Security Vulnerability within Ingenico Telium 2 Terminals (ipp320 pinpad)
Impacted Partners: Merchants using an Ingenico iPP320 terminal to process EMV or Card Swipe transactions through the Paya Connect Desktop application
Earlier this year, Paya issued a notification concerning a potential security vulnerability reported by Ingenico within the software of Telium 2 devices (iPP320) that could allow transaction data to be extracted from the terminal. At that point Paya began working jointly with Ingenico to integrate and test the software version patch that had been identified for remediation of the vulnerability.
In early August, Paya was notified by Ingenico that the initial software version patch was not included in their PCI PTS assessment and would cease to be on the list of compliant terminal versions as of November 2020. Ingenico has since identified a new version of RBA software that would include the vulnerability patch, and which would have the PCI compliance designation through 2024.
Paya is currently in the process of integrating this recent Ingenico software patch within all four integrations of the iPP320 devices being used by our customers and will thoroughly test that software in the development and production environments over the next month. We will work with Ingenico to jointly create the production builds of those four integration packages with the expectation that they will become available in mid-September.
Simultaneously, Paya is creating an app which can be downloaded from the Paya Connect Desktop install screen that will enable the Ingenico software patch to be downloaded to iPP320 devices in the field. We anticipate that plugin to be available to merchants in the late-September timeframe.
Partner Action Required:
Until the software patch is available in late-September, merchants should continue to maintain the appropriate level of security for the physical terminals within their possession in accordance with PCI standards.
- Only staff members with the need to operate the terminals should be allowed to access the devices
- Staff should inspect the devices to ensure that only a single cable is connected to the terminal and that cable is connected directly to the PC through which payments are processed
- Staff should inspect the cable from the terminal to ensure it does not have a splitter that enables the device to be connected to two PCs
If at any point, the merchant identifies suspicious connectivity between the terminal and a PC or experiences periodic disruptions in communication between the terminal and the PC, the device should be disconnected from the PC and replaced with another correctly cabled terminal.