PCI Security Standards Council Bulletin: Extension of Expiration of the Approval of PCI PTS POI v3 Devices, March 10, 2020.
Due to supply-chain disruptions related to the coronavirus, the PCI Council has extended the expiration date of PIN Transaction Security Point-of-Interaction (PTS POI) v3 devices from 30 April 2020 to 30 April 2021.
For those countries and entities not impacted by the coronavirus, we strongly encourage the deployment and use of next generation solutions such as devices approved to PTS POI v4 or v5 and migrating to POI v6 devices when the standard is released later this year.
On advisement from our industry stakeholders, the Council has determined the preventive controls to stop the spread of the coronavirus will impact previously planned rollouts of POI v3 devices. While recognizing that earlier versions of POI devices may be less robust in withstanding certain of the latest generations of attacks, we do not believe that this limited one-year extension of the approval expiry date for POI v3 devices will materially impact that risk.
The PCI SSC advises merchants, financial institutions, vendors and other users of PTS POI v3 devices, specifically v3 PEDs (PIN entry devices), non-PEDs, EPPs (encrypting PIN pads), UPTs (unattended payment terminals), and SCRs (Secure Card Readers) to contact their device vendors regarding the availability of more recently approved models to use as replacements and in new deployments. Effective 30 April 2021, the affected devices will be removed from the approved POI devices list on the PCI SSC website and listed separately here.
Here are examples of credit card terminals whose PCI PTS 3.x approval expires April 30, 2021:
- Vx525 - Hardware #: M252-5xx-xx-xxx-3
- Optimum M-5 (Verix)-
M465-x7x-xx-xxx-3
M465-x8x-xx-xxx-3
M465-x9x-xx-xxx-3
P090-719-30-RB
SUB090-004-01-A
- FD55 - M252-1xx-x3-FD1-3
- VX 690, VX 690B
M260-x1x-xx-xxx-3
M260-x1x-xx-xxx-3B
M260-x1x-xx-xxx-3C
M260-x1x-xx-xxx-3D
M260-x5x-xx-xxx-3
M260-x5x-xx-xxx-3B
M260-x5x-xx-xxx-3C
M260-x5x-xx-xxx-3D
M087-241-xx-xxx-3
M087-241-xx-xxx-3a
M087-251-xx-xxx-3
M087-251-xx-xxx-3a
M087-261-xx-xxx-3
OP: 2.x.x
QT830017
QT830106
QT830109
QT830120
QT830240
QT830241
QT830245
QT830246.xxxxxxxx
QT830340
QTyy0400.xxxxxxxx
QTyy0500.xxxxxxxx
QTyy0530.xxxxxxxx
QTyy0540.xxxxxxxx
QTyy520.xxxxxxxx
M266-x7x-xx-xxx-3
M266-x8x-xx-xxx-3
M266-x9x-xx-xxx-3
- IWL220, IWL250 - IWL2xx-01Txxxxx
- IPP220, IPP280 - Hardware #: iPP2xx-01Txxxxx
- ICT220, ICT250 - Hardware #: iCT2xx-11Txxxxx
- iCMP - Hardware #: ICMxxx-01Txxxxx (Non CTLS), ICMxxx-11Txxxxx (CTLS), ICMxxx-21Txxxxx, ICMxxx-31Txxxxx
- Ingenico iSC 250 & TOUCH 250 - Hardware #: iSC2xx-01Txxxxx, iSC2xx-21Txxxxx, iSC2xx-31Txxxxx
Hardware #: ISC4xx-01Txxxxx (no CTLS)
ISC4xx-11Txxxxx (CTLS)
ISC4xx-01Txxxxx
ISC4xx-11Txxxxx
- iPP310, iPP320, iPP350
- FD130 - Hardware #: T0PXXXXB1CXX4X
Ingenico is a good example of varying PCI PTS versions within the same model, e.g. the Ingenico iSC TOUCH 250 PCI 4.0 Certified.
For a complete list, see the PCI Security Standards Council (“PCI SSC”) List of Validated Products and Solutions: https://www.pcisecuritystandards.org/assessors_and_solutions/pin_transaction_devices?agree=true
What happens if you continue using an expired terminal?
- If there is a data breach, the cost of which typically exceeds $1 million, you’ll have no safe harbor because you used expired equipment.
- Your acquirer could shut you down at any time. They know what type of equipment you have because when your account is established they create a communication connection (TID or terminal identification). It’s happened before. I picked up four new clients in one month that were all shut down by their processor for using outdated equipment and/or software. They were left with no way to process at all and felt they should have been contacted to make a change before it happened.
Where can you buy a new terminal?
Buy one from Christine! Never buy a terminal on eBay or from any unknown source. Terminals should ship directly from an authorized entity that also does PIN debit encryption. Never let a salesperson or any non-employee install your credit card terminal unless they are PCI Council QIR certified; Level 4 merchants are mandated to only use QIR individuals. The QIR designation belongs to individuals, not companies.
Disclaimer: This is not a comprehensive list and does not include all related data for individual products. Merchants should review current information at the PCI Council web site, pcisecuritystandards.org.
Call Christine Speedy for all your merchant account, hardware and virtual terminal needs. 954-942-0483, 9-5 ET. Christine is Founder of 3D Merchant Services, PCI Council Qualified Integrator Reseller (QIR), and is a credit card processing expert with specialized expertise in card not present and B2B payment processing technology. Less than 1% of all merchant services sales representatives are QIR certified. Christine is an authorized independent sales agent for a variety of merchant services and payment technology solutions.