Why Your New #Chip-and-Pin Card Reader Might Not Be Ready For Use

Whoops - that chip and pin terminal you bought last year ahead of everyone else, to be ready for the new standards coming in October of this year, might not be completely ready. In fact, it may have to be shipped to an authorized center to have certain encryption data “injected” into the terminal.

What????   The salesman said it was ready?  Maybe so, but it still might have to be returned to an authorized secure service center to be injected with some unique data in order to be usable.   

The Point of Sale News (tm)  spoke with Beatta McInerny last week.  Ms. McInerny is the Business Development Manager of Payments for ScanSource POS and Barcode and has a background of ten years in the payment industry.  

We asked about the state of the industry and the availability of various credit card terminals, and also asked about the injection of encryption keys. 

First on equipment - "there is somewhat of a backorder in the industry. The two largest manufacturers, Ingenico and Verifone, are ramping up. The most popular models are the Verifone 915 and 925 for tier one and tier two (the largest of retailers), and also the Ingenico 250 and 480 models are available."

As of last week, they had not personally had an EMV transaction take place.  "Processors are not taking them live yet."

Ms. McInerny remarked that she expected there to be more equipment issues in October. "Don't think that all of a sudden there will be a flood of equipment available in the market." "Retailers need to come up with a plan."

Based on this and comments from vendors like Verifone, retailers should consider getting a solution in place now, even if it is not exactly what they would like, and then perhaps a year down the road, when the situation has eased, consider switching to another type of terminal. Consumers are increasingly aware of chip-and-pin and are not going to be indifferent to using old, insecure equipment. Point-to-point encryption offers an excellent solution for retailers. The device is external and the credit card data completely bypasses the POS solution. While it may be slightly less convenient, it is vastly more secure than swiping a mag-stripe card through a keyboard reader.

Moving on to Key Injection

Key Injection Service is the secure process by which payment hardware (credit card terminal / reader / PIN pad) gets loaded with the encrypted Debit and Data keys, which in effect “marries” the terminal to the merchant’s processor and bank to make the device functional and secure. This process is mandated by PCI (Payment Card Industry) to mask and protect cardholder data during the transaction. A debit key is needed to scramble the PIN data and a data key is needed to scramble card data. A debit key is mandatory if a customer wants to accept debit cards. Customers accepting only credit will not need key injection.(1)

Only an ESO (Encryption Service Organization) can perform the key injection service to be PCI compliant. ScanSource is a certified ESO.

Through this ESO designation, ScanSource provides key injection services in-house at its secure facility. In addition to on-site key injection, its ESO certification allows it to provide remote key injection services from vendors such as Magtek and VeriFone.

A debit key encrypts the customer’s debit card personal identification number (PIN) when entered during the tender process at the point of sale. The debit key is loaded into the terminal by an ESO, like our key-injection facility, and allows the transaction terminal to complete a debit transaction by securely authenticating the PIN with the issuing bank.  This key is not used during a "credit" transaction where a signature is used for authentication or to encrypt the actual card data.  This key is always required if you are accepting debit transactions due to PCI standards.(1)
 
A Point-to-Point Encryption (P2PE) key encrypts the customer's card information when swiping a credit or debit card at the point of sale. It is also commonly referred to as a data key or end-to-end encryption (E2EE). This works separately from the debit key. P2PE keys are recommended but are not required by current PCI standards. P2PE keys lower the risk of unauthorized interception of sensitive card information during the transmission from the payment terminal to the payment processor. P2PE keys must be injected through an ESO like debit keys.(1)
 
Ms. McInerny also pointed out that only about half of the equipment is being shipped with encryption, and at the same time, business is growing exponentially.   "Point-to-point encryption is an excellent solution because of its security. P2P is a great workaround and protects the merchants." 
"Resellers should empower the end user now, and not wait for the processors to tell them what to do."
 
Now - last key point - devices purchased last year, or early in 2015, may have been shipped without the final encrypted keys in place. 
 
Retailers should find out NOW if their device needs injection and make plans to either have it done remotely, or to ship their terminal to an authorized center.   Retailers with equipment should contact their own supplier about this.  Retailers who have changed banks or processors may also have to have their equipment re-injected with the new key.  

 

(1) - Source: ScanSource Key Injection Services

Some industry resource articles you might want to look at:

Visa - About Fraud Protection from Chip and Pin

Visa - Info on Breaches for Smaller Merchants

Verifone - Resources for merchants and retailers
