Verifone key injection facility
Whoops - that chip and pin terminal you bought last year ahead of everyone else, to be ready for the new standards coming in October of this year, might not be completely ready. In fact, it may have to be shipped to an authorized center to have certain encryption data “injected” into the terminal.
What? The salesman said it was ready? Maybe so, but it still might have to be returned to an authorized secure service center to be injected with some unique data in order to be usable.
We asked about the state of the industry and the availability of various credit card terminals, and also asked about the injection of encryption keys.
First on equipment - "there is somewhat of a backorder in the the industry. The two largest manufacturers, Ingenico and Verifone, are ramping up. The most popular models are the Verifone 915 and 925 for tier one and tier two (the largest of retailers), and also the Ingenico 250 and 480 models are available."
As of last week, they had not personally had an EMV transaction take place. "Processors are not taking them live yet."
Ms. McInerny remarked that she expected there to be more equipment issues in October. " Don't think that all of a sudden there will be a flood of equipment available in the market." "Retailers need to come up with a plan."
Based on this and comments from vendors like Verifone, retailers should consider getting a solution in place now - even if it is not exactly what they would like and then perhaps a year down the road, when the situation has eased, consider switching to another type of terminal. Consumers are increasingly aware of chip-and-pin and are not going to be indifferent to using old, unsecure equipment. Point-to-point encryption offers an excellent solution for retailers. The device is external and the credit card data completely bypasses the POS solution. While it may be slightly less convenient, it is vastly more secure than swiping a mag-stripe card through a keyboard reader.
Moving on to Key Injection
Key Injection Service is the secure process by which payment hardware (credit card terminal/ reader/ pin pad) gets loaded with the encrypted Debit and Data keys which in effect “marries” the terminal to the merchant’s processor and bank to make the device functional and secure. This process is mandated by PCI (Payment Card Industry) to mask and protect card holder data during the transaction. A debit key is needed to scramble the pin data and a data key is needed to scramble card data. A debit key is mandatory if a customer wants to accept debit cards. Customers accepting only credit will not need key injection.(1)
Through this ESO designation, ScanSource provides key injection services in-house at its secure facility. In addition to on-site key injection, its ESO certification allows them to provide remote key injection services from vendors such as Magtek and VeriFone.