October 2009 Countdown to Compliance

2 Introduction This presentation is geared to merchant acquirers and ISOs in the financial services industry that sell to small to mid-sized merchants It is not designed for: –Petroleum ISVs –Multi-lane retailers –VARs –Transportation –Retail Banking If you’re in the petroleum space visit: If you’re in the multi-lane retail space visit:

3 Agenda Breach Concerns What is PCI PED? Sample Scenarios VeriFone’s PCI PED Campaign V x Solutions and MX Solutions Overview Q&A

4 Why worry about a Breach? Industry research indicates that many merchants do not know much about security In fact, Visa research indicates that compliance was lowest among level 4 merchants According to industry research by Verizon, 81 percent of the organizations that experienced a breach “were not Payment Card Industry (PCI) compliant,” 75 percent of the breaches it investigated involved the retail (31 percent), financial services (30 percent) and food & beverage (14 percent) industries More than 80% of breaches since 2005 have happened at small merchants You only hear about the bigger breaches but smaller ones occur every day

5 Security Breaches In The News

6 What is PCI PED? PCI PED requirements are primarily concerned with device characteristics impacting the security of the PIN Entry Device used by the cardholder during a financial transaction. These rules are to protect the consumer from fraud. There are two factors involved in PCI PED requirements. –Device characteristics – the physical and logical security characteristics of the device that deter a physical attack on the device—for example, the penetration of the device to determine its key(s) or to plant a PIN-disclosing “bug” within it or allowing the device to output a clear-text PIN-encryption key –Device management considers how the PED is produced, controlled, transported, stored, and used throughout its lifecycle The deadline to remove PCI PED ‘never approved’ devices from the market is July 1, –Most of these devices were manufactured before 2004 Visa has issued a tentative removal date of Dec 2014 for all Visa PED approved devices

7 PED Approval Recap Manufacturers MUST NOT place for PIN after December 2007 And must be removed by December 2014 Merchants/Retailers Must Stop PIN use by July 2010 Never Approved Visa PED Approved PCI PED Approved Manufacturers MUST place for PIN entry after 12/2007

8 Timeline

9 Impact to the Retailer/Merchant There has been much confusion over the impact to a retailer who does not meet the Visa July 1, 2010 mandates for payment security To review, there are three different mandates from Visa that must be met by US merchants by July 1, These are: –All never approved payment devices on which PIN debit transactions are conducted must be removed from service. This includes any terminal that is not either VISA PED or PCI PED. –All debit card PINs must be encrypted in TDES from the payment device –All applications that “store, process, or transmit cardholder information” must be PA-DSS or PABP compliant

10 Key Dates Visa has chosen to implement the following regulations in order to transition to PCI PED compliance: October 1, 2009 —Acquirers must submit to Visa a summary TDES compliance status report and plan to achieve full compliance for sponsored attended POS activity July 1, 2010 —All never approved devices must be removed from service July 1, 2010 — If there is a breach of a never approved device after July 1, 2010, liability for the breach transfers from the issuer to the acquirer and the merchant. August 1, 2012 —Acquirers may be assessed fines for sponsoring any non-TDES compliant merchants or agents

11 How do I upgrade by merchants? Replace never approved devices with higher-functioning devices Add a compliant PCI PED approved PIN Pad like the PP1000SE Use this opportunity as a way to add value to replace the older device –Value added applications Gift card Loyalty –PIN debit –Faster devices –Pay at the point of service

12 How to Upgrade Your Merchant - Sample Scenario Type of Retailer: Type of Retailer: Sports Memorabilia Vendor in Mall Scenario: Tim owns a sports memorabilia store in a busy mall. Accepting electronic payments for many years using an Omni 3210 countertop device Being able to accept credit and debit cards is a major plus for his business. Challenge: Has heard about more stringent security requirements which affect his Omni He calls his ISO rep who refers him to VeriFone’s PCI PED landing page where he finds a wealth of knowledge and easy to understand materials. He also realizes that technology has come a long way and decides that it’s time to upgrade to a wireless device to eliminate the expense of his phone line.

13 Achieve Compliance with the V x 510 GPRS Solution: Upgrade to a higher functioning and PCI PED compliant V x 510 GPRS for faster transactions and more flexibility Tim now has the peace of mind knowing that his V x 510 GPRS is compliant with the latest security requirements. Also has the added benefits of faster transactions and a mobile device –The V x 510 GPRS accepts payments anywhere there is a power source which is great when Tim visits fairs or sets up a mall kiosk. – He no longer needs to pay for an extra phone or DSL line which saves him additional money. –The ability to accept PIN debit is another plus since debit transactions mean lower overall transaction costs for his business.

14 Merchant Scenario #2 Type of Retailer: Jewelry Store Scenario: Susie owns a successful jewelry store Accepting electronic payments for many years using a NURIT countertop device Being able to accept credit is a major plus for her business since most jewelry purchases are rather expensive. Challenge: She has heard about more stringent security requirements which affect her NURIT but is not concerned since she does not accept PIN debit After doing some research she realizes that by offering PIN debit to her customers, she could be saving money due to the lower transaction fees. Plus she’s noticed that more people are using their debit cards due to the current economic conditions.

15 Merchant Scenario #2 - Conclusion Solution: Susie decides to upgrade to the V x 670 portable device It can be used anywhere in the store – customers can pay right where they make their jewelry selection and do not have to walk across the store floor. Customers can complete their own transactions and do not have to give up their credit card which gives them peace of mind Susie has all the benefits of a portable device which comes in handy when she visits jewelry shows and fares Ability to accept PIN debit which means lower overall transaction costs.

16 Feature Expansion + Value Multiple Reasons to Focus on Latest Products –Higher Value (“More Bang for the Buck”) –Lower Cost of Ownership & Reliability –Portability – Taking payment to the Point of Service –Customer Stickiness + Features Multiple application support –Performance & Speed

17 Shift to Newer Technology Now Is The Time To Upgrade Your Merchants To A Higher Functioning Device Usability & Security “Design Focused” Speed & IP “Performance”

18 Pro-Actively Promote Security Educate against unsecure devices for transactions –Secure terminals, even if no PIN –Replace never approved devices before July 2010 –Promote new PCI PED approved devices Promote End-to-End Data Encryption –VeriShield Protect –

19 VeriFone’s Position Created the PCI PED upgrade program to help our partners to remove never approved PIN pads and devices out of the market We want to help you leverage the opportunity to move merchants to a new VeriFone product (and even upgrade to a higher functioning device) and replace the old We believe at this phase, education is crucial

20 Campaign Overview The expired parking meter is our theme graphic and will be a graphic element on materials Program started July 2009 Education very important since topic is complex Creating Acquirer and Merchant specific information

21 Advertising Support Trade publication advertising for several months will support this campaign

22 Acquirer Collateral White Paper Flyer FAQs How to upsell your merchants Tool Kit (Interactive PDF) Product Upgrade Chart All materials are available on the landing page And exclusive tools at the VeriFone Zone

23 Merchant Collateral Merchant Educational Package –Easy to understand overview, product charts, frequently asked questions, additional resources Merchant Flyer –One page sheets with key dates and deadlines Online Resources: –PCI Security Council –Merchant SAQ – (Merchant Tab)

24 PCI PED Landing Page Breach Calculator Countdown clock Collateral White Paper Product Upgrade Chart Breach Calculator Countdown Clock Collateral White Paper

25 Breach Calculator ,000

26 PCI PED Compliance Chart This chart applies to countertop and mobile merchants

27 PCI PED Compliance Chart This chart applies to multi-lane retail devices

28 More Tools at All the tools presented here today are available for download at the VeriFone Zone ( There is chart for all VeriFone products that are never approved and PCI PED approved as well as the recommended upgrade –This piece is only available at the Zone

29 V x Solutions - A Platform for Now and for the Future Delivering Lower cost of sales, ownership and support Easy to understand “up-sell” strategy Opens new markets with little investment Complete line of products and solutions Compatibility Consistent user interface Consistent software base Consistent support needs PA DSS accepted applications PCI PED approved Part of a complete end-to-end encryption Security Performance High-speed processor Multi-application capabilities Many connectivity options

30 Compatibility Broadens Your Offering Consistency across form factors offers complete line of solutions for all market segments and customer needs –Single function  multi-application –Fixed  transportable  portable –Customer facing  clerk facing More certifications than any other hardware provider make selling, installing, supporting, and expanding simpler

31 MX Family, Solutions for Multi-Lane Retailers offer a lower cost of ownership Customer facing payment solutions All built on a common, secure platform All run the same applications Share consistent user interfaces All are PCI PED approved Interchangeable and field-upgradable modules future-proof your investment

32 PIN Pad 1000SE Number one selling PIN pad in the industry! Easy to use PIN debit entry PCI PED approved to meet the latest standards for secure PIN entry Future-proof payment solution, fully updatable and compatible Provides the best protection against fraud for merchants and consumers; USB option provides another way to connect to a PC software program which minimizes cabling and countertop clutter

33 Additional Resources PCI PED website ex.shtml ex.shtml PCI PED list of approved devices dapprovallist.html dapprovallist.html VeriFone Security Page Secure Retail Payments solutions/retail/payment-trends-- security/secureretailpaymentscom.aspxhttp:// solutions/retail/payment-trends-- security/secureretailpaymentscom.aspx Visa b29ec9fcdb6f98ceddad92d3d b29ec9fcdb6f98ceddad92d3d

34 Questions? We want your feedback – please complete the poll at Download this presentation and the recording at Q&A Session