This is page 2 of:
Toxic Waste: Old PIN Pads Never Die, But They Really Should
The third group includes untested and unapproved PEDs. These devices are the oldest and the main target of Visa’s mandate. Neither independently tested by a laboratory nor approved by either Visa or the PCI Council, Visa calls these “pre-PCI devices.” You may simply call them obsolete. If you have any of these PEDs, the sunset date to replace them is July 1 of this year.
In short, the Visa mandate means that after July 1, all your attended POS locations accepting PIN-based debit must use approved PEDs–those either on the Council’s list or at least on Visa’s list. If you have a choice, always go to the Council list; it is the most current. Using devices on this list will negate having to repeat this replacement exercise in a few years.
After you have replaced outdated PEDs, you have to address the issue of what to do with your old devices. My first piece of advice is, do not sell them on eBay. Instead, have them securely destroyed or shredded by a trusted commercial service.
Visa leaves you one out, but I advise you not to take it. If you still have some of these old devices in your stores, you could continue to use the card reader and accept only credit or signature debit. If you ignore my advice and keep these obsolete devices, you must do a couple of things. First, make sure the PED is disabled so it can no longer process a PIN. Then you have to implement internal controls to make sure you can’t transfer the device to another store where it will be used for PIN transactions.
I’m not a fan of this approach because it preserves these old, unsafe, noncompliant devices at your POS. Two days or two weeks or two months later, when you are not there, someone may turn the PIN functionality back on and leave your entire chain vulnerable to a breach. So, although retaining old PEDs is an option, it is not a smart one.
Strictly speaking, the Visa mandate applies to its acquirers. Failure to comply means the acquirer has increased risk and liability if there is a PIN compromise traced back to one of these obsolete PEDs. If you got your PEDs from your acquirer, don’t wait for that company to call you (which hopefully it has done already). Contact your acquirer directly and find out if your equipment has to be replaced soon or in 2014. If you got your POS equipment from an OEM or other third party, you are on your own to make sure you comply with the mandate.
A lot is happening in the PCI world in 2010 that will affect retailers of all sizes, including Visa’s PA-DSS mandate, the new PCI PIN Transaction Security and, of course, the revised PCI DSS itself–which will be effective in October. The PCI Council will be releasing documents over the summer.
All this reinforces the fact that PCI compliance is not a project; it is an ongoing process that merits your time and attention.
Do you still have old POS equipment? What are your plans to replace these PEDs? I’d like to hear your thoughts. Either leave a comment or E-mail me at wconway@403labs.com.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
