Why Your New #Chip-and-Pin Card Reader Might Not Be Ready For Use
Whoops – that chip and pin terminal you bought last year ahead of everyone else, to be ready for the new standards coming in October of this year, might not be completely ready. In fact, it may have to be shipped to an authorized center to have certain encryption data “injected” into the terminal.
What???? The salesman said it was ready? Maybe so, but it still might have to be returned to an authorized secure service center to be injected with some unique data in order to be usable.
The Point of Sale News ™ spoke with Beatta McInerny last week. Ms. McInerny is the Business Development Manager of Payments for ScanSource POS and Barcode and has a background of ten years in the payment industry.
We asked about the state of the industry and the availability of various credit card terminals, and also asked about the injection of encryption keys.
First on equipment – “there is somewhat of a backorder in the the industry. The two largest manufacturers, Ingenico and Verifone, are ramping up. The most popular models are the Verifone 915 and 925 for tier one and tier two (the largest of retailers), and also the Ingenico 250 and 480 models are available.”
As of last week, they had not personally had an EMV transaction take place. “Processors are not taking them live yet.”
Ms. McInerny remarked that she expected there to be more equipment issues in October. ” Don’t think that all of a sudden there will be a flood of equipment available in the market.” “Retailers need to come up with a plan.”
Based on this and comments from vendors like Verifone, retailers should consider getting a solution in place now – even if it is not exactly what they would like and then perhaps a year down the road, when the situation has eased, consider switching to another type of terminal. Consumers are increasingly aware of chip-and-pin and are not going to be indifferent to using old, unsecure equipment. Point-to-point encryption offers an excellent solution for retailers. The device is external and the credit card data completely bypasses the POS solution. While it may be slightly less convenient, it is vastly more secure than swiping a mag-stripe card through a keyboard reader.
Moving on to Key Injection
Key Injection Service is the secure process by which payment hardware (credit card terminal/ reader/ pin pad) gets loaded with the encrypted Debit and Data keys which in effect “marries” the terminal to the merchant’s processor and bank to make the device functional and secure. This process is mandated by PCI (Payment Card Industry) to mask and protect card holder data during the transaction. A debit key is needed to scramble the pin data and a data key is needed to scramble card data. A debit key is mandatory if a customer wants to accept debit cards. Customers accepting only credit will not need key injection.(1)
Only an ESO (Encryption Service Organization) can perform the key injection service to be PCI compliant. ScanSource is a certified ESO.
Through this ESO designation, ScanSource provides key injection services in-house at its secure facility. In addition to on-site key injection, its ESO certification allows them to provide remote key injection services from vendors such as Magtek and VeriFone.
Ms. McInerny also pointed out that only about half of the equipment is being shipped with encryption, and at the same time, business is growing exponentially. “Point-to-point encryption is an excellent solution because of its security. P2P is a great workaround and protects the merchants.”
(1) – Source: ScanSource Key Injection Services
Some industry resource articles you might want to look at:
Visa – About Fraud Protection from Chip and Pin
Visa – Info on Breaches for Smaller Merchants
Verifone – Resources for merchants and retailers
Follow Us On Facebook – https://www.facebook.com/ThePOSNews