Point of Sale Pin Entry Device (PED) Triple DES 2010 update

To clarify the 2010 Debit Pin Entry Device standard that merchants are expected to comply with by July 2010: not all merchants will need to change their pinpads. If you deployed a POS PED by December 31, 2007 AND it was on the 2004-2007 Visa PCI lab approved list, you have until December 31, 2014 to replace it.

If you do not meet that requirement, then you’ll need to replace your PED by July 1, 2010 with a unit that meets the new Triple Data Encryption Standard (TDES) requirement. Look carefully. There are companies that will sell you units that do not comply with the new standard.

POS – Point of Sale

PED – Pin Entry Device

POS PED – a device in a merchant location where the customer is present at the time of the transaction.

Pinpad (pin pad) – another name for PED

Triple DES – Triple Data Encryption Standard

3DES – same as above

OVERVIEW OF THE 2010 PCI COMPLIANCE RULE FOR DEBIT PIN ENTRY DEVICES:

The new standard is intended to improve the security of customer debit cards. The technology has been widely implemented over a number of years in ATMs and similar devices, and merchant pinpads are the last piece to complete.

DEADLINES:

July 1, 2010: If your unit was deployed after 12/31/2007 and it does not have Triple DES encryption, then you need to replace it. Any unit deployed prior to 2004 needs to be replaced.

12/31/2014: If you deployed a POS PED by December 31, 2007 AND it was on the 2004-2007 Visa PCI lab approved list, then you must replace it with a PCI SSC POS PED by this date.

When you deployed your PED is a matter of record with your current service provider. Where is a copy of the 2004-2007 Visa PCI lab approved list? https://partnernetwork.visa.com/vpn/global/category.do?userRegion=1&categoryId=19&documentId=33

HOW DO I VERIFY IF I HAVE A PCI COMPLIANT PED?

The PCI Data Security Standards Council has an updated list for all merchant providers. List of PCI compliant PEDs

WHICH NEW PIN ENTRY DEVICE DO YOU RECOMMEND?

First, make sure the unit has Triple Data Encryption Standard (TDES) certification. Just because someone is selling it doesn’t mean it’s TDES. The PED must be matched to your terminal and the merchant services provider. You can’t just pick any unit and attach it. A hugely popular unit is the First Data FD-10 debit pin pad, because First Data is one of the largest payment processors in the country. Many merchant providers utilize the First Data system and can therefore use the unit. Additionally, it works with many different desktop terminals.

If you need to upgrade, now is the time to look at your entire system. Do you need a PED or would you be better off with a signature capture terminal that has an integrated PED? You can get a wireless or desktop unit, or even a device that connects to a host based system like CenPOS that provides incredible benefits for organizations processing $1 million per month and up. Take a look at the Ingenico i6580, a top of the line unit.


In summary, I like units that have an integrated Debit PED over a separate device that attaches. Oh, and this is another area where you have to be very careful reading product description text. Some product technical descriptions say they accept debit cards but they are not referring to accepting pin debit transactions! As if merchants don’t have enough to get confused about.

All debit PEDs must be encrypted. This is done via a process called an injection. There are a limited number of facilities in the USA that can perform the injection. That means you should not wait until the last minute because a lot of other people will.

3D Merchant Services is an authorized reseller for current equipment ONLY for major brands including Verifone, Hypercom, and Ingenico. We also offer Nurit, Way and other brands. Because of our high volume, we have wholesale prices compared to others. We’re independent: you can use our credit card processing or not. We don’t give free equipment: you’ll get a better deal on your processing and your equipment if you keep the transactions separate. Equipment is never really free.

3D Merchant Services Powered by CenPOS
2633 NE 26th Ave, Metro South Florida, FL 33064 USA • 954-942-0483

Which Verifone pin entry devices are PCI compliant?

There are various levels of PCI Compliance that merchants should be aware of when purchasing new Verifone pin pads or checking the status of older ones. Pin entry devices are also known as pin-pads, and are used for pin-debit credit card transactions. We get a lot of calls asking to board products that a merchant already owns. That’s OK as long as it meets current guidelines. The chart below is a helpful guide to products that meet current and future requirements.

PIN ENTRY DEVICES: VFI 1000SE, VFI Omni 7000, VFI SC5000, VFI EverestPlus 3DES, Hypercom P1300, Hypercom S9
SECURITY COMPLIANCE / ENCRYPTION
DES Encryption: X X X X X X
Triple DES Encryption: X X X X X X
PCI PED Compliant: X

If your unit is not one of these devices, please visit the manufacturer web site to see if there are newer models. If you have an older model not listed here, you’ll need to replace it by July 1, 2010.

Many pin pads cost $75 to $100 new. These must be encrypted and matched for compatibility to whatever your main unit is. For security reasons, there are very few locations in the country with the rights to encrypt. These encryption centers do not deal directly with the merchant, but through resellers.

What are Visa’s requirements for implementing Triple DES?
PIN Entry Device TDES Capability Requirements:
• Effective 01 January 2003, all newly deployed ATMs (including replacement devices) must support TDES.
• Effective 01 January 2004, all newly deployed POS PIN acceptance devices (including replacement devices) must support TDES.
• Effective 1 July 2010, Cardholder PINs must be TDES encrypted from all Points-of-Transaction to the Issuer. However, each Visa Region’s TDES dates will supersede the global TDES date whenever the Visa Region’s date precedes the global date.
Note: “Must support” means the device has all the necessary hardware and software required for TDES installed and only requires the loading of a TDES key.