HomeATM at the (Security) Summit!

HomeATM CEO, Ken Mages and I, just returned from Salt Lake City, where we attended the ProPay Data Security Summit. 

On Wednesday, March 18th, after ProPay CEO Gary Goodrich completed his opening remarks, he introduced PCI Security Standards Council General Manager Bob Russo.

We had been informed by our PCI Testing Lab representative (Witham Labs) that the PCI SSC would probably "officially list" our Safe-T-PIN (the T stands for Transaction) device later that morning.
 

Ironically, while Bob Russo was a featured speaker at the event. 

While he  was addressing attendees, I refreshed my laptop's screen to see that, indeed,  HomeATM had been added to the distinguished list of PCI 2.0 PED Devices on the PCI SSC website.  My first thought was, how ironic is that?  Two plus years in the making, an we get certified while the GM for PCI SSC is 50 feet away talking about the importance of such certification. But all irony aside, the fact remains that:

For the first time in the history of the PCI Security Standard Council's existence, a PIN Entry Device designed for e-Commerce, achieved PCI 2.0 certification.  That device is HomeATM's SAFE-T-PIN, which provides consumers and merchants with an unmatched level of 3DES DUKPT "fully beginning to end encrypted" security on Web Transactions.


In order to duly record the moment, I "pinned down" (yeah...pun intended) PCI SSC's Bob Russo and asked if he would participate in a picture with Ken Mages, HomeATM's CEO.   Bob kindly obliged, and pictured above is the resulting photo...forever capturing this historic milestone in e-payments history! (Click Pic to Enlarge)

So, what does this all mean?  The security benefits of a PCI 2.0 PED certified device CANNOT be overstated.  Tomorrow I will publish a review of the Safe-T-PIN device, conducted by The Society of Secure Payment Professionals. 

About the PCI Security Standards Council 

The PCISecurity Standards Council is an open global forum, launched in 2006,that is responsible for the development, management, education, andawareness of the PCI Security Standards, including: the Data SecurityStandard (DSS), Payment Application Data Security Standard (PA-DSS),and Pin-Entry Device (PED) Requirements.

All of the five founding members have agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs. Each founding member also recognizes the QSAs and ASVs certified by the PCI Security Standards Council as being qualified to validate compliance to the PCI DSS.

A Limited Liability Corporation (LLC) chartered in Delaware, USA, the PCI Security Standards Council was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc..

All five payment brands share equally in the council's governance, have equal input to the PCI Security Standards Council and share responsibility for carrying out the work of the organization. Other industry stakeholders are encouraged to join the group and review proposed additions or modifications to the standards.

 

Executive Committee - PCI SSC

• Seana Pitt, Vice President, Merchant Policy & Data Quality, American Express
• Suzanne Smits, Vice President, Network Services, Discover Financial Services
• Lib de Veyra, Vice President, Emerging Technologies, JCB International
• Bruce Rutherford, Group Head, Fraud Management Solutions, MasterCard Worldwide
• Lance Johnson, Senior Vice President, International Risk Management, Visa Inc.

From Digital Transaction News, earlier today:

Online PIN debit continues to move from concept to reality in the early months of 2009.  HomeATM ePayment Solutions announed its PIN pad and point-of-sale device, the Safe-T-PIN, has achieved certification under the Payment Card Industry PIN Entry Device (PED) 2.0 standard.

The device, which attaches via a USB connection to PCs to allow consumers to make PIN debit transactions on Web sites and to do person-to-person money transfers online, is the first of its kind to win PED 2.0 certification. For more on HomeATM, click here. 

Editor's Note: To learn more about a software based solution, which is NOT PCI certified (and never CAN be) click any of the related articles below...

Software Based PIN Debit Application from Acculynk

• Updated: Acculynk...Where's the PIN Offset? My Pet PVV (pindebit.blogspot.com)
• Acculynk Most Closely Mimics Consumer Grocery Store Checkout Experience - (satire)
• HomeATM Challenges ATMDirect (Acculynk) to a "PIN-OFF" - PIN Payments Blog 
• HomeATM still waiting to hear from ATMDirect regarding "PIN-OFF" 
• HomeATM officially invites ATMDirect to a "PIN-OFF"
  
  
  
  
  
  

  10 Apr 2008 by John B. Frank   i was speaking with ken mages, the founder and ceo of homeatm and george gendron, homeatm's president regarding atmdirect's questionable press release smoke, mirrors and patents last sunday, and the notion of calling them on their bluff ...

• ATMDirect has (as of yet) still not accepted the "PIN-OFF ...21 Apr 2008 by John B. Frank  
  homeatm prepaired (sic) to prove atmdirect is vaporware: after reading this public "let's take it outside" challenge by homeatm's ceo, there is little question that atmdirect is either going to have to accept the challenge and prove ...
  
  
  
  
  
  
  
  
  An Open Letter to ATM Direct Executives  May 01, 2008  by John B . Frank
  Withless than 13 days remaining, we still have yet to hear from ATMDirecteven though our CEO, Kenneth Mages, has made them aware of it from thebeginning. However, in the interest of complete and unbiased fairness,this morning I sent ... (you gotta read this!)
  
  
• ATMDirect president's response to open letter3 May 2008 by John B. Frank  
  on thursday, i received a telephone call from nandon sheth, the president and new owner of atmdirect. we had a pleasant conversation and nandon addressed a few of the issues made in "an open letter letter to atmdirect". ... (READ BETWEEN THE LINES...WE'LL  LET THE INDUSTRY DECIDE!...WHAT LIKE PCI 2.0 PED?  OKAY!!!
  

PIN Entry Devices

To gain approval by PCI Security Standards Council, PIN entrydevices must comply with the requirements and guidelines specified inthe following documents. Vendors preferring to complete formselectronically should download the appropriate documents.

Listing of PCI Security Standards Council Approved PIN Entry Devices

Payment Card Industry Resources

• Testing and Approval Program Guide (PDF)

Security Requirements

• Encrypting PIN Pad Devices (PDF) (DOC)
• Encrypting PIN Pad Devices 2.1 (PDF) (DOC)
• Point of Sale Devices (PDF) (DOC)
• Point of Sale Devices 2.1 (PDF) (DOC)

Evaluation Vendor Questionnaires

• Encrypting PIN Pad Devices (PDF) (DOC)
• Encrypting PIN Pad Devices 2.1 (PDF) (DOC)
• Point of Sale Devices (PDF) (DOC)
• Point of Sale Devices 2.1 (PDF) (DOC)

FAQs

• General Frequently Asked Questions (PDF)
• Technical Frequently Asked Questions** (PDF)
• Technical Frequently Asked Questions 2.0** (PDF)

Derived Test Requirements
Payment Card Industry (PCI) Recognized Laboratories
PED AnnouncementsFor questions please contact, pciped@pcisecuritystandards.org.