Behind all of this commotion are an increasing number of physical attacks against PEDs, sort of "cloners gone wild." Many of the compromised units are older (a Visa memo said "many are more than 10 years old and were never evaluated by an independent lab or approved by Visa or PCI"), but some were in a Visa pre-PCI phase and some—and here's where things get interesting—had actually been PCI approved.
(See Walter Conway's related column: Trust Your Fellow Man, But Not A Tired Store Associate.)
Visa also pointed out that the attacks are quite fast, even with the PCI-compliant pads: "Surveillance footage shows that the suspects in most cases were able to remove and install a POS PED in less than one minute."
Visa's memo unmasked the latest naughty devices. In the "untested" category were four VeriFone units (PINpad 101, 201 and 2000 plus the Everest model P003-3xx), two Hypercom units (S7S and S8) and an Ingenico model (eN-Crypt 2400, also known as the C2000 Protégé). In addition, Ingenico had one pre-PCI unit (Ingenico: eN-Crypt 2100). The breached PCI-approved units were both from Ingenico: the i3070MP01 and the i3070EP01.
"As a precaution (and to prevent further deployments), the PCI SSC, in coordination with Ingenico, revoked the approval of these devices," said the Visa memo, which also repeated anti-skimming advice, including several points that should be followed quite strictly. "Validating the identity of repair technicians. Authorized and validated repair technicians should be escorted and monitored. Periodically weighing the equipment and comparing it to vendors' specification weight to identify the insertion of bugging devices. Many of these vulnerabilities can be addressed if terminals are deployed with a terminal authentication system. In this case, the host system continuously verifies the PED's internal serial number and confirms that terminals are online and operating correctly. If a terminal is ever replaced with an unauthorized device (or is unplugged, as would be necessary to execute this attack), the host system would immediately be alerted to tampering."
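To make the terminal authentication control quoted above concrete, here is an added example of the host side of that check (written for this column; it is not Visa's, the PCI SSC's or any PED vendor's software). The host keeps a registry of which PED serial number belongs on which lane, expects a periodic heartbeat from each lane, and raises an alert when a lane reports an unregistered serial (a device was swapped) or goes silent (a device was unplugged). It also includes the memo's periodic weight check against the vendor specification. The lane names, serial numbers, message format, timestamps and weights are all constructed for the example.

```python
"""Host-side PED authentication monitor (constructed example, not vendor code).

Registry: lane -> serial of the PED that was deployed there.
Heartbeat: what the PED reports to the host on a fixed interval.
Alerts:    SERIAL_MISMATCH (unregistered device on a known lane),
           OFFLINE (lane silent longer than max_silence, as an unplug would cause),
           UNKNOWN_LANE (a device reporting from a lane the host never deployed),
           WEIGHT_DEVIATION (periodic physical check against spec weight).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Heartbeat:
    lane: str
    serial: str        # serial number the PED reports from its own firmware
    seen_at: datetime  # when the host received the message


@dataclass(frozen=True)
class Alert:
    lane: str
    kind: str
    detail: str


# Constructed registry of deployed devices (hypothetical serial numbers).
REGISTRY = {
    "lane-01": "PED-SN-0001",
    "lane-02": "PED-SN-0002",
    "lane-03": "PED-SN-0003",
}


def latest_by_lane(heartbeats):
    """Keep only the most recent heartbeat seen from each lane."""
    latest = {}
    for hb in heartbeats:
        cur = latest.get(hb.lane)
        if cur is None or hb.seen_at > cur.seen_at:
            latest[hb.lane] = hb
    return latest


def evaluate(registry, heartbeats, now, max_silence):
    """Return the alerts the host should raise given the heartbeats received so far."""
    alerts = []
    latest = latest_by_lane(heartbeats)
    # A device announcing itself from a lane that was never deployed.
    for lane, hb in latest.items():
        if lane not in registry:
            alerts.append(Alert(lane, "UNKNOWN_LANE",
                                f"serial {hb.serial} reporting from an unregistered lane"))
    # Every deployed lane must be present, online, and report the expected serial.
    for lane, expected in registry.items():
        hb = latest.get(lane)
        if hb is None:
            alerts.append(Alert(lane, "OFFLINE", "no heartbeat received"))
            continue
        if hb.serial != expected:
            alerts.append(Alert(lane, "SERIAL_MISMATCH",
                                f"expected {expected}, device reports {hb.serial}"))
        if now - hb.seen_at > max_silence:
            silent = int((now - hb.seen_at).total_seconds())
            alerts.append(Alert(lane, "OFFLINE", f"silent for {silent} s"))
    return alerts


def weight_check(lane, measured_grams, spec_grams, tolerance_grams=5.0):
    """Periodic physical check from the memo: a PED that weighs noticeably more
    than the vendor's specification suggests an inserted bugging device.
    Returns an Alert, or None when the device is within tolerance."""
    delta = measured_grams - spec_grams
    if abs(delta) > tolerance_grams:
        return Alert(lane, "WEIGHT_DEVIATION", f"{delta:+.1f} g versus spec {spec_grams} g")
    return None


# Constructed sample traffic: lane-02 was swapped for an unregistered device,
# lane-03 stopped reporting, and an unknown lane-09 appeared.
NOW = datetime(2009, 6, 1, 12, 0, 0)
SAMPLE_HEARTBEATS = [
    Heartbeat("lane-01", "PED-SN-0001", NOW - timedelta(seconds=30)),
    Heartbeat("lane-02", "PED-SN-0002", NOW - timedelta(minutes=20)),
    Heartbeat("lane-02", "PED-SN-9999", NOW - timedelta(seconds=30)),
    Heartbeat("lane-03", "PED-SN-0003", NOW - timedelta(minutes=15)),
    Heartbeat("lane-09", "PED-SN-7777", NOW - timedelta(seconds=30)),
]


def demo():
    """Run the monitor over the constructed sample with a five-minute silence limit."""
    return evaluate(REGISTRY, SAMPLE_HEARTBEATS, NOW, timedelta(minutes=5))


if __name__ == "__main__":
    for alert in demo():
        print(f"{alert.lane}: {alert.kind} ({alert.detail})")
    print(weight_check("lane-01", 462.0, 450.0))
```

The silence window is the tuning knob: it must be longer than the heartbeat interval plus normal network jitter, yet short enough that the alert arrives while the "less than one minute" swap the memo describes can still be correlated with surveillance footage and staff on shift.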
But unlike a story we ran earlier this month about Visa's list of software applications that store prohibited data, this memo was not confidential. It was made public. With the software document, Visa strongly argued against the information being shared with retailers publicly. But this PED list was disclosed voluntarily by Visa. Why the change in attitude? Is telling retailers there are security problems in their environment now considered a good thing?
Perhaps even more intriguing is what this disclosure will do to Visa's oft-stated position that no PCI-compliant retailer has ever been breached. One of the key elements to being a PCI-compliant chain is housing only PCI-compliant equipment. Will Visa and PCI be issuing a blanket get-out-of-PCI-jail-free card for any merchants who were breached because they relied on a PCI-sanctioned device?
And what's behind that compliance revocation? Was the device tested improperly? It seems unlikely that no one would have thought to test a PED for a physical skimming attack, which has been a thief favorite for far more than a decade. Did the test not factor in the latest attack's methodology?
This time, we have to applaud Visa. Its latest memo gets it right on just about every count. It's public; it explicitly discloses the names and models of the breached devices; it includes concrete advice on preventing this type of attack; and it encourages retailers to quickly move to machines still on the compliant list. The only thing it doesn't say is that Visa will have a chain's back if those PCI-approved devices later get breached.