In the world of PCI Compliance, you typically hear a lot about payment software and the compliance status of the overall merchant environment. There is not as much said about the compliance of the equipment involved.
First a quick refresher on terminology. PTS and POI are the key aspects to know. Yes, we do seem to love our acronyms!
- POI stands for Point of Interaction. This is the payment device that “interacts” with the cardholder’s card (either from the magnetic stripe or EMV chip on the plastic card itself, or via a surrogate such as a smartphone or smartwatch). For devices that accepts PIN entry, the term PIN Entry Device (PED) is also sometimes used.
- POS stands for Point of Sale. This can include the entire suite of hardware and software used to process a transaction, including the POI but also other systems, such as a computer terminal, printer, cash drawer, etc. This term is commonly interchanged with POI, but this practice is discouraged as it can lead to ambiguity, since the security requirements for POI device are different from those related to accompanying systems.
- PTS stands for PIN Transaction Security. This standard confirms that approved devices have protections in place for PIN-based transactions. This family of standards includes POI device approvals, as well device standards for hardware security modules (HSMs) and key loading devices (KLDs), and the PIN security standard for processing entities. While protection of PIN is one of the primary functions of these standards, PTS also includes protections for cardholder data, keys, updates, and software where applicable. Version 6.0 of the PTS POI standard was just released this summer.
Card Brand vs. PCI Compliance
Of particular importance in discussion of PTS device expirations is the difference between PCI DSS compliance and card brand compliance. The Payment Card Industry Data Security Standard (PCI DSS) is maintained by the PCI Security Standards Council (SSC) and is adopted by the five major card brands as required to meet their respective data security program requirements. In addition, the card brands have operating rules, collectively referred to as card brand requirements, by which merchants are required to use certain types of devices (among many other risk and fraud-related requirements).
These two sets of compliance requirements are often confused, especially since the PCI SSC manages programs that touch on both sets of requirements. For instance, the PCI SSC manages the PCI DSS standard and QSA program, as well as the PTS standard, approved validation labs, and the online listing of approval statuses for PTS POI devices.
PTS v3.0 Expiration Announced, Then Delayed
In 2018, Visa had previously announced that PTS POI version 3.x devices would no longer be acceptable for new deployments after April, 2020. The PCI Security Standards Council (PCI SSC) has now matched this date for the Expired Approval of v3 devices. However, due to supply chain problems from COVID-19 both Visa and PCI SSC postponed each of their expiration dates by exactly one year.
This means that expiration date for PTS POI v3.x devices is now April 30, 2021, which is less than 6 months away!
Okay, but what does this expiration date or expired approval actually mean?
As noted above, the card brands set the expiration and sunset dates for devices approved to specific versions of PTS. The expiration date is the date after which no new deployments shall be performed, and merchants should plan to replace any such devices to improve the overall security of the merchant environment. One-for-one replacement of expired devices is allowable, due to troubleshooting or repair, however no new deployments of expired devices is allowed after this expiration date.
Similarly, PCI SSC maintains a listing of Approved PTS Devices, which includes the version of PTS under which the approval was received. Once a listing reaches its expiration date, the device is considered to have an Expired Approval, and is moved to the Devices with Expired Approvals list. For the PCI SSC, any device with an expired approval is no longer considered to be an PTS-approved POI device, as it is removed from the list of Approved PTS Devices.
Expiration dates and Expired Approvals should not be confused with sunset dates, which are the dates specified by the card brands by which all such devices must be replaced. No sunset date is currently set for PTS POI v3 devices, however effective December 31, 2020 all non-PCI PTS devices and PTS POI v1.x devices will have passed their sunset date and must discontinue use to avoid card brand non-compliance.
PCI DSS Compliance
When it comes to PCI DSS compliance, there is no hard requirement to use non-expired PTS devices. In fact, there is no requirement to use PTS devices at all – this is a card brand compliance requirement!
For merchants who must be compliant to PCI DSS, then, it is important to understand the role the PTS-approved POI devices play in the security of cardholder data, and how newer versions of PTS provide additional layers of security. Devices approved under the later versions of PTS are simply more secure and resilient to physical or electronic attack. With that in mind, PCI specifies that, while it may not be required under PCI DSS to replace expired PTS devices, it is highly recommended to prevent the latest attacks, and that merchants should check with the card brand or acquirer related to applicable card brand requirements.
SAQs
While a merchant using expired PTS devices may still be able to attain PCI DSS compliant, when it comes to completing the PCI-approved templates they may encounter a different difficulty. Even though the PTS version is not mentioned specifically in the self-assessment questionnaire (SAQ), the term “approved” is mentioned – and this is very important in terms of eligibility.
This is because the use of any SAQ is based on a merchant meeting specific eligibility criteria found at the beginning of the document, and for the SAQ B or SAQ B-IP these criteria specify that the device must be “approved”. For instance, the eligibility for SAQ B-IP states that requires the use of only “standalone, PTS-approved point-of-interaction (POI) devices”.
Effective this April, PCI SSC will be moving all PCI PTS version 3.x devices to the “expired approvals” list, therefore merchants who run these devices will no longer meet the strict eligibility requirements for these SAQs. Merchants who wish to use one of these SAQs should either update their devices, or consult with their acquirer or the payment brand about an exception to this requirement that would allow continued use of the SAQ, as described in PCI SSC FAQ 1464.
Merchants who continue to use version 3.x devices past the April deadline, and who have not received an acquirer exemption, should assess their environment using either the SAQ C or SAQ D (which do not contain this eligibility requirement) and consider each of the specified requirements for applicability to their environment.
P2PE
For merchants that use a PCI-validated point-to-point encryption (P2PE) solution, eligibility for completion of the SAQ P2PE is dependent not upon PTS approval, but approval of the device for use within their selected P2PE solution. Thus, it is possible for merchants under a valid P2PE solution to continue use of the expired PTS device if they are not in violation of card brand requirements by doing so.
Note, however, that the solution provider may be unable to continue support for expired devices if they do not meet P2PE program requirements, or otherwise choose to remove them from their listing. For instance, solution providers undergoing interim assessments or P2PE QSA re-validation may choose to validate and continue the listing of PTS 3.x devices after 4/2021 in support of their current merchant-base, or they may elect to remove these devices from their listing due to security risks, to conserve on support resources (since new clients will be unable to deploy these devices after that time), or supply-chain related issues as hardware vendors discontinue availability of these devices.
What should you be doing now?
Our first recommendation is to confirm whether you are running PTS POI v3.x (or earlier) devices, and if so, consult with your acquirer regarding whether any planned upgrades will impact your card brand or PCI compliance.
Next, you should schedule time now to speak with your POI vendors about availability of next-generation solutions with improved security and features, such as devices approved to PTS POI versions 4, 5 or 6. All things being equal, best practice would be to give preference to devices approved to the more recent versions of the standard. Since PTS POI version 6 was just released a few months ago, few devices have approved this approval designation, but the list is growing.
When considering compatibility, you must consider whether your POS systems support the latest devices, or whether the hardware manufacturer provides backwards compatibility to communications interfaces and standards to provide continued operation with legacy POS systems.
Finally, if you are not already running a validated point-to-point encryption (P2PE) solution, now is the best time to look at devices which are supported by one of 100+ P2PE solutions. Supported devices are shown under Solution Details for the desired solution. Before making a POI purchasing decision, however, you must consult with the solution provider to confirm compatibility, and follow the appropriate ordering process to ensure compliant configuration and installation to their solution requirements.
For more information on changes to the PCI Security Standards Council device approval listings, visit: https://blog.pcisecuritystandards.org/expiration-date-extended-for-pts-poi-v-3-devices
Information on Visa’s PIN Entry Device (PED) compliance requirements, dates, and definitions can be found here: https://usa.visa.com/content/dam/VCOM/global/partner-with-us/documents/visa-ped-requirments.pdf
-attack.png)
