Terms
DebitWay.com has completed the policies and procedures required to validate compliance with the Payment Card Industry (PCI) Data Security Standard, which is supported by all the major credit card associations, including American Express, Diners Club, Discover, JCB, MasterCard International, Visa International and Visa USA. All data transmitted and/or processed through DebitWay is handled in accordance with the PCI Data Security Standard and industry best practices. Trustwave's Trusted Commerce(SM) service designation indicates that DebitWay protects credit card and order information in accordance with payment card industry best practices.
SECURITY MEASURES & PREVENTIONS
Payment Card Industry EPP Security Requirements
The miniTeller® uses tamper detection and response mechanisms which cause the miniTeller® to become immediately inoperable and result in the automatic and immediate erasure of any secret information which may be stored in the miniTeller®. These mechanisms protect against physical penetration of the device by means of (but not limited to) drills, lasers, chemical solvents, opening covers, splitting the casing (seams) and using ventilation openings, and there is no demonstrable way to disable or defeat the mechanism and insert a PIN-disclosing bug or gain access to secret information.
If PIN entry is accompanied by audible tones, the tone for each entered PIN digit is indistinguishable from the tone for any other entered PIN digit.
There is no feasible way to determine any entered PIN digit by monitoring sound, electromagnetic emissions, power consumption or any other external characteristic available for monitoring.
The miniTeller® performs a self-test upon start-up and at least once per day to check its firmware, to check its security mechanisms for signs of tampering, and to determine whether the miniTeller® is in a compromised state. In the event of a failure, the miniTeller® and its functionality fail in a secure manner.
Sensitive information shall not be present any longer or used more often than strictly necessary. The miniTeller® must automatically clear its internal buffers when either:
- The transaction is completed, or
- The miniTeller® has timed out waiting for a response from the cardholder or merchant.
The PIN is encrypted within the miniTeller® immediately after PIN entry is complete and the cardholder has signified that it is complete. The clear-text PIN must then be immediately erased once encryption is complete.
The PIN encryption technique implemented in the miniTeller® is a technique included in ISO 9564.
The key-management techniques implemented in the miniTeller® conform to ISO 11568 and/or ANSI X9.24.
It is not possible to encrypt or decrypt any arbitrary data using any PIN encrypting key or key encrypting key contained in the miniTeller®.
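The three requirements above (ISO 9564 PIN block encryption, immediate erasure of the clear-text PIN, and a PIN-encrypting key that cannot be used on arbitrary data) are what an EPP firmware has to enforce together. The following Go program is an added illustration of that enforcement and is not DebitWay's or the miniTeller®'s code. The page only says "a technique included in ISO 9564"; this example assumes ISO 9564-1 format 0 (PIN field XOR PAN field) and 2-key TDES, which the standard permits but the page does not specify. The `DeviceKey`/`KeyUsage` types, the helper names, the sample PIN and PAN, and the 16-byte key value (a constructed test value, not a real key) are all assumptions made for the example.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// KeyUsage models the key-separation rule: a PIN-encrypting key (PEK) may
// only ever encrypt formatted PIN blocks, and the device exposes no decrypt
// operation for it at all. (Type and names are assumptions for this example.)
type KeyUsage int

const (
	UsagePINEncryption KeyUsage = iota // PEK: PIN blocks only
	UsageKeyEncryption                 // KEK: wrapping other keys only
)

// DeviceKey is a 2-key TDES key (K1 || K2) plus its declared usage.
type DeviceKey struct {
	Usage KeyUsage
	K     [16]byte
}

// Format0PINBlock builds an ISO 9564-1 format 0 PIN block (assumed format):
// PIN field = control nibble 0, PIN length nibble, PIN digits, 'F' padding;
// PAN field = 0000 + rightmost 12 PAN digits excluding the check digit.
// The block is the XOR of the two fields.
func Format0PINBlock(pin []byte, pan string) ([8]byte, error) {
	var blk [8]byte
	if len(pin) < 4 || len(pin) > 12 {
		return blk, errors.New("PIN must be 4 to 12 digits")
	}
	for _, c := range pin {
		if c < '0' || c > '9' {
			return blk, errors.New("PIN must be numeric")
		}
	}
	digits := strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1 // drop spaces and other separators
	}, pan)
	if len(digits) < 13 {
		return blk, errors.New("PAN must have at least 13 digits")
	}
	pan12 := digits[len(digits)-13 : len(digits)-1] // skip check digit, keep 12
	pinHex := fmt.Sprintf("0%X%s", len(pin), pin)
	pinHex += strings.Repeat("F", 16-len(pinHex))
	var pinField, panField [8]byte
	if _, err := hex.Decode(pinField[:], []byte(pinHex)); err != nil {
		return blk, err
	}
	if _, err := hex.Decode(panField[:], []byte("0000"+pan12)); err != nil {
		return blk, err
	}
	for i := range blk {
		blk[i] = pinField[i] ^ panField[i]
	}
	return blk, nil
}

// zeroize overwrites a buffer in place; the device must not keep the
// clear-text PIN or clear PIN block any longer than strictly necessary.
func zeroize(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// EncryptPINBlock enforces the usage restriction, formats and encrypts the
// PIN block with TDES (ECB, single block), and erases the clear-text PIN and
// the clear PIN block as soon as encryption is done. The caller's pin buffer
// is zeroed even when formatting fails.
func EncryptPINBlock(key *DeviceKey, pin []byte, pan string) ([8]byte, error) {
	var out [8]byte
	if key.Usage != UsagePINEncryption {
		zeroize(pin)
		return out, errors.New("key usage violation: only a PIN-encrypting key may encrypt a PIN block")
	}
	clr, err := Format0PINBlock(pin, pan)
	zeroize(pin)
	if err != nil {
		return out, err
	}
	k24 := append(append([]byte{}, key.K[:]...), key.K[:8]...) // K1||K2||K1
	c, err := des.NewTripleDESCipher(k24)
	if err != nil {
		zeroize(clr[:])
		return out, err
	}
	c.Encrypt(out[:], clr[:])
	zeroize(clr[:])
	zeroize(k24)
	return out, nil
}

func main() {
	// Constructed test key and sample card data, not real values.
	pek := &DeviceKey{Usage: UsagePINEncryption}
	copy(pek.K[:], []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
		0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10})
	pin := []byte("1234")
	enc, err := EncryptPINBlock(pek, pin, "4111 1111 1111 1111")
	fmt.Printf("encrypted PIN block: %X (err=%v), PIN buffer afterwards: %X\n", enc[:], err, pin)
	kek := &DeviceKey{Usage: UsageKeyEncryption, K: pek.K}
	_, err = EncryptPINBlock(kek, []byte("1234"), "4111111111111111")
	fmt.Println("same operation with a KEK:", err)
}
```

The device side never decrypts: verification happens at the host, which holds the same PEK under ISO 11568/X9.24 key management and recovers the clear PIN block there. Note that in a real EPP the key material would live in the tamper-responsive hardware, not in a Go struct; the point of the example is the ordering (restrict key use, format, encrypt, erase) rather than the storage.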
DEVICE MANAGEMENT DURING MANUFACTURING
Payment Card Industry EPP Security Requirements
The miniTeller® manufacturer, subject to Association site inspections, confirms the following:
- Change-control procedures are in place so that any intended change to the physical or functional capabilities of the miniTeller® causes a recertification of the device under the Physical Security Requirements.
- The certified firmware is protected and stored in such a manner as to preclude unauthorized modification, e.g., using dual control or standardized cryptographic authentication procedures.
- The miniTeller® is assembled in a manner that the components used in the manufacturing process are those components that were certified by the Physical Security Requirements evaluation, and that unauthorized substitutions have not been made.
- Production software that is loaded to devices at the time of manufacture is transported, stored, and used under the principle of dual control, preventing unauthorized modifications and/or substitutions.
- Subsequent to production but prior to shipment from the manufacturer’s facility, the miniTeller® and any of its components are stored in a protected, access-controlled area or sealed within tamper-evident packaging to prevent undetected unauthorized access to the device or its components.
- If the miniTeller® will be authenticated at the Key Loading Facility by means of secret information placed in the device during manufacturing, then this secret information is unique to each miniTeller®, unknown and unpredictable to any person, and installed in the miniTeller® under dual control to ensure that it is not disclosed during installation.
- The miniTeller® is shipped from the manufacturer's facility to the initial key-loading facility, and stored en route, under auditable controls that can account for the location of every miniTeller® at every point in time.
- While in transit from the manufacturer's facility to the initial key-loading facility, the device is:
  - Shipped and stored in tamper-evident packaging; and/or,
  - Shipped and stored containing a secret that is immediately and automatically erased if any physical or functional alteration to the device is attempted, that can be verified by the initial key-loading facility, but that cannot feasibly be determined by unauthorized personnel.