Toxic Waste: Old PIN Pads Never Die, But They Really Should
Written by Walter ConwayA 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.
Do you accept PIN-based debit cards at your stores? Have you been accepting these PIN transactions for more than, say, six years? Lastly, are you aware that the first Visa-mandated sunset date for your old PIN Entry Devices (PEDs) is July 1, 2010? If you are like most major retailers, you will answer “yes” the first two questions, but you might answer “no” to the last question. If that is the case, you are taking on increased risk and liability from these old PIN devices.
POS equipment, including PEDs, can last a long time. Older stores or POS locations that have not been upgraded may still have equipment that increases the risk of a data compromise. Therefore, retailers with locations or equipment over eight years old should check each of their PEDs against the currently approved lists.
Identifying which PEDs to replace may not be easy. If you get the equipment from your acquirer, call them. Unfortunately, many retailers purchase POS equipment from OEMs or resellers. If this describes your situation, you will need to check with the vendor to see how it complies with this mandate.
Maintaining PCI compliance requires an ongoing commitment. If you view it as a project with a beginning and an end, you are likely to either fall out of compliance in the year between assessments or miss an important update from the PCI Council or a mandate from one of the card brands.
Visa’s PED mandate is a good example of something that would be easy for a retailer to miss–in part because it is somewhat obscure, but mainly because it is complicated.
You can think of PEDs as falling into one of three groups. The first includes all PCI-approved PEDs. These PEDs have been tested according to PCI requirements and validated by an independent laboratory. You can find more information and a link to the list of these devices here. Interestingly, it doesn’t matter which version of PCI PED was used in the testing. The good news is that if the device passed, you can use it. The better news is these PEDs have no current replacement (or sunset) dates.
The second group of PEDs includes those approved by Visa in the pre-PCI days, between about 2002 and 2004. During this time Visa approved a number of PEDs, which are listed on its Web site. If you have any of these PEDs in your retail stores, you have until Dec. 31, 2014, to replace them. In effect, the approval for these devices is expiring, but you have a few years to replace them. When you do replace these PEDs, make sure to get PCI-approved versions.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
