Thousands Of PIN Pads Shut Down, But It’s Not A Breach

An East Coast supermarket chain opened for business on Dec. 8, only to find all of its payment terminals unresponsive — and it wasn’t alone. Last week, several thousand Hypercom payment card terminals at retailers across the country suddenly stopped working because of the expiration of a cryptographic certificate used in the devices, according to Krebs on Security.

The devices used a security certificate that was created in 2004 and expired after 10 years, according to Equinox Payments in Scottsdale, Ariz., the company that now owns the Hypercom brand. The shutdown — the screens went completely blank — was triggered by power-cycling or rebooting the devices, which some retailers do daily.

“The security mechanism was triggered by the rollover of the date and not by any attack on or breach of the terminal,” said Stuart Taylor, VP of payment solutions at Equinox.

It’s not clear why the company didn’t warn merchants of the impending shutdown. But Hypercom was acquired in 2011 by another major payment-terminal vendor, Verifone, which spun off various parts as Spire Payments and Equinox. That may have made tracking older models less top-of-mind for the company.

One retailer whose terminals shut down said its technicians spent three days trying to restore the devices. “I use two different generations of their terminals and have spent the last three days trying to understand completely why I had zero impact,” a source at the retailer told blogger Brian Krebs. “Mass extinction of my POS devices at the manufacturer level was never on my list of scenarios that would wreck my day at retail. It is now.”