Title: Secure PumpPAY Webinar
1Secure PumpPAY Webinar
- September 18 26, 2008
- Jeff Wakefield
- VP Marketing
2Agenda
- Security Mandates Facing Fuel Retailers
- Payment Security Mandate Roadmap
- Secure PumpPAY
- Overview
- Models Supported
- Benefits
- Installation
- Content Delivery
- Questions
3What do I need to do and when?
4Visa Fuel Pump Security Mandates
January 2009: New fuel dispensers must support
Triple DES (TDES) by January 1, 2009.
All newly deployed unattended POS PIN acceptance
devices must contain an EPP that has passed
testing by a PCI recognized laboratory and is
approved by Visa for new deployments.
Impact: TDES-capable PCI certified keypads
required on new dispensers accepting PIN debit
transactions.
July 2010: Existing fuel dispensers must support
Triple DES (TDES) by July 1, 2010.
All transactions originating at POS PEDs must be
encrypting PINs using TDES from the point of
transaction to the Issuer (end-to-end).
Impact: TDES-capable PCI certified keypads
required on all dispensers accepting PIN debit
transactions.
5VISA Global POS PED TDES Mandates
IMPACT: If you are not using TDES today, you must
create TDES keys, inject your terminals (unless
you are replacing them) and upgrade your CRINDs to
support TDES by 7/1/2010.
6VISA PED Deployment Mandates
IMPACT: If your payment terminals are not VISA
PED or PCI PED (generally purchased prior to
mid-2004), they must be replaced by July 1, 2010,
and pumps must be upgraded.
7VISA PABP Mandates
IMPACT: If any application that stores, processes
or transmits payment card data is not PABP
compliant, you must either upgrade to a
compliant version or replace it by October 1,
2008 to add a new location or July 1, 2010 for
all stores.
8VeriFone Solutions
9Fuel Pump Fraud Security
10Fuel dispenser skimming is becoming epidemic
7/29/08 Calgary Police estimate 2 or 3 new
"Skim" sites are set up every day in Calgary.
The lead investigator, Constable Darren Hafner
guesses there's up to 50 different stores in
Calgary on any given day with skimmers and
cameras operating.
7/29/08 Under the pretense of needing a nicotine
fix, a man walked into an Edmonton gas station
last week and ran out with a debit-card machine.
7/23/08 OPP investigators believe they've broken
up a fraud operation that involved the use of
"skimming" devices in fuel pumps to collect the
credit card and debit card information of Windsor
and Essex County residents.
7/23/08 Devices used to steal your credit card
number are showing up in the Austin area. Just
last week, Texas Department of Public Safety
troopers say they found one in a man's car.
They're afraid he's part of a much bigger
operation.
7/22/08 In Las Vegas, just in the last month,
we have recovered 4-5 skimmers and a gas station
skimmer that was actually in a pump.
7/9/08 That's what Pennsylvania State Police
said about the thieves who cracked into numerous
Lower Bucks bank accounts by planting a card
skimmer inside gas pumps, including one at a
Bristol Township Wawa.
11Fuel retail breaches are escalating
- In the last 2 years, there have been 24 fuel pump
breaches reported
- At least 70 stations have reported their pumps
were breached
- At least 800 consumers had their cards
fraudulently used
- Estimates of the fraud amounts are over 1.5M, or
2,000 per card average
Data breaches more than doubled in 2008 first
quarter: "Data breaches disclosed by
Hannaford Bros Supermarket Chain, GE Money, and
Georgetown University are just some of the 167
breaches reported during the first quarter of
2008, according to the non-profit Identity Theft
Resource Center (ITRC)."
In the past three months, skimming at the pump
has been reported in:
- Arizona
- California
- Delaware
- Florida
- Georgia
- Indiana
- Illinois
- Massachusetts
- Michigan
- Nevada
- New Jersey
- North Carolina
- Pennsylvania
- Texas
- Washington
- Wisconsin
- British Columbia
- Alberta
- Ontario
- Saskatchewan
- Africa
- Australia
- United Kingdom
12Visa reports AFDs as primary targets
- Findings
- Fraud activity concentrated in southern
California and Florida
- Specific AFD manufacturers and models targeted
- Organized groups target locations; goal is track
and PIN data
- Targets
- High volume stations
- AFD located away from cashier
- Access via front panel with shared brass key
- Suspects impersonate pump service technicians
- Reader device attached to card reader and PIN pad
Today, retailers who have had cards compromised
at the pump are subject to fines, card loss
reimbursement, investigation costs and card
re-issuance costs if they do not have PCI
certified payments at the pump.
Source: Visa Webinar 12-11-2007
13TDES mandate does NOT mean security at the pump
- The TDES mandate does not increase security at
the fuel dispenser
- TDES makes decrypting encrypted PIN numbers
harder
- To our knowledge, no one has broken the DES
encryption schemes and compromised PIN numbers
- The current fuel pump payment security risks
remain
- Limited number of brass keys to provide access to
the DCR
- Available ribbon cables to tap into to steal MSR
data
- No shroud to protect against overhead cameras
stealing PINs during entry
- Criminals know how to tamper with existing DCRs
in the fuel dispenser
- Criminals know the format of data from these
pumps
- Track data is not encrypted between the MSR and
the EPP or current debit module (GSM, etc.)
14Secure PumpPAY increases fuel dispenser security
- Extended bezel around unit eliminates or reduces
ability of cameras being used for capturing PIN
entries
- Tactile keypad prevents keyboard overlay skimmers
from being installed
- OP4100 housing conceals all cables making
installation of skimmers more difficult
- PCI EPP 1.3 certified
New keys for doors will make access to Secure
PumpPAY units more difficult as keys are not
widely available.
Canadian version features Secure Card Reader
(EMV certified) which encrypts
message from MSR to EPP and door switch.
VeriShield Protect will further improve security
by encrypting track data as soon as it is read
by the MSR.
Result: Criminals will target pumps with known
vulnerable DCRs.
15Secure PumpPAY Product Overview
16Secure PumpPAY feature overview
32 bit processor, Secure embedded Linux OS
Color LCD screen 5.7 ¼ VGA
24MB memory: 8MB Flash, 16MB DRAM, 512K Secure SRAM
8 screen-addressable keys
Contactless Card Reader integrated into unit
Tamper responsive housing, PCI PED certified
Built-in privacy shield
Large key polymer keypad, IP65 rated sealed PIN pad
Dip Style Magnetic Stripe Card Reader
Software Development Kit: APIs and XML/HTML GUI
development tools
Connectivity: 2 serial ports, 1 Ethernet port,
optional PSTN/ISDN port
Remote key loading
17Secure PumpPAY Security Benefits
- Meets the latest Payment Card Industry (PCI)
requirements to provide the most secure on-line
PIN entry as well as Triple DES method of
encryption at the fuel dispenser
- Secure PumpPAY housing conceals all cables making
installation of skimmers more difficult
- New keys for doors will make Secure PumpPAY units
more difficult to access as keys are not widely
available
18Secure PumpPAY Enhanced Security Benefits
- Extended bezel around unit reduces or eliminates
ability of cameras being used for capturing PIN
entries
- Polymer tactile keypad prevents keyboard overlay
skimmers from being installed
- Remote key load feature allows debit keys to be
loaded in the field and helps ease the process
when changing networks
19Additional Secure PumpPAY Benefits
- Integrated, all-in-one design simplifies
installation into existing pumps. Retrofit Kits
available for all major dispenser manufacturers
and models, and can be done in as little as 30
minutes.
- Large color display provides bright
attention-getting messages that help drive
customers into the store for high margin sales.
- Integrated high resolution printer included and
can prominently highlight graphics such as
company logos and bar-coded receipts for in-store
promotions.
20Additional Secure PumpPAY Benefits
- Built in Contactless Reader is included which
future proofs your investment
- Simplify management and customer interface by
having the same system at all pumps.
21Integrated, all-in-one design simplifies
installation
Retrofit Kits are available for all major
dispenser manufacturers and models commonly
installed
- Compact design streamlines installation
- PCI approved design streamlines retro-fits or new
installs
- Most dispensers can be completed in about an
hour
- Retrofit Kits include the following
- OP4100 PCI compliant card reading terminal
- High speed thermal printer that supports high
resolution images and graphics
- Dispenser door replacement panel that meets
original manufacturer design and materials
- Cables, connectors and power supplies
- Mounting brackets and door locks
- Easily integrates into Ruby and Topaz POS
systems
22Gilbarco Advantage Retrofit Kit
Before
After
23Tokheim Premier B Wide Retrofit Kit
Model 333B with MMD pictured
Before
After
24Tokheim Premier C Wide Frame Retrofit Kit
Before
After
25Wayne Vista Retrofit Kit
Before
After
26Successful US field trials began in October 2007
- 16 field trial sites were installed from October
2007 to July 2008
- All Released Pump Types Tested in a variety of
environments
27Installation
- Pre-Installation
- Application installed
- Content Loaded
- Debit Keys downloaded from the VeriFone Portal
- Installation of Payment Terminal and Printer into
the Door frame assembly
- Day of Installation
- Half of Dispensers Shut Down
- Old equipment removed
- Install the pre-assembled devices
- Install the new Door Frame assembly
- Test communication with the POS
- Activate the new Payment terminals
- Repeat the above process for the remaining
dispensers
28Loading Graphical Images using the SPP Installer
Program
VeriFone includes the SPP Installer Program with
every Secure PumpPAY Purchase. This program
enables our customers to:
- Customize the Content that is displayed on your
Secure PumpPAY dispenser Payment Terminals at
each of your Sites
- Change the content and promotions as often as
your business requires
- Promote In-Store specials to drive additional
revenue
- Display Community Interest Messages to Reinforce
your Brand and your commitment to the local
community
This is an Easy, 10-Step process that does not
require any artistic or technical skills to create
and maintain a very Professional Image!
29SPP supports Two Image Prompts Sequences
The Image Download tool includes two tabs for
loading ten images each:
- Fuel Image: Use this tab for images that will be
displayed while the Customer fuels their vehicle
- Idle Image: Use this tab for images that will be
displayed before the Customer begins fueling
Step 1: Select the Idle Image tab to begin
to load content into the Idle Image sequence
30Save your images in an easy-to-find image library
or folder
Step 2: Open the Folder where images are stored
on your Laptop desktop. The images you load
will be displayed on the SPP display sequentially,
going left to right on the top row, followed by
left to right on the bottom row.
Best Practices recommend creating
separate directories for Idle Prompt
Images and Fueling Prompt Images
to streamline the loading process.
31Loading Images is simply drag and drop
Step 3: Sequentially select and drag each image
to any one of the ten available image boxes to
create the Image Playlist. Repeat
the process until you have loaded all of the
available images (Maximum of ten).
Select Image
Drag Image
Drop Image in Image Box
32Setting the length of time each image appears
Step 4: Set the Image Delay Option. When all of
the Image boxes are populated,
set the Delay window to reflect the length of
time the preceding image will be
displayed before changing to the current image.
NOTE: 3000ms equals 1 Second
33Preview Image Playlist to verify timing and image
sequence
Step 5: Preview the Image Playlist. Select the
Preview window to see the Scheduled Playlist,
including the length of time each image will be
displayed on the SPP display. Adjust to increase
or decrease the Image intervals.
Each image will be sequentially displayed until
the entire playlist has been displayed. This
step ensures timing is optimized for each image.
34Downloading the Playlist completes the Process
Step 6: Download the content to SPP. Once both
the Idle Image and Fuel Image playlists have
been loaded and previewed, download the content to
the SPP display by first selecting the Download
button, then selecting OK to confirm.
This completes the Image Download
process. Additional SPP devices can be
Downloaded repeating only the last step (Step 10)
35Graphics displayed throughout SPP application
Idle Image
Instructional Messaging
Instructional Messaging
Idle Image
Instructional Messaging
Instructional Messaging
36Graphics displayed throughout SPP application
Instructional Messaging
Informative Messaging
Suggestive Selling
Instructional Messaging
Instructional Messaging
Informative Messaging
37Brand specific idle images - examples
38Examples of promotional images
Graphics need to be 320 x 240 pixels and a
maximum of 25K file size. The file must also be
in a .GIF format
39What are my options for pump security?
Do Nothing
- Do not accept PIN debit at the pump after
June 30, 2010
- Do not protect your customers from card
compromises
- Do not protect your brand from pump breaches
- Lost customers who prefer PIN debit at the pump
- Install Secure PumpPAY after you have been
breached
Upgrade to a new pump with PCI certified payments
- Do you need a new pump now?
- Can you afford new pumps for all of your sites?
- Secure PumpPAY is approximately 1/3 to 1/4 of the
cost of a new pump
Install Secure PumpPAY
- Protect your customers and your brand from a
data breach
- Meet the June 20, 2010 deadline to support TDES
- Increase your inside sales with promotions at the
pump display
- Future proof your investment with advanced
security features and built-in contactless
- Increase customer confidence and loyalty
40VeriFone Payment Security Solutions
41VeriFone can help you meet your PCI goals today!
Questions?
For the latest information, check out
http://www.securepumppay.com