Secure PumpPAY Update

Introducing Secure PumpPAY
A Payment Security solution for your existing fuel dispensers from VeriFone
[Your Company Name Here]
Discussion Topics
• Why Secure PumpPAY – Why now
• What our customers are telling us
• Overview of Secure PumpPAY features
• Dispenser retrofit kit options available
• Understanding your fuel dispenser PCI options
• Common Misconceptions – Information you need to Know
• What to expect during installation
• Other PCI-related solutions you should consider
• Questions
Why Secure PumpPAY, Why Now?
Convergence of three key attributes:
• Card usage sharply increased at the pump
• PCI standards and dates have been cemented
• Improved security at retail stores and restaurants has exposed our industry's vulnerability
• Over 1 million fueling positions are prime targets
Significant rise in card use at petroleum retail sites
• Pay at the pump availability has grown steadily
• Approx. 90% of sites offer pay at the pump
• Approx. 60% of sites also accept Debit at the pump
• North America has over 700K dispensers (over 1.4M fueling points)
• Cards have surpassed cash as dominant payment form at convenience stores
• Recent rise in fuel costs has driven additional card transactions
PCI standards and dates have been cemented
Visa Security Mandates
January 2009
New fuel dispensers must support Triple DES (TDES) by January 1, 2009.
• All newly deployed unattended POS PIN acceptance devices must contain an EPP that has passed testing by a PCI recognized laboratory and is approved by Visa for new deployments.
Impact: TDES-capable PCI certified keypads required on new dispensers accepting PIN debit transactions.
July 2010
Existing fuel dispensers must support Triple DES (TDES) by July 1, 2010.
• All transactions originating at POS PEDs must be encrypting PINs using TDES from the point of transaction to the Issuer (end-to-end)
Impact: TDES-capable PCI certified keypads required on all dispensers accepting PIN debit transactions.
Key PCI dates you need to be aware of
1. Secure the forecourt with TDES
• January 2009: New dispensers
• June 2010: Existing dispensers
2. Upgrade to PCI PED PIN Pads & TDES
• June 2010: Merchants VISA PED or PCI PED Pin Pads and TDES
3. Update Payment Software to PABP
• October 2008: New Stores
• July 2010: All Stores
[Timeline figure: July 2008 through July 2010]
Improved Security in other industries has exposed our vulnerability
Thieves Increasingly Targeting Fuel Dispensers
[Chart: Degree of Security (0% to 100%) for Retail, Restaurants and Gas Stations; Organized Crime Focus]
“Using a credit card at a gas station poses more of a risk for data theft than shopping online, as point-of-sale terminals at the pump have emerged as a weak link in the security chain”
– Gartner Group
Fuel dispenser skimming is becoming epidemic
7/29/08
Calgary Police estimate 2 or 3 new "Skim" sites are set up every day in Calgary. The lead investigator, Constable Darren Hafner guesses there's up to 50 different stores in Calgary on any given day with skimmers and cameras operating.
7/29/08
Under the pretense of needing a nicotine fix, a man walked into an Edmonton gas station last week and ran out with a debit-card machine.
7/23/08
OPP investigators believe they've broken up a fraud operation that involved the use of "skimming" devices in fuel pumps to collect the credit card and debit card information of Windsor and Essex County residents.
7/23/08
Devices used to steal your credit card number are showing up in the Austin area. Just last week, Texas Department of Public Safety troopers say they found one in a man's car. They're afraid he's part of a much bigger operation.
7/22/08
“In Las Vegas, just in the last month, we have recovered 4-5 skimmers and a gas station skimmer that was actually in a pump.”
7/9/08
That's what Pennsylvania State Police said about the thieves who cracked into numerous Lower Bucks bank accounts by planting a card skimmer inside gas pumps, including one at a Bristol Township Wawa.
What our Customers are telling us
• Most customers don’t understand what they have to do to meet PCI mandates
• Think the dates will be pushed out again
• Don’t believe these PCI mandates apply to them
• Are angry with the Card Associations because of Interchange Fee “Ransoms” they are paying
• There is much confusion about the various options available
• Other companies are misrepresenting their capabilities and leading customers to believe there are inexpensive, stop-gap solutions that are also Secure and will protect them from fraud
Overview of Secure PumpPAY
Overview of Secure PumpPAY and its Features
Color LCD screen: 5.7” ¼ VGA
32 bit processor
Secure embedded Linux OS
8 screen addressable keys
24MB memory: 8MB Flash, 16MB DRAM
512K Secure SRAM
Tamper responsive housing
PCI PED certified
Contactless Card Reader: Integrated into unit
Built-in privacy shield
Recessed keypad easier to use
Large key polymer keypad
IP65 rated sealed PIN pad
Connectivity: 2 serial ports, 1 Ethernet port, Optional PSTN/ISDN port
Dip Style Magnetic Stripe Card Reader
Software Development Kit: API’s and XML/HTML GUI development tools
** Remote key loading
Increases fuel dispenser security
• Extended bezel around unit eliminates or reduces ability of cameras being used for capturing PIN entries
• Tactile keypad prevents keyboard overlay skimmers from being installed
• OP4100 housing conceals all cables making installation of skimmers more difficult
• PCI EPP 1.3 certified
• New keys for doors will make access to Secure PumpPAY units more difficult as keys are not widely available
• Canadian version features Secure Card Reader (EMV certified) which encrypts message from MSR to EPP and door switch
• VeriShield Protect will further improve security by encrypting track data as soon as it is read by the MSR
Impact: Criminals will target pumps with known vulnerable DCR’s
Secure PumpPAY Security Benefits
• Meets the latest Payment Card Industry (PCI) requirements to provide the most secure on-line PIN entry as well as Triple DES method of encryption at the fuel dispenser
• Secure PumpPAY housing conceals all cables making installation of skimmers more difficult
• New keys for doors will make Secure PumpPAY units more difficult to access as keys are not widely available
Secure PumpPAY Enhanced Security Benefits
• Extended bezel around unit reduces or eliminates ability of cameras being used for capturing PIN entries
• Polymer tactile keypad prevents keyboard overlay skimmers from being installed
• Remote key load feature allows debit keys to be loaded in the field and helps ease the process when changing networks
Additional Secure PumpPAY Benefits
• Integrated, all-in-one design simplifies installation into existing pumps. Retrofit Kits are available for all major dispenser manufacturers and models, and installation can be done in as little as 30 minutes.
• Large color display provides bright attention-getting messages that help drive customers into the store for high margin sales.
• Integrated high resolution printer is included and can prominently highlight graphics such as company logos and bar-coded receipts for in-store promotions.
• Built-in Contactless Reader is included, which future-proofs your investment
• Simplify management and customer interface by having the same system at all pumps.
Secure PumpPAY vs. other PCI options
What are all of my options for pump security?
OPTION 1: Replace Dispenser with new product that features PCI EPP (Very costly)
OPTION 2: Replace only the Keypad with PCI EPP
OPTION 3: Replace the Keypad and Card Reader with PCI EPP and Secure Card Reader
OPTION 4: Replace Keypad, Card Reader and Display with PCI approved integrated payment terminal
Understanding the Risks: Current Scenario
Current Payment System Vulnerabilities
[Diagram labels]
• Bug on MSR Cable – Capture Track Data
• Bug in MSR – Capture Track Data
• PIN Pad Tampering – Capture Track Data and PIN
• Debit Encryption
• Encryption Module (GSM, etc.)
• Tap on Line – Capture PINs and Track Data
• To Point of Sale
Understanding the Risks: TDES-Only Scenario
TDES-only vulnerabilities: Move encryption to the dispenser
[Diagram labels]
• Bug on MSR Cable – Capture Track Data
• TDES Keypad – Debit encryption
• PIN Pad Tampering – Capture Track Data and PIN
• Bug in MSR – Capture Track Data
• Dummy GSM or Replaced
• Tap on Line – Capture Track Data
• To Point of Sale
• PINs can NO longer be captured here
Understanding the Risks: EPP Scenario
Encrypting PIN pad-only solution vulnerabilities
[Diagram labels]
• Bug on MSR Cable – Capture Track Data
• Bug in MSR – Capture Track Data
• Tamper Resistance & Detection
• PINs and Track Data hard to capture
• Dummy GSM or Replaced
• Tap on Line – Capture Track Data
• To Point of Sale
• Can STILL Capture Track Data
Understanding Risks: EPP + Secure Card Reader Scenario
EPP and Secure Card Reader Solution Vulnerabilities
[Diagram labels]
• Bug on MSR Cable – Capture Track Data
• Can NOT Capture Track Data on cable
• Bug in MSR – Capture Track Data
• Tamper Resistance & Detection
• PINs and Track Data hard to capture
• Dummy GSM or Replaced
• Tap on Line – Capture Track Data
• To Point of Sale
• Can STILL Capture Track Data
Common Customer Misconceptions
Is fuel pump fraud really a problem? (Am I really at risk?)
Petroleum retailers should be aware that the number of fuel pump breaches is increasing dramatically.
• In the last 2 years, there have been 24 fuel pump breaches reported
• At least 70 stations have reported their pumps were breached
• At least 800 consumers had their cards fraudulently used
• Estimates of the fraud amounts are over $1.5M, or $2,000 per card average
• In the past three months, skimming at the pump has been reported in: Arizona, California, Delaware, Florida, Georgia, Indiana, Illinois, Massachusetts, Michigan, Nevada, New Jersey, North Carolina, Pennsylvania, Texas, Washington, Wisconsin, British Columbia, Alberta, Ontario, Saskatchewan, Africa, India, Australia, United Kingdom
• Data breaches more than doubled in 2008 first quarter
• “Data breaches disclosed by Hannaford Bros Supermarket chain, GE Money, and Georgetown University are just some of the 167 breaches reported during the first quarter of 2008, according to the non-profit Identity Theft Resource Center.”
• "Using a credit card at a gas station could pose more of a risk for data theft than shopping online...petroleum and convenience retailers must react quickly to avert unnecessary exposure to fraud and the mitigation expense they will undoubtedly incur if left unchecked." – Gartner Inc. Analyst
Most retailer breaches are NOT disclosed, Gartner says
• While nearly half of U.S. retailers have been hit with some kind of information security attack, only a small percentage of them have actually reported breaches to their customers, research company Gartner reports.
• In a new study based on interviews with 50 U.S. retailers, Gartner found that 21 of them were certain they had a data breach. However, just three of the retailers had disclosed the incident to the public. (Only 14% of breaches.)
If this is true, then the ACTUAL number of fuel pump breaches may be:
• 500+ fuel dispensers breached
• Almost 6,000 consumers with fraudulent transactions
• Over $10M in fraudulent transactions
Is there a difference between PCI vs. TDES?
Other companies are saying all I need to do to meet PCI mandates is install a TDES keypad, is that true?
The only current requirement is TDES encryption at the fuel dispenser beginning on July 1, 2010. That only encrypts PINs and does nothing to protect your customers' card data and your business from data thieves.
One option: I will just stop taking Debit at the pump
Can’t I just stop accepting PIN Debit at the pump?
Yes, but turning off debit has two key risks:
1. Most Card Association Merchant Services Agreements require merchants to accept debit along with all other forms of card payments.
2. Debit usage by consumers is high at fuel stations and the trends are that debit usage will continue to grow. You will likely lose customers in addition to lost sales.
It's too expensive. How can I pay for Secure PumpPAY?
OPTION 1: FINANCE
No. Pumps    Monthly Finance Price
2            $220
4            $440
6            $660
8            $880
OPTION 2: LEASE
No. Pumps    Monthly Lease Price
2            $210
4            $420
6            $630
8            $840
OPTION 4: RENT
No. Pumps    Down payment    Monthly Rental
2            $1,500          $168
4            $3,000          $336
6            $4,500          $504
8            $6,000          $672
What about new Standards?
What about new standards that may be coming out? What else do I need to do to protect my business?
Secure PumpPAY was designed for the European market; it already includes the advanced security features that are being added to the next set of PCI requirements.
Will I also need software upgrades?
Will I have to upgrade my other software to work with Secure PumpPAY?
Probably not; most customer locations are already on a POS application software release that is compatible with Secure PumpPAY.
Creating Display Content
How can I take advantage of the new display? Will I need to hire a marketing company to create ads and promotions for me?
No, Secure PumpPAY includes a tool to load graphical content to the display that anyone can use. It is Windows-based and features drag-and-drop functionality.
Do some graphics come with the unit?
Yes, your Secure PumpPAY unit will come with a graphics library that includes instructional messaging and some promotional messages.
What do I get when I buy Secure PumpPAY
• Secure PumpPAY consists of TWO components
• Payment terminal and accessories
  • OP4100 Payment terminal
  • VeriFone Interface Board (VIB)
  • Power Supply
  • Thermal Printer
  • Cable assembly kit
• Dispenser door assembly kit
  • Door frame
  • Hinges, locks, mounting brackets
  • Dispenser-specific connectorized cable harness
• Help Desk included for the first year
• On-Site Maintenance service provides extended warranty coverage
Dispenser Models Supported
Secure PumpPAY options are currently available for:
• Gilbarco Advantage series
• Dresser-Wayne Vista series
• Tokheim Premier
  • B-series
  • C-series
  • MMD series
• Bennett Pacific series
Additional options are planned for 2009 including:
• Gilbarco Encore series
• Dresser-Wayne Ovation series
• Others [based on customer need]
• Schlumberger 4000 and Centurion
What you can expect during Installation
The Installation Process
Most work will be done at the Installer's service location
Pre-installation or staging activities include:
• Loading the OpenPAY application
• Loading of the Debit keys
• Loading of any graphic content you would like and have provided
• Assembly of the Payment terminal and printer into the door frame assembly
During the day the equipment is being installed
• The installer will only turn down half of the dispensers at a time
• You will still be pumping fuel from the remaining dispensers
• The old equipment is removed
• Pre-assembled devices will be installed
• The new door frame assembly will be installed
• Technician tests the POS to new equipment connection
• New equipment is activated and now processing payments
*The above process is repeated for the other half of the dispensers
[Photos, before and after: Gilbarco Advantage Fuel Dispenser after Installation]
[Photos, before and after: Tokheim Premier B Fuel Dispenser after Installation (Model 333B with MMD pictured)]
[Photos, before and after: Tokheim Premier C Fuel Dispenser after Installation]
[Photos, before and after: Wayne Vista Fuel Dispenser after Installation]
[Photo: Bennett Pacific Fuel Dispenser after Installation]
Installation Complete
Secure PumpPAY processing transactions
Servicing Secure PumpPAY
• Secure PumpPAY includes an initial 1 year parts warranty and also includes a one year Help Desk support agreement
• Extended warranties up to five years can be added to include On-Site Maintenance
• Servicing of the Secure PumpPAY units will be done by the same VASC technicians who currently provide service to your location
Removing old DCRs returns Maintenance savings
• Costly to maintain components are removed
• All of the items below are removed when installing Secure PumpPAY, eliminating the need to service or maintain these costly parts:
  • CRIND Logic, printer and display boards and power supplies
  • Debit Security modules (GSM’s, TED’s, DSM’s, etc)
  • Card Reader firmware
• Improved graphics downloading
  • With Secure PumpPAY, you also improve the graphics download time: 5 minutes with SPP vs. as much as 45 minutes in a typical VeriFone to CRIND scenario.
  • Results in less time your dispensers are offline!
Rebranding? No Problem!
• Servicers can request new encryption keys for a nominal processing fee ($12 per key request)
• The new encryption keys can be loaded in the field without having to remove the hardware
• A significantly less costly proposition
• Simplifies the process in changing card processing networks
Secure PumpPAY: the only Secure payment solution
Questions?
For the latest information, check out http://www.securepumppay.com