as the C2000 Protégé) and two from Hypercom (S7S and S8).
This Story Is Only Available For Premium Subscribers. Click Or Login In Below To Read The Rest Of This Story.
Already a Subscriber? Login Here
3 Comments | Read Visa’s PIN-Entry Bulletin Asks For Bluetooth Signal/Pairing Scans
Leave a Reply
Readers, specifically those who want to comment on a story:
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk.com? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk.com? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.
-Christine
September 8th, 2011 at 2:10 pm
One simple, inexpensive method to prevent such theft by replacement is to secure the terminal or PED to the counter with a lock down device requiring a manager with a key to unlock the device for service or swap out. We recommend securing BOTH terminal and PED because customers have had terminal stolen resulting in the thieves loading prepaid cards by running credits through the stolen terminal deducting the monies from the merchant’s checking account.
September 8th, 2011 at 6:00 pm
A simple bolt and two nuts tightened against each other, requiring a minute under the counter with a pair of wrenches to release, is also a cheap and effective deterrent.
But this scenario continues to highlight why any card technology that requires trusting the merchant terminals is inherently flawed. Sealed, bank-issued personal payment devices in a credit card form factor with an on-board authentication device and an air-gapped authorization method are the only way this arms race will end well. Everything else, including chip and pin, is just kicking the can down the street until the next flawed “great idea” is hacked.
September 13th, 2011 at 8:48 am
I believe the main points are being missed here. If I’m capable of replacing your PEDs, most likely I’m the manager or in charge of security in your store or affiliated with them.
It does not take 2 seconds to swipe out a PED, these people, especially with the Aldi situation had plenty of time and access to accomplish their feat. So the physical solution is not going to work.
In addition, just as well as fake handbags can be cloned, it is really easy to clone PED device with PVC machines over in Asia that look exactly like the PED and can still be intercepted before the machine can encrypt the card number at the magnetic swipe.
The only real solution is a multi-factor that allows real-time access to transcations to compare against real-time sales in store to verification.