Category Archives: Merchant services

POS and PCI security requirements – Services Sekure Card

The purpose of this post is to give vendors a list of all the security requirements against which their POS device setup will be evaluated in order to obtain Payment Card Industry (PCI) PIN Transaction Security (PTS) Point of Interaction (POI) device approval.

The requirements highlighted here are the minimum acceptable criteria for PCI acceptance. The PCI has defined these requirements using a risk-reduction methodology that identifies the entire set of major risks associated with credit card data transactions, measured against acceptable costs to design and manufacture a POI solution.

These requirements therefore stem from a compromise between risks and costs. They do not eliminate the possibility of fraud, but rather reduce its likelihood and minimize the scope of the credit card theft resulting from credit card fraud.

Evaluation Domains

This domain comprises both the physical and the logical location of the device. The logical location hosts the device and supports the communication platform that allows POS devices to communicate transaction data across a network. It must support certain attributes that protect against malicious hacking activity penetrating the firewall and gaining access to data over a networked environment.

The physical security

The physical security characteristics are those that deter physical attack on the device, for example an attack to determine its key(s). They include the physical location of the device and other security measures intended to protect the data from any unauthorized person able to manipulate the POS terminal or to access the servers or any other component of the logical domain, where reconfiguration could compromise the device, its communications, or the data security of the POI solution.

The logical security

The logical security characteristics are those that define the functional capabilities limiting access to transaction information, so that the device cannot allow a user to gain access to the sensitive credit card data required for card fraud. For example, allowing the device to output a clear-text PIN encryption key would compromise card security: decryption would become possible, so the PIN could be extracted, compromising the card's PIN security.

Many of the logical security requirements carry a minimum attack valuation for the identification and initial exploitation of the device, based upon factors such as attack time and the expertise and equipment required; assessing them requires good common sense and a good understanding of network security. Given the evolution of attack techniques and technology, the Associations will periodically review these measures to ensure that they remain appropriate.

Device Management

Device management considers how the device is produced, controlled, transported, stored and used throughout its life cycle within the organization. If the device is not properly managed, unauthorized modifications might be made to its physical or logical security characteristics, allowing a perpetrator to compromise the device and the information it contains.



Filed under credit card theft, Merchant services

Credit card security – Services Sekure Card

Credit card fraud is a common and relatively easy form of theft. It is wide-ranging because credit cards have become such a common and basic payment medium, both online and in brick-and-mortar organizations, and it can involve many methods of performing fraudulent transactions. Everything from obtaining goods without paying to performing unauthorized funds transfers from an account can be done relatively easily once credit cards are stolen. The Federal Trade Commission reports that identity theft had been on a steady rise, peaking with a 21 percent increase in 2008, and that credit card fraud is the number one motivation associated with identity theft.

The cost associated with card fraud is estimated to make up 0.07% of your merchant's transaction rate costs. Although this is only a small fraction of a transaction, the high volume of transactions means it translates to billions of dollars; in 2006, fraud in the UK alone was estimated at US$750 million.

The methods of fraud vary from physical theft of the card to theft of the credit card account data, which can include the card account number, PIN, validation numbers and all other information required for a legitimate transaction. The card can easily be compromised without the knowledge of the cardholder, the merchant or the issuer, at least until the account is ultimately used for fraud. Credit card accounts can be compromised at various technical levels: from a store clerk simply copying sales receipts, to card information being scanned for duplication, to Internet transactions where database and network security holes have cost millions.

Whether lost or stolen, a credit card remains usable until the cardholder notifies the issuer of the theft. As such, a thief can make unauthorized purchases on a card until it is canceled by the issuer.

The first and most common security measure on all cards is a signature panel, but signatures have not been effective since they are relatively easy to forge. Newer security measures have therefore emerged, and some credit cards include the holder's picture on the card itself. But stolen cards are commonly used at busy self-serve payment systems, where there is no verification of the cardholder's identity.

Most cards are now equipped with an EMV chip, which requires a 4-digit PIN to be entered into the merchant's terminal before payment is authorized. However, a PIN isn't required for online transactions or in many self-serve payment systems, so although these measures help curb the use of stolen cards, they don't necessarily prevent stolen-card transactions.

All card issuers have built sophisticated countermeasures into their credit card transaction systems that perform transaction risk estimation, calculating the probability of fraud. These systems analyze the many conditions surrounding a transaction and may raise a flag if, for example, a large transaction occurs a great distance from the cardholder's home, or a series of transactions involves high-risk unverified transactions using self-serve payment systems. The merchant may be alerted to call the card issuer, or the transaction may be declined altogether, forcing the cardholder to communicate with the issuer for verification.
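
The kind of rule-based check described above, as an added example that is not part of the original post or any issuer's system: it scores a transaction on distance from home, amount, and a run of unverified self-serve transactions, then maps the score to approve, refer (merchant calls the issuer) or decline. The `Txn` fields, thresholds and weights are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass
from itertools import takewhile

# Thresholds and weights are illustrative assumptions, not issuer values.
LARGE_AMOUNT, FAR_KM, RUN_LENGTH = 500.00, 500.0, 3
REFER_AT, DECLINE_AT = 50, 80

@dataclass
class Txn:
    amount: float
    lat: float
    lon: float
    self_serve: bool   # unattended terminal such as a fuel pump or kiosk
    verified: bool     # cardholder verified, e.g. PIN entered

def distance_km(lat1, lon1, lat2, lon2):  # great-circle (haversine) distance
    p1, p2 = math.radians(lat1), math.radians(lat2)
    half_dlon = math.radians(lon2 - lon1) / 2
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(half_dlon) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def unverified_self_serve(t):
    return t.self_serve and not t.verified

def score(txn, home, recent):
    """Score txn (0-100) against home (lat, lon) and the card's prior txns, oldest first."""
    points, reasons = 0, []
    if distance_km(*home, txn.lat, txn.lon) > FAR_KM:
        large = txn.amount >= LARGE_AMOUNT
        points += 60 if large else 20
        reasons.append("large amount far from home" if large else "far from home")
    if unverified_self_serve(txn):
        points += 20
        reasons.append("unverified self-serve")
        run = 1 + sum(1 for _ in takewhile(unverified_self_serve, reversed(recent)))
        if run >= RUN_LENGTH:  # unbroken series ending with this transaction
            points += 30
            reasons.append(f"series of {run} unverified self-serve")
    return min(points, 100), reasons

# refer: merchant is alerted to call the issuer; decline: cardholder must contact the issuer.
def decide(txn, home, recent):
    points, reasons = score(txn, home, recent)
    action = "decline" if points >= DECLINE_AT else "refer" if points >= REFER_AT else "approve"
    return action, reasons

# Constructed sample: home in Montreal, a large verified purchase in Vancouver.
HOME, FAR_PURCHASE = (45.50, -73.57), Txn(900.00, 49.28, -123.12, False, True)
```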


Filed under Credit card, credit card theft, Merchant services