‘Ask a QSA’ recently received the below question that we believe will be of interest to our readers. Client Engagement QSA, Natasja Bolton answers.
What does the removal of the PCI PTS v3.0 PIN Entry Devices from the Approved list to Expired, mean for our merchants?
On 1st April 2021, Visa issued a reminder that PCI PIN entry devices (PED) v3.0 security approval expires 30 April 2021.
This came as a timely reminder that back in March 2020 the PCI Security Standards Council extended the approval expiration date of PIN Transaction Security Point-of-Interaction (PTS POI) v3 devices from 30th April 2020 to 30th April 2021, in response to supply-chain disruptions related to the Coronavirus that delayed rollout of devices approved to PTS POI v4 or v5.
After 30th April 2021, the affected PCI PTS v3.0 devices will be removed from the approved POI devices list on the PCI SSC website and listed separately alongside the previously expired PTS v1 and PTS v2 devices here.
While the approval of PTS v3 PED devices does indeed expire on 30th April 2021, that approval expiry does not prohibit merchants from continuing to use v3 devices that they purchased before the expiry date.
The Visa PIN Security Program Guide makes it clear (in Appendix B) that PCI PTS v3 Approved Attended POS PIN Entry Devices (PEDs) and Encrypting PIN Pads (EPP) used in unattended POS or Kiosks cannot be purchased after the Approval Expiration Date but that devices already purchased and in use prior to the Approval Expiration Date can continue to be used until the Sunset Date: 31st December 2030.
Our clients’ compliance portals present hardware terminal picklists during the business profile stage of their compliance journey, this may a picklist utilising the full PCI PTS list of approved devices and / or a bespoke client-specific list of hardware devices.
Hardware terminal picklists created from the PCI list of approved PTS devices are regularly updated; therefore, merchants continuing to use their PCT PTS v3 devices after the April 2021 expiration date will find that their hardware terminal is no longer listed and will need to be manually added (if that function is available).
For clients offering their merchant a picklist of specific named devices, there may be no immediate need to change the picklist in response to the PTS v3 expiration. However, clients may wish to commence communicating with or notifying merchants using devices with expired PTS approval advising them to contact their terminal provider to migrate to an up to date device.
Sysnet recommend our Clients contact their Business Relationship Manager or Client Success Manager to discuss options to support communication with your merchants on migrating away from their PTS v3 devices.