12 Dec 14

‘Security by Antiquity’ Bricks Payment Terminals

Last week, several thousand credit card payment terminals at various retailers across the country suddenly stopped working, their LCD displays showing blank screens instead of numbers and letters. Puzzled merchants began to worry that this was perhaps part of some sophisticated hacker attack on their cash registers. It turns out that the incident was indeed security-related, but for once it had nothing to do with cyber thieves.

Hypercom L4250 payment terminal.

On Dec. 7, 2014, certain older model payment terminals made by Hypercom stopped working due to the expiration of a cryptographic certificate used in the devices, according to Scottsdale, Ariz.-based Equinox Payments, the company that owns the Hypercom brand.

“The security mechanism was triggered by the rollover of the date and not by any attack on or breach of the terminal,” said Stuart Taylor, vice president of payment solutions at Equinox. “The certificate was created in 2004 with a 10 year expiry date.”

Taylor said Equinox is now working with customers, distributors and channel partners to replace the certificate to return terminals to an operational state. The company is pointing affected customers who still need assistance to this certificate expiry help page.

“Many of these terminals have been successfully updated in the field,” Taylor said. “Unfortunately, a subset of them can’t be fixed in the field which means they’ll need to be sent to our repair facility.  We are working with our customers and distribution partners to track down where these terminals are and will provide whatever assistance we can to minimize any disruption as a result of this matter.”

According to two different merchants impacted by the incident who reached out to KrebsOnSecurity, the bricking occurs only after the affected devices (the 4x version of the terminals) are power-cycled or rebooted, something some merchants do daily.

Michael Rochette, vice president at Spencer Technologies, a Northborough, Mass.-based technology installation and support company, said his firm heard last week from an East Coast supermarket chain that opened for business on Monday morning only to find all of their payment terminals unresponsive. Rochette said that the supermarket chain and other retailers impacted by the incident across the country were immediately worried that the incident was part of a hacker attack on their payment infrastructure.

“Not all stores power cycle overnight, but for those that do, they came up all blank and inoperative,” Rochette said. “If that’s something that a retail chain does as a matter of policy across a whole chain of stores, that can be pretty damaging.”

One retailer that contacted KrebsOnSecurity but asked to remain anonymous said technicians at its locations had spent three days trying without success to restore the devices.

“I use two different generations of their terminals and have spent the last three days trying to understand completely why I had zero impact,” a reader from the retailer said. “Mass extinction of my POS devices at the manufacturer level was never on my list of scenarios that would wreck my day at retail.  It is now.”

While designing your products so that they fail after 10 years seems like a less than brilliant idea, this incident is a reminder of just how much of the payments infrastructure in the United States relies on rapidly aging technology.

According to Rochette, at least one of the affected Hypercom devices is no longer allowed to be used in retail installations after 2014, per sunset provisions set out by the PCI Council, an industry group that sets security standards for payment systems. Other Hypercom models affected by this incident are perfectly acceptable to use for years to come.

As for why Equinox failed to warn its customers of the impending meltdown of these payment terminals? Rochette posits that it might have something to do with Hypercom’s rocky corporate history.

“I’ve never seen this before where a particular product all crashed on the same day, and as far as I can tell there was no advance warning about this from Equinox,” Rochette said. “Over the last few years, they were Hypercom, then part of Equinox, then part of Verifone for a while, so I suspect there’s been a lot of turnover in personnel there, and frankly they just lost sight of the fact that they had a pretty important expiration date coming.”

68 comments

  1. Shouldn’t “impacted by the breach” read “impacted by the problem”?

  2. Paul, yes it should, and it actually does. I changed that in the copy before I published, but an earlier version of the story made it up to the site.

  3. I love the use of the phrase “Mass extinction….” Well, it’s time to replace those terminals with chip card readers anyways.

    • Change “chip card” to “NFC” and I’m with you. NFC allows payment methods like Apple Pay, which leave no personally identifiable information, not even name or card number, with the merchant – which is how it ought to be. No PII, no PII breaches.

      • Sunman42 – How do we use NFC in the growing avenues of electronic and mobile commerce where there is no NFC receiver? NFC is a solution aimed at physical presence only transactions more common to the last century and not the future. There is a better way.

        Jonathan @nc3mobi

        NFC has its own problems with security. see
        http://nc3.mobi/references/nfc/

        • Jaffe,

          It should be noted that many of the terminals do not have NFC because the merchants have not upgraded the POS system.
          Come October 2015 when the liability shift occurs, these POS will have to be upgraded to meet the EMV chips and will come with an NFC terminal built in.

          The problem you provided in the attached takes a very sophisticated hacker hanging around the store to get that information unless the company skimps on setting up the system on the cheap, and the employees will notice a person standing around.

          That is why the NFC is for short distance, 2 cm at the most to conduct the transaction, and it is shut off the minute they are locked. Who can remember the RFID commercial when the guy was buying his stuff and walking out of the store using that technology without coming up to the cashier, and people thought he was stealing it? As a matter of fact, Apple considered such a system (Bluetooth LE) but abandoned it in favor of NFC. I, for one, won’t consider it because of possible hacking, preferring to actually come up to the register.

          • James Edwards –

            A “very sophisticated hacker”? I’ll simply say that what was sophisticated a few years ago is much more commonplace today. It does not have to be a person standing around, it can be a device someone surreptitiously placed in a concealed location, say under the checkout scanner. 2cm ranges are with standard equipment. Crooks are not limited by standards. How about an NFC range 45 times greater, say 90+cm? (36″) available at
            http://flomio.com/shop/nfc-readers/nfc-patch-kit/

            In either case – you wrote the newer EMV terminals will be NFC capable. Some will, some won’t, but that isn’t the question. Will NFC devices be EMV capable? How do the benefits of EMV in physical presence transactions get the chip into a smartphone with NFC?

            NFC (like EMV) does even less in non-physical presence transactions.

            We need a better solution

            Jonathan @nc3mobi

            (Your name sounds familiar. Do you wear black suits, drive jet cars and deal with extraterrestrials? If so, what do they use for transaction security?)

          • James Edwards

            You wrote “NFC is for short distance, 2 cm at the most”. That appears to be short by an order of magnitude. Zero is what is used for tap-and-pay, but the limit has its basis in physics.

            Should be 20cm, about 7.87″, per
            http://physics.stackexchange.com/questions/44037/why-is-near-field-communication-nfc-range-limited-to-about-20cm

            Jonathan @nc3mobi

          • The problem is not someone “hanging around” the store. Or even being in the store. An NFC/RFID card can be read, with suitably sensitive equipment, up to a range of around three feet. So your card can be read while it’s still in your wallet or purse. Places such as shopping malls, lines where people are waiting, etc are all targets. For this reason, the one NFC/RFID card I have never leaves the house.

            It’s not necessary to get an actual EMV chip into a smartphone, as Apple Pay has just demonstrated. The transaction uses “tokenization” (developed by EMV) so that your card number is not part of the transaction. In its place is a numeric token that looks exactly like a credit card number but isn’t the number of any actual card (details too long to describe here).

            Most new POS terminals are including NFC but that isn’t required for the October 2015. Industry reports suggest that the rate is 95% or higher.

            The other side of that question is interesting – will new NFC cards include EMV in the exchange, or work in the same way they do today? I don’t know that answer and would be interested to know. I believe that this is how it works in Europe.

  4. Normally, I would rail against the lack of foresight. But frankly, given how rapidly things change, setting your devices to expire on their certificate in 10 years was a good idea. -IF- that was then followed up with a warning in year 8 and 9 that you have X,Y,Z steps to follow to update your device for the next 10 years.

    Finding out that you had your devices set to commit seppuku only after the fact, that’s definitely setting the idea back to the other end of the idea spectrum.

    • Silemess – Ritual suicide is a matter of honor. This was a matter of ignorance or apathy. Actually it sounds like the worst part of Y2K, devices failing at a known time in the future.

      Didn’t failed auto-updates send back a message saying “I’m OK!” or meaning it didn’t work? Oh, someone would have to monitor those responses, or lack thereof, and notify the owners their machines need to be replaced. Imagine the niceness when a box shows up at a merchant with a note “Here is a new machine because your old one is about to croak. Please put that one in here and send it back to us. Postage already paid. Our customer __is__ important to us!”

      Imagine if this was an internet connected self-updating, self-driving automobile in the future that did updates at noon, died, and stranded millions away from home. GAK!

      Maybe self-bricking scenarios should be disclosed at purchase? How many billions were there in lost sales when consumers couldn’t use their plastic? Is there a warranty with these units? Some lawyer is salivating at the opportunity!

      Jonathan @nc3mobi

      • Jonathan E. Jaffe – I’ve got to say that I agree with the points you made. Y2K was a good example of unintentional fail at an obvious fixed future point that I should have thought about.

        When I wrote that, I was busy imagining the nice path that you illustrated; of someone actually working to maintain the machine.

        Instead, I suspect that your grimmer future of self-bricking “features” would be far more likely to pass, with or without notice to the consumer. Let us hope this does not become a trend.

        • Silemess – thanks for the kind words. As for sending the consumer a notice … excuse me while I fall to the floor laughing. Good customer service costs (so does bad cs) and it takes a pew long behind profit sitting at #1. Examples abound – just look at airlines. The simple existence of a product like KneeGuard tells you airlines are not serving their customers. If they were, then no one would make such a product, let alone be happy at the sales volume. Preventing problems (the ounce) is generally better than the cure (the pound) which is how I came to a potential solution for charge card information theft, making the prize valueless to crooks. No reward means little motivation and a win without a fight. We consumers don’t have to suffer for the security failures of others.

          Have a happy, prosperous and WARM holiday season.

          Jonathan @nc3mobi

          • What was the potential solution you came to regarding charge card information theft?

            • Josh Gold – see http://www.NC3.mobi

              The quickest overview is 10 slides or less link at the bottom of the home page.

              Jonathan @nc3mobi

              • Is this NC3 concept implemented in Apple Pay? At least partially? I was under impression that Apple Pay does not transfer any confidential information, but is a one-time unique transaction.

                • Josh Gold – I did a detailed reply about noon Central. Has not appeared here yet. I’ll wait until tomorrow.

                  Jonathan @nc3mobi

                • Josh Gold – the message I just sent just appeared. Maybe the earlier reply simply vanished. Has happened before. Here it is again.

                  Josh Gold – I am restricted in what I can say. NC3 is NOT in any existing system. The material in the public NC3.mobi web site shows that NC3 operates in all avenues of commerce including physical presence, electronic (connected by internet) presence, mobile (when not connected to the internet), non-presence (think paying from a paper or electronic invoice without requiring internet access) and person-to-person.

                  NC3 can also provide increased functionality including exact or Not-To-Exceed authorizations (do you really know what you got charged?), SemiAuto Gratuity Calculator, Coupons, Automatic Affiliation Code Locker (dual modes and meets the needs of MCX merchants), authorized recurring payments (with multi frequency and value restrictions), VoiceAssist (for visually impaired), PreOrder Functionality, VoiceCommand, and much more. See http://nc3.mobi/how-it-works/examples-main/ Last: NC3 does not require merchants to invest in expensive NFC or EMV readers and, in physical presence mode, does not use any form of communications found in the EM spectrum.

                  If you want to communicate more, please use the email address at the bottom of each page at NC3.mobi so we don’t tie up the KOS web site.

                  Jonathan @nc3mobi

                • Josh Gold – no idea why the post isn’t appearing. Maybe I used a forbidden word? Your reply is at the URL below which will stay on line for a few days.

                  http://nc3.mobi/joshgold/

                  Have a happy, safe and warm holiday season.

                  Jonathan @nc3mobi

                • Apple Pay does not use the scheme described here but something similar. At the heart is “tokenization” – developed by EMV – that uses a “token” instead of your actual card number. The token is formatted exactly the same as a real card number but isn’t a number that is ever on an actual card.

                  But since it looks exactly like one, merchants can process the Apple Pay transaction in exactly the same way as standard NFC and it “just works”. That’s because the payment processor (Visa, or whoever) does the lookup from the token to your card number, and the transaction that goes to your bank has that actual number.

                  There is also a crypto signature that guards against forgery, tampering or replay of the transaction.

    • Silemess –

      I put something in angle brackets and the software deleted it. The line should read

      “I’m OK!” or (NoMessage) meaning it didn’t work.

      Sorry about that.

      Jonathan @nc3mobi

    • Certificates should never have a 10 year life – they become vulnerable after a much shorter period of time. Manufacturers need to build in mechanisms (including automated solutions) for updating certificates much more frequently. While there is an operational cost of more frequent updates, we’ve already seen what happens when these kinds of systems are breached, and those costs are much higher. CISOs and security teams who buy from manufacturers need to demand high security.

  5. Brian, You are providing a great service to the World keeping everyone abreast of current IT security concerns. As one of the software engineers who helped build the Internet in the late 70’s, we never imagined that it would be used as it is today. We were very innocent and naive back then. Keep up the good work!!!

  6. I’m surprised these terminals lasted ten years in field service. They must not have had the heavy usage that we see in the larger stores.

    The fact that older equipment is still in use parallels with the use of old software. Lots of danger if you don’t update in a strategic manner.

    • I support a large POS system, with more than 3,000 of these pin pads. We have a lot of very heavy usage, and these have lasted very well.

      About 6 years ago, after having another critical internal security certificate expire and cause problems, I did a complete research of all our systems, documenting all of the interfaces and security certs.

      I even contacted Hypercom/Symbol to see what security certificates were in use internal to the pin pads. Still have the letter that I provide to the PCI Auditors that says “There are no security certificates used exclusively within the Hypercom/Symbol pin pads”.

      Well, I guess that is another item to put up on my dart wall.

    • Note that the devices don’t need to be in the field for 10 years. They could be brand new devices with fresh up-to-date software.

      It is just that the certificate was first used in late 2004, and just never updated. Newer software (fully updated etc) just kept using the old certificate.

      • Notice you only learn that the cert. is expired when they’re rebooted, so this mess will continue to go on for some time as power or related hardware failures hit them.

        This also means those not rebooted will be using an expired cert. in the interim.

        Clusterfsck.

        • And while I get the rationale for a 10 year certificate in 2004, nowadays that would be insane. Regardless of Chip/Pin or mag stripe, certs on POS devices need to have a much shorter shelf life (like less than a year) given that POS is squarely in the crosshairs of any retail malicious operation. The difficulty of more frequently rotating and renewing these shorter life certificates is no longer a valid excuse for using long life certificates in this threat climate.

          • Was going to say similar to Paul.

            In one area we’ve opted for annual certificates primarily so people don’t forget the process of issuing and renewing.

  7. One would think that the retailers and banks would have a vested interest to throw money at this problem to update the antiquated credit card system. I don’t understand all the ins and outs of the credit card system from beginning to end, but one would think with the tens of millions of dollars in losses for each bank and retailer involved, that a new system could have been out already. As an example, Target would grant money to Visa/Mastercard and others involved to get the ball rolling on a new system/equipment. This looks like Target cares about security AND would be better than spending tens of millions on clean up and lawsuits.

  8. Hopefully the next software update fixes the certificate check – it shouldn’t require a reboot for the system to notice an expired (or revoked) certificate!

    • Since the terminal shouldn’t be connected to the Internet, I would expect any revoked certificate checking be done to a server controlled by the retailer.

      • Don’t most payment terminals use the Internet to process transactions these days? I still see the ‘dial in via phone’ terminals occasionally but far less frequently.

  9. The term I love is “bricking.” Never had heard it before, but within the context, it had perfect, if not poetic, meaning! As always, thanks, Brian!

  10. Dr. Zackary Smith

    Okay, a flash ROM on the internal PC board has to be updated, is this really a security issue here? Oh the pain the pain ….

  11. Gah!
    “Impacted,” really? I hate that verbification. Can’t you just say “hit?”

    Less a matter of opinion, though, is the lead ‘graph:

    “LCD displays showing a blank screens”

    Can you please fix that one?

  12. Real World Reality: I suspect in the USA the most popular machine is the Hypercom T7P-F Card Reader / Printer, or something very similar, available used for around $50-$70 dollars. I once had one like this 20 years ago in a business I owned that was required by law to accept credit cards. Many small companies and operations will not be able to afford the extra cost of new chip readers, simply because of the cost or perhaps their small volume.

    • Squareup readers cost $10, charge 2.9%, no monthly fees (for the most part, unless you’re doing six figures or more a month) clear funds in 2 days and connect to tablets and smartphones.

      They also have APIs allowing clients to securely pull the sales data into back office systems.

      Soon Squareup will have a version that accepts apple pay, for a little more money.

      When my wife opened a company checking account for her business, the Bank of America CSR tried to sell her on BofA’s credit card services. When she mentioned Squareup, the CSR just sighed and said “I hear that a lot lately”.

      Why pay $30/month or more plus fees to a payment processor for a merchant account with a crappy hackable terminal?

      if a business is that feeble, maybe it needs to stop selling buggy whips

      • Concerning Buggy Whips and such. In my instance, noted in my original post above, the type of business I was involved with was mandated by law to accept both Visa and MasterCard and also to accept major Debit Cards. Probably a somewhat rare situation. Our least desirable clients were the ones that often used such convenience. Our best clients were billed once a month or, if paying more often, paid upon receipt, or soon thereafter, of invoice.

        As for Buggy Whips, since I am now living in rural Missouri, I and my neighbors find them somewhat useful. They are very handy in getting the neighbors errant Bull, Horse, Child and sometimes Wife back into their proper pasture.

        I stand behind my original statement that the cost of and acclimation to newer CC Terminal technology will be a hindrance to many smaller businesses.

  13. Not exactly confidence building that Hypercom doesn’t know its equipment. This reminds me of the Y2K issue without, in this case, a warning. I recently found out that some printers like Canon have obsolescence built into their logic boards based on usage and run time, about five years, that disables them so they have to be returned for refurbishment or replaced. This Hypercom bug serves the same purpose.

  14. Typo: a blank screens ?

  15. My pinpads are still dead and my point of sale vendor says they have no idea how to fix it…

    At least now I know what’s going on, but no one is giving me a solution to the problem.

  16. C’mon Brian… Tell us SOMEBODY knew this would happen, tell us they just forgot to send the email or that somebody didn’t think it was important enough or too late to warn retailers…

  17. Aren’t we still on target for *nix type systems to have a Y2K whoops in 2020? With all the embedded items out there I’d think that was just as bad as the Y2K scare…

    • Actually, the Unix bug wasn’t for 2020, it was for 2032 and was fixed years ago.

      • Actually that’s 2038. And I wouldn’t say that it has been fixed at all.

        Newer systems and 64-bit systems are fine, but as we all know there are all kinds of older and embedded systems in use that could be in service for decades to come.

        • This already affects SSL certs with very long expirations created with 32 bit software by people trying to avoid problems like the OP.

  18. Check Venafi out. We could have helped avoid this problem.

    https://www.venafi.com/

  19. This type of thing doesn’t surprise me all that much. With devices that old, the engineers have all moved on – either to other products or other jobs, and nobody is thinking about this old thing that they used to sell. So nobody ever thought about the possibility of something like an expired certificate. But it really wouldn’t be that hard for the company to have set one up in a test lab to see what kinds of issues arise as the years roll by.

    I can’t help but wonder if they are using an older SSL protocol which is now considered to be obsolete and insecure..

  20. Power cycled mine this week. Has been tough on our processing. It takes 75 telephone keystrokes to process a credit card sale over the phone! I had one day turnaround insurance for my machine but will be waiting many more than that. Only good part is I am saving credit card fees on sales that are now cash or check.

    Heard today also that Bob Wards Chain in Montana all went down as well.

  21. Kind of sucks that it happened during the Christmas rush.

  22. A couple of things to note.
    Equinox doesn’t say if this was a payment network key, or an acquiring bank key that expired or one of their own certificates (code signing, etc).

    If it was a payment system key (unused EMV, perhaps), then the behavior may have been required, per device certification. Although checking for expiry only on startup is a defect to be fixed. Really? Certificates expire on a specific day. Why wouldn’t you check at least once a day? These terminals can’t have ‘something better to do’ that would pre-empt a configurable daily time (in addition to being mandatory on startup).

    If it was a vendor-expired cert, then the vendor has some serious PKI operations problems to resolve. My hunch is that the company failed to value/retain its employees’ experience and institutional knowledge, and now they are paying the price.

    It could also be an expiring key for the merchant’s acquiring bank. In which case, shame on the acquirer for doing real damage to their customer, and their key management team dropped the ball here.

  23. I work for a retailer that has been affected by the ‘outage’ and can tell you that Equinox (or whatever they want to call themselves now) certainly did not make this an easy fix. There are over 400 stores in our company, and not a single store was able to fix the terminal on site. Stores went 4-5 days with no credit card terminals due to communication failures on their end. Each day we were told a fix was coming down, which did not work. Finally we were told that we would have to ship the terminal back (on our expense) and they would ship one back when they received the non-working terminal. To me, that’s horrible business. They had an issue with their own software that cost businesses tens of thousands of dollars in lost sales, and then turned around and made them pay for shipping and to wait even longer for a terminal. What’s wrong with shipping out a new one to replace it, and then allowing the vendor to return the ‘old’ one?

    • Mike – whenever you see a situation that makes no sense at all from your point of view, step back a bit and ask Cui Bono? To whom the good? Who benefits? Why? A restricted case is presented by a Watergate era phrase – Follow the Money.

      So, why would a company, facing a public relations disaster, deliberately slow the shipping pace of replacement units? One possible answer: they don’t have enough replacement units on hand to meet the need. The burdensome requirements mask the company’s lack of capability.

      What should they have done? In an ideal world they should meet the needs of their customers and cross ship new (or at least functional) units. Send good ones first and let the customer ship the old one back in the same container (pre-paid eco-shipping in volume, cheap compared to losses).

      Absent some evidence of good intent and actions, many customers will remember bad experiences far longer than any good experience. When contracts come due, this company will be in a poor position to win renewal and a new vendor will have an edge. I would look for another vendor to make some offer (ex: “Screwed by (company name)? Contact us and we’ll get you 10, 100, 500 units overnight.” ) to grow their share of the market.

      Considering the lost sales are real damages the terminal owners might have a business interruption insurance claim. If so, those terminal owners have an obligation to mitigate their damages and subrogate their litigation rights to the insurance company that pays their claim. Few companies have better attorneys (or at least more of them) than insurance companies and they will have economies of scale when they represent multiple customers affected by bad service.

      Jonathan @nc3mobi

  24. Is it REALLY so hard to code a displayed useful message on these things rather than just going blank leaving people wondering what in the world is the problem?

    Super easy: ‘CERTIFICATE FAIL’ (or heck, even ‘CERT FAIL’) would give people an enormously better idea of what is the problem than a useless blank screen!

  25. So how do I get this fixed? The help page looks to be down.

  26. “The security mechanism was triggered by the rollover of the date and not by any attack on or breach of the terminal”

    Damn you father time!

    • Don’t blame this on “time.” This is entirely the fault of a human programmer who failed to understand what he should have taken the time and effort to understand. Simple human laziness, in other words. You can get it right, or you can get it wrong, and they chose (for whatever reason) the latter.

      Now, innocent customers, hard working business people just trying to make a living, are paying the price for someone else’s failure, and will be for some time.

      • *Note – I wasn’t actually blaming this on “time”… I was commenting on the statement from Equinox.

  27. Now I understand what was up when I went grocery shopping Sunday. The store had a couple of lines (out of 20) that could run debit card transactions. Self checkout was cash only and all the other lines were credit card only (they had a different machine for this). I guess the working readers were newer models.

  28. I ran into a merchant (gas station) that was experiencing this issue on the counter top reader not too long ago. I handed my card to the clerk for processing on the integrated reader built into the screen of their POS (I should have known better). A couple of days ago I received a message from my card issuer that suspicious charges were hitting my card (outside the US). A new card is being issued.

    Tracing my usage back in time (I hardly ever use the card) I can see how this malware may have been used to force clerks to fallback to a more vulnerable magstripe reader they might have as a backup on the POS where a keylogger is waiting!

  29. Hey guys, I just considered it important to share this with you (please share):

    <>:

    The old Hypercom L4150 and 4250 Series product design uses a cryptographic certificate structure to manage device and associated software authenticity in order to provide a secure payment architecture and comply with PCI SSC requirements. Each of the cryptographic certificates has an expiry date that was set when the certificate was created.

    From our analysis thus far, it appears that Hypercom initially set the lifetime of some certificates to 10 years. That 10-year period appears to have expired this past weekend. When the terminal boots, the certificate expiry date is checked against the current date/time that is running in the hardware real-time clock. If the date is later than the certificate expiry date, the boot process halts and does not load the main application. Some devices will emit a number of beeps as a diagnostic to indicate the failure.

    At this point in time, we have determined that the best approach is to re-sign the application software with a new certificate that has an extended expiry date. This re-signed application must then be loaded into the affected devices.

    ** Please note: All FPEs have either 8MG or 16MG versions; typically, most clients will use the 8MG versions. All L4250s need to use the 8MG versions of FPE.
    The new certificates will not expire until 2029, well beyond any expected sunset dates from PCI.

    Finally – This is an evolving process and situation and we will continue to provide updates and statements via our FTP site (found below).

    RESOLUTION STEPS –

    1. To update units in the field – a Windows XP machine with RS232 port and cable are required. (Additionally, if running Windows 7 – we have a program that acts as an XP virtual machine on the Windows 7 device available on our FTP site – approx. size of the program is 3 Gigabytes and will be located in folder: VMWARE.)
    2. FTP SITE:
    https://ftp1.equinoxpayments.com/human.aspx?r=2095005669&Arg12=filelist&Arg06=151923178
    USER: epmluser
    PW: Eqx2014$ftp
    a. All updates are available via our FTP site. (See log in credentials above). The site has updated FPE applications with updated certificates to download as well as Windows 7 VM.
    b. Software loading instructions can be found on FTP Site in folder named: “INSTRUCTIONS” – File name: Hypercom Software Loading v*.pdf.

    Alternatively – a user can request an RMA for Equinox to update the device or send the unit to an authorized repair facility. This service will be provided at no cost beyond shipping cost to and from the facility.

    Steps for returning a unit to Equinox for updating –

    1. Request RMA number at: RMAREQUESTS@EQUINOXPAYMENTS.COM.
    2. Turn-around time is estimated to be five business days from date of receipt.

    FAQ –

    What units are affected? Only some L4XXXs and T41XXs. The L5XXX and the T42XXs are not affected by this occurrence.

    Is the above fix available for the L4100 and T4100s? – At this time, we have had very limited success updating certificates on the L4100 given the age/technology available on the devices. With that said, it should be noted that the L4100s and T4100s are mandated by PCI to be removed from the field by the end of 2014, and will need to be replaced with newer model hardware such as the L5200 and L5300s. However, if necessary, Equinox will attempt to update the devices via the RMA process but cannot guarantee units will be returned before the end of the year. For the T4100s we are attempting various resolutions and hope to have further information shortly.

    Where can I get the updated applications?
    Equinox has the above referenced FTP site, which has all updated FPE files along with the Windows 7 solution to emulate the XP environment.

    I don’t know what version of FPE we are using and the device will not boot to provide information. What are my options?
    Equinox recommends installing the latest version of FPE, which is FPE 5.P.131. Please note – we strongly suggest testing this method on a small sample of units to verify validity before proceeding with entire population. If this resolution does not work, the units will need to come into either Equinox or one of our Authorized Repair Facilities for updating.

    What about our forms and debit keys?
    From what we have seen thus far on L4150 and L4250s, forms have remained intact and previously loaded keys in these units should not be affected by loading these re-signed versions.

    RS232 Cables – how do I obtain one?
    To construct a cable using readily available components, please refer to the FTP site – Utility Folder for a wiring diagram. Alternatively, Equinox will supply RS232 Cables to clients at no charge. Please place your order for the cable using Part Number: 810341-001 – RS232 Cable. Please email order requests to: fulfillment@equinoxpayments.com. Orders will be processed and ship overnight.
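The boot-time check the statement describes (certificate expiry compared against the hardware clock, loader halting when the clock is past it), the re-signing fix, and a fleet-side expiry monitor that would have flagged the problem in advance, as an added example that is not Equinox's code; the device records, serials and dates are constructed for illustration.

```python
from dataclasses import dataclass, replace
from datetime import date

@dataclass(frozen=True)
class SignedApp:
    """Application image plus the expiry date of the certificate that signed it."""
    version: str
    cert_not_after: date

@dataclass
class Terminal:
    serial: str
    model: str
    app: SignedApp
    rtc: date  # date reported by the device's hardware real-time clock

def boot(term: Terminal) -> str:
    """The check from the statement: an RTC date later than the certificate
    expiry halts the loader, so a unit that is already running keeps working
    until its next power cycle."""
    if term.rtc > term.app.cert_not_after:
        return "HALT: signing certificate expired"
    return "OK: application loaded"

def resign(app: SignedApp, new_not_after: date) -> SignedApp:
    """The vendor's remedy: the same application, re-signed with a
    longer-lived certificate, then reloaded into the device."""
    return replace(app, cert_not_after=new_not_after)

def fleet_status(fleet, today: date, warn_days: int = 90) -> dict:
    """Defender-side monitor: for each terminal, EXPIRED if it would halt on
    its next reboot, WARN if the certificate expires within warn_days, else OK.
    Returns {serial: (state, days_left)}."""
    out = {}
    for t in fleet:
        left = (t.app.cert_not_after - today).days
        state = "EXPIRED" if left < 0 else "WARN" if left <= warn_days else "OK"
        out[t.serial] = (state, left)
    return out

# Constructed sample fleet: a 2004 certificate with a (hypothetical) 10-year
# expiry of 2014-12-06; one unit rebooted after that date, one before it.
OLD_APP = SignedApp("FPE-old", date(2014, 12, 6))
FLEET = [
    Terminal("L4250-0001", "L4250", OLD_APP, date(2014, 12, 7)),
    Terminal("L4250-0002", "L4250", OLD_APP, date(2014, 12, 5)),
]

if __name__ == "__main__":
    for t in FLEET:
        print(t.serial, boot(t))
    print(fleet_status(FLEET, date(2014, 9, 10)))
```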

  30. Who should have seen this coming? I maintain that the list includes Equinox, the vendors who placed the terminals, the acquirers, and the companies who purchased the terminals.

    Every properly designed PKI (Public Key Infrastructure) has a Certificate Policy document and a Certificate Practice Statement. These are public documents and should be available to all of the above. The Private Keys are secret, the policies and procedures are not. These documents tell how the certificates are created and how they should be refreshed. More importantly, they specify a schedule for review and update of these documents. Everyone named above should have reviewed these documents. Apparently no one did.