
PCI PTS 3.0 White Paper 45897 0311



The Evolution Continues

VeriFone VX Evolution - First complete product line to offer PCI PTS 3.0 approved solutions


2 PCI PTS 3.0 Security Standards

Threats to electronic payment transactions and personal information continue to grow. Data breaches can be a moving target — as security improves, hackers devise new plans of attack. Recovering from a breach could devastate a business. That’s why for many businesses it’s critical to stay on the leading edge of payment security. In May 2010, the Payment Card Industry Security Standards Council (PCI SSC) announced the PCI PIN Transaction Security (PTS) 3.0 payment security standard.

VeriFone is the first payment provider to integrate the sophisticated, unprecedentedly secure PCI PTS 3.0 protections across its entire family of innovative VX Evolution payment devices. If your business demands the absolute best in payment security, you need to talk to VeriFone today about what PCI PTS 3.0 can do for you.


Growing Challenges

Security Is Improving…But So Are Criminals.

According to The Green Sheet, an online news magazine that focuses on emerging issues in the payments industry, in the U.S. alone there were 181 data breaches in 2010 that impacted financial services, insurance or retail businesses. This was up from 37 such breaches in 2009.[1] Globally, both figures would be considerably higher. While some of these breaches were the result of lost, stolen or discarded PCs, cell phones and the like, more than a third of the losses were from hacker or malware attacks.

Fraud schemes not only focus on hacking software, but they also can seek to gain physical access to payment devices to enable criminal rings to capture sensitive card information to steal cardholders’ funds. As the hackers keep evolving their tactics, it’s essential that payment security gets strengthened to prevent security breaches.

PCI PED 2.0 or PCI PTS 3.0 — Only VeriFone Gives You a Complete Choice.

VeriFone has consistently led the payment industry in providing devices and applications that meet the latest payment security guidelines. The PCI PED 2.0 standard, which first took effect in 2008, can be expected to provide an acceptable level of protection for organizations with relatively ordinary security requirements for a number of years.

But for resellers and merchants that require absolutely the most advanced security protections possible — not only today, but also well into the future after the current PCI PED 2.0 standard has been retired — VeriFone now offers the only family of approved products with the latest in PCI PIN Transaction Security (PCI PTS) 3.0 standard. Three years in the making — with input and contributions from a variety of panels and providers with an interest in payment security — PCI PTS 3.0 represents by far the most sophisticated, robust and all-encompassing standard for card security ever brought to the market.

And VeriFone’s advanced VX Evolution family of devices — through its flagship countertop, portable and PIN pad models — is the first complete product line to offer the extraordinary protections of PCI PTS 3.0 for resellers and merchants that want to minimize their exposure to risk to the greatest degree possible.


[1] Copyright, Privacy Rights Clearinghouse, as published in The Green Sheet, January 24, 2011.


PCI PED 2.0 or PCI PTS 3.0?

PCI PTS 3.0

• Combined sets of requirements

• Three modules of evaluation requirements:

- Open Protocols – applies to Internet Protocol (IP) or to Ethernet and wireless-enabled devices

- Secure Reading & Exchange of Data (SRED) – secure reading and encryption of cardholder data at the point of entry

- Integration – addresses the integration of components in an unattended POS PIN acceptance device

• Mag-stripe read-head protection security level increased

• Case open protection security level increased

• Mandates that at least 50% of the security score comes from exploitation protection

• Smart card protection security increased

• Increased software security validation

• Daily self-test of software in addition to power-up self-test – must use cryptographic methods

PCI PED 2.0

• Three separate sets of requirements:

- Point of Sale PIN Entry Devices (PED)

- Encrypting PIN Pads (EPP)

- Unattended Payment Terminals (UPT)

• Additional magnetic stripe protection

• Top case replacement protection

• All encryption keys must have different values (enforced by devices)

• Approved key management schemes only

[Figure: VeriFone’s Security Triad – Physical Protection, Logical, Regulatory. Physical protection labels: tamper-evident/tamper-detection, one way screws, special gluing & security labels, security fence/keypad, case open switches. Other labels in the figure: VeriShield Total Protect, VeriShield Hidden Encryption, VeriShield Retain, Triple Data Encryption Standard, VeriShield Remote Key, EMV 4.0, SSL, PCI, SPVA, MasterCard PTS.]

VeriFone Provides Three Types of Security to Protect Payment Information

VeriFone has 30 years of unmatched experience in designing and implementing the most sophisticated security solutions in the industry. To combat the increasing sophistication of hacker attacks, VeriFone has developed a multifaceted approach to security protection. This “security triad” includes:

• Physical protection

• Logical security

• Compliance with the latest industry and regulatory standards

To achieve a high level of physical security, VeriFone builds a variety of tamper-resistant and responsive features into its payment devices. The objective is to make it extraordinarily difficult for a criminal ring to alter devices to capture sensitive cardholder information. For logical security, VeriShield Total Protect combines end-to-end encryption and tokenization to deliver one of the most secure solutions for data protection today. Other software and services capabilities that provide logical security include innovative file authentication methods and convenient yet highly-secure remote key injection.

In the third leg of the triad — regulatory security — VeriFone has been an industry leader for years, holding a seat on a number of the working bodies responsible for developing and implementing the latest compliance standards.

PCI PTS 3.0 Offers Greater Protections and Exciting Opportunities for Resellers and Merchants

That additional protection is precisely what PCI PTS 3.0 provides resellers and merchants that want to virtually eliminate their exposure to the bad press and potentially catastrophic losses from a major fraud incident or data breach.

Broader Scope and a Single Evaluation Program

PCI PTS 3.0 provides a single, highly efficient and effective security evaluation program for POS devices, encrypting PIN pads (EPPs) and unattended payment devices — simplifying and strengthening existing requirements to increase security. In addition, the new standard broadens the scope of security protections.


Additional Security Protections Built into VX Evolution

VeriFone’s implementation of PCI PTS 3.0 in its VX Evolution family of payment devices also includes the following protections:

• Improved case-open tamper resistance for its devices

• Better mag-stripe read-head protection

• Implementation of higher security for smart card usage

• Use of end-to-end encryption — where data is encrypted from the instant a card is swiped — to provide further protection against fraud

• Daily self-testing of software — plus the use of cryptographic methods as the primary means for checking either system integrity or file authentication
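The daily self-test and file-authentication requirement above (also listed under PCI PTS 3.0 in the comparison on page 4) comes down to a cryptographic integrity check of the software image: authenticate a manifest of file digests, then compare every file against it. The following is an added example written for this page, not VeriFone’s code and not the VX Evolution firmware; the file set, the self-test key and the manifest layout are constructed assumptions for illustration.

```python
"""Cryptographic software self-test: authenticate a file manifest, then
check every file's digest against it.  Added example for this page; it is
not VeriFone code.  The file set, key and manifest layout are constructed
assumptions for illustration."""
import hashlib
import hmac
import json

# Constructed self-test key.  A real terminal would keep this in its
# tamper-protected secure store rather than in source.
SAMPLE_KEY = bytes.fromhex(
    "0b3a9e4c7d2f1860a5c4e3b2d1f09876fedcba9876543210aabbccddeeff0011")

# Constructed stand-in for the device's software image: path -> contents.
SAMPLE_IMAGE = {
    "os/kernel.bin": b"\x7fELF constructed kernel image",
    "apps/payment.app": b"constructed payment application",
    "config/params.tbl": b"constructed parameter table",
}


def file_digest(data: bytes) -> str:
    """SHA-256 of one file's contents, hex encoded."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict, key: bytes) -> bytes:
    """Produce the signing-time manifest: canonical JSON of {path: digest}
    followed by a newline and an HMAC-SHA256 tag over that JSON."""
    body = json.dumps({p: file_digest(d) for p, d in files.items()},
                      sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def self_test(files: dict, manifest: bytes, key: bytes) -> list:
    """Run the integrity check.  Returns a sorted list of findings; an empty
    list means the software image matches the authenticated manifest."""
    body, _, tag = manifest.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    # Authenticate the manifest first: if its tag is wrong, none of the
    # digests inside it can be trusted, so stop here.
    if not hmac.compare_digest(expected, tag):
        return ["manifest authentication failed"]
    listed = json.loads(body)
    findings = []
    for path, digest in listed.items():
        if path not in files:
            findings.append(f"missing: {path}")
        elif not hmac.compare_digest(file_digest(files[path]), digest):
            findings.append(f"modified: {path}")
    # Files present on the device but absent from the manifest are also
    # reported: unsigned code should not be running on a payment device.
    for path in files:
        if path not in listed:
            findings.append(f"unlisted: {path}")
    return sorted(findings)


def with_file(files: dict, path: str, data: bytes) -> dict:
    """Copy of the image with one file replaced or added (for demonstration)."""
    changed = dict(files)
    changed[path] = data
    return changed


def without_file(files: dict, path: str) -> dict:
    """Copy of the image with one file removed (for demonstration)."""
    changed = dict(files)
    changed.pop(path, None)
    return changed


SAMPLE_MANIFEST = build_manifest(SAMPLE_IMAGE, SAMPLE_KEY)

if __name__ == "__main__":
    altered = with_file(SAMPLE_IMAGE, "apps/payment.app", b"altered application")
    print("intact image:", self_test(SAMPLE_IMAGE, SAMPLE_MANIFEST, SAMPLE_KEY))
    print("altered file:", self_test(altered, SAMPLE_MANIFEST, SAMPLE_KEY))
    # A manifest rebuilt without the device key does not authenticate.
    print("forged manifest:",
          self_test(altered, build_manifest(altered, b"other key"), SAMPLE_KEY))
```

The manifest is authenticated as a whole before any per-file digest is trusted, so a replaced file, a missing file, an unlisted file and an edited or re-generated manifest are all reported as distinct findings. A device would run the same routine at power-up and again on the daily schedule the standard calls for, and would refuse to process transactions while the finding list is non-empty.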

Resellers and merchants that rely on VeriFone for payment security also benefit from the fact that the company does not merely adhere to the latest PCI regulations, it actively helps develop and draft the guidelines. VeriFone serves on the PCI Security Standards Council Board of Advisors, providing input into the various PCI standards. The company is also a founding member of the Secure Payment Vendors Alliance (SPVA).

In addition, in an advisory role for the American National Standards Institute (ANSI), VeriFone has contributed to:

• X9A — Regulating electronic retail financial transactions

• X9F — Setting standards for data and information security

• Various ANSI workgroups that contribute to the ISO security workgroup


Meeting and Exceeding Industry Requirements

For organizations that are comfortable with the security protections provided by the current PCI PED 2.0 standard, VeriFone offers a wide array of POS devices designed for every possible environment — from traditional countertop to mobile payment, and from multi-lane merchants to healthcare providers or transit agencies.

But for customers that are willing to spend a little more to invest in the absolutely best security protection available — with the longest projected life — VeriFone is once again demonstrating its industry leadership by becoming the first payment provider to incorporate the PCI PTS 3.0 standard into a full line of payment devices: VeriFone’s state-of-the-art VX Evolution platform.

The new standard is available as a premium option on both the VX 520 countertop and VX 680 portable devices. And it comes standard as part of the VX 820 PIN pad. These VX Evolution models not only provide resellers and merchants with the latest and most sophisticated security protections available today, but they also deliver the qualities that help set VeriFone products apart from all others: exceptional functionality, extraordinary quality and absolute trust that the devices will perform dependably and reliably, year after year.

PCI PTS 3.0 Available NOW!

[Figure: device approval timeline, 2004 through 2017. Legend: approved for continued use; not available for purchase or use; available to purchase.]

• Unapproved Devices — Unapproved or non-compliant devices must be removed from service by June 30, 2010.

• Visa PED Devices (Pre-PCI Devices) — Devices purchased before Dec. 31, 2007 can be deployed. EU devices must be removed by Dec. 31, 2012. All other devices must be removed by Dec. 31, 2014.

• PCI PED 1 Devices — Devices purchased before March 2014 can be deployed.

• PCI PED 2 Devices — Devices purchased before March 2017 can be deployed.

• PCI PTS 3 Devices — Devices purchased before March 2020 can be deployed.


The PCI PED 2.0 standard is by no means obsolete. In fact, merchants have the option of purchasing PCI PED 2.0 approved devices at least through 2016. But when one thinks about it, doesn’t it make more sense to pay a little more now for VeriFone’s PCI PTS 3.0 compliant VX Evolution line and avoid having to upgrade again and certify a whole new set of devices halfway through a solution’s lifecycle in a few years - not to mention, the added peace of mind?

Any investment that’s made in new devices and software that’s PCI PTS 3.0 compliant will continue to meet PCI SSC approved standards for payment card security long after the older PCI PED 2.0 compliant solutions must be removed from the POS. Merchants and resellers simply need to make the decision that’s best for them.

Inside Look

How VeriFone Leads in Physical and Logical Security As Well

VeriFone is not only a leader in ensuring that its devices adhere to the latest compliance standards, but it has also incorporated groundbreaking physical and logical security protections into its POS devices and applications.

Physical Protections

VeriFone incorporates tamper-resistant, responsive and tamper-evident features into every device it designs and builds. These physical protections are layered as illustrated to the left.

[Figure: layered physical protections – case gluing, security labels, one way screws, security fence, voltage sensors, regulated electronic emissions, PCB grid, very little space, keypad traces hidden, secret keys, keypad switches, case open switches.]

Conclusion

Increasing Risks Warrant a Higher Standard

Frequent stories of hacker attacks and fraud schemes targeting electronic payments are a constant reminder that risks for everyone — payment providers, resellers, merchants and consumers — continue to grow. The latest PCI PTS 3.0 security standard makes it easier to secure sensitive card data at the point of interaction against the increasing sophistication of these attacks.

VeriFone is pleased to be able to participate in the development of these new standards and proud to be the first to offer them to resellers and merchants that want the latest protections.

For more information about PCI PED 2.0 and PCI PTS 3.0 and which might be best for you, contact your VeriFone representative or http://www.verifone.com/about-us/contact-us.

©2011 VeriFone, Inc. All rights reserved. VeriFone, the VeriFone Logo, VX Evolution, VX 520, VX 680, VX 820, VX 820 DUET, VeriShield Total Protect, VeriShield Remote Key, VeriShield Hidden Encryption and VeriShield Retain are either trademarks or registered trademarks of VeriFone in the United States and/or other countries. All other trademarks or brand names are the properties of their respective holders. All features and specifications are subject to change without notice. Reproduction or posting of this document without prior VeriFone approval is prohibited.

02/11 45897 Rev A FS