As you know, your pharmacy business is subject to ever-changing regulatory requirements. Because of increased security risks to cardholders' information, another pending requirement is about to hit your pharmacy: Triple Data Encryption Standard (3DES) for PIN-based debit card transactions. 3DES is a stronger encryption algorithm that your PIN-based payment terminal uses to increase the security of your customers' debit card data, and a 3DES key is required to be injected into all payment terminals by July 1, 2010. In order to comply, and assuming you have an older payment terminal not already injected with a 3DES key, you have the following options:
- Discontinue accepting PIN-based debit after July 1st and begin processing debit cards as signature-based credit cards instead. Your credit card processor will disable debit transactions. As a result, you will not be able to offer cash back, and your transaction fee on these types of transactions will probably be higher (credit vs. debit). However, you will not incur any up-front costs.
- Swap out your payment terminal for a used one with a 3DES key. You will probably incur a small fee, but it will be cheaper than a new unit.
- Upgrade your payment terminal to a new one. Not only will your new device have the 3DES key, it will probably come with a warranty.
While we understand you're probably frustrated with incurring an additional expense in today's tough economic climate, you should understand this is a Visa requirement and a necessary protection for you and your customers.
FREQUENTLY ASKED QUESTIONS
What is 3DES?
Triple Data Encryption Standard (Triple DES, TDES or 3DES) is the American National Standards Institute's (ANSI) sanctioned encryption algorithm standard used by all debit-capable transaction terminals for PIN encryption in the U.S. 3DES is a prime example of the payment industry's advancements in security against fraud, as it was created to be more secure than its predecessor, DES. DES is an encryption algorithm that takes a fixed-length block (16 hex digits) of unencrypted data and, using a 16 hex digit encryption key, converts it to a fixed-length block of encrypted data called ciphertext.
What is the difference between 3DES and DES?
To combat security breaches with Single DES, 3DES was developed. 3DES uses three independent key parts when performing the encryption algorithm. The 3DES algorithm uses either a 16-byte "double-length" key (32 hex digits) or a 24-byte "triple-length" key (48 hex digits). The encryption algorithm is run three times with the double- or triple-length key.
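As an added illustration (not from Emporos, Chase Paymentech or Visa), the Python sketch below classifies a hex key by the lengths given above and flags double- or triple-length keys whose parts repeat, which leaves only single-DES strength. It assumes the usual encrypt-decrypt-encrypt (EDE) ordering of the three passes and DES's per-byte parity bit, neither of which is spelled out in this FAQ; the function names and sample keys are constructed.

```python
# Added example: audit a DES/3DES key given as hex digits.
# Assumptions (not in the FAQ): the three passes run encrypt-decrypt-encrypt
# (EDE), and the low bit of each key byte is a parity bit that DES ignores.

LENGTH_NAMES = {8: "single-length", 16: "double-length", 24: "triple-length"}


def strip_parity(part: bytes) -> bytes:
    """Clear the parity bit of each byte so only the 56 key bits remain."""
    return bytes(b & 0xFE for b in part)


def classify_key(hex_key: str) -> tuple[str, str]:
    """Return (stated key length, effective strength) for a hex-encoded key."""
    raw = bytes.fromhex(hex_key.replace(" ", ""))
    if len(raw) not in LENGTH_NAMES:
        raise ValueError(f"expected 16, 32 or 48 hex digits, got {len(raw) * 2}")
    # Split into 8-byte key parts and compare them without their parity bits.
    parts = [strip_parity(raw[i:i + 8]) for i in range(0, len(raw), 8)]
    if len(parts) == 1:
        return LENGTH_NAMES[8], "single DES"
    k1, k2 = parts[0], parts[1]
    k3 = parts[2] if len(parts) == 3 else k1  # double-length reuses K1 as K3
    # EDE computes E_k3(D_k2(E_k1(block))). If K2 equals a neighbouring part,
    # two of the three passes cancel and the result is plain single DES.
    if k2 == k1 or k2 == k3:
        effective = "single DES (key parts repeat)"
    elif k1 == k3:
        effective = "two-key 3DES"
    else:
        effective = "three-key 3DES"
    return LENGTH_NAMES[len(raw)], effective


if __name__ == "__main__":
    # Constructed sample keys, for illustration only.
    samples = [
        "0123456789ABCDEF",
        "0123456789ABCDEF FEDCBA9876543210",
        "0123456789ABCDEF 0022446688AACCEE",  # differs from K1 only in parity
        "0123456789ABCDEF FEDCBA9876543210 1032547698BADCFE",
    ]
    for key in samples:
        print(key, "->", classify_key(key))
```

The third sample shows why comparing raw hex is not enough: its two halves look different but differ only in parity bits, so the terminal would be running single DES under a double-length key.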
Are merchants required to upgrade to 3DES?
One of the most recent security upgrades mandated by Visa requires that all debit-capable, PIN-entry transaction devices be replaced or updated to comply with the Triple Data Encryption Standard (Triple DES, TDES or 3DES) by July 1st of 2010. 3DES better protects merchants against security breaches, as the encryption process includes additional decryption and encryption combinations, making it more complicated for hackers to break.
Does this upgrade only affect Emporos merchants?
Visa is requiring all merchants be compliant by July 1, 2010. Visa is instructing its membership, the acquiring financial institutions and processors, to manage compliance upgrades of vendors, partners and customers. Your credit card processor may also notify you of these changes.
Who will fund the 3DES upgrade?
As this is a Visa-mandated upgrade to meet 3DES compliance by July 1, 2010, merchants will be responsible for the associated costs. However, Emporos Support will be able to answer questions regarding a merchant's POS equipment, compatibility and the costs to upgrade.
Will 3DES require purchasing new equipment?
No, but it will require a merchant with a Single DES-capable payment terminal to either discontinue PIN-based debit or upgrade to a used 3DES-injected terminal.
(Source: Chase Paymentech)
For more detailed information, see Visa's Cardholder Information Security Program.