Ingenico ISC 250 PCI PTS v3 and v4 End of Life

Ingenico announced end of life for the ISC 250 with PCI PTS v3 and v4 in March of 2019. This has not stopped companies from selling them, however, due to the PCI PTS expiration in April 2021, merchants who use them would not be able to prove PCI compliance in the event of a data breach.

Did you know terminals have their own Payment Card Industry or PCI certification? The standards are part of the overall merchant requirements to maintain the security of cardholder data. Those rules change over time and a bunch of Ingenico equipment recently expired, including the popular ISC250 lane terminal.

Ingenico issued end of life notifications on their PCI PTS 3 range of payment devices in compliance with the PCI Security Standards Council PCI 3 expiration date of April 30, 2020, which was extended to April 30, 2021 due to Covid. Often merchants will get notifications like this from their acquirer on their merchant statement.

Which Ingenico terminals are impacted?

  • iSC Touch 480 PCI-PTS v3/4 model
  • iSC Touch 250 PCI-PTS v3/4 model
  • iPP320 PCI-PTS v4
  • iPP350 PCI-PTS v4
  • This list does not include all devices! Merchants should check with their providers especially if using a non-EMV device or if you were an early EMV chip adopter.
ingenico isc250 signature capture terminal
Ingenico isc250

What does End of Life mean?

(PCI) PIN Transaction Security (PTS) v3 expires April 30, 2021.

(PCI) PIN Transaction Security (PTS) v4 expires April 30, 2023.

PCI PTS v5 expires April 30, 2026.

Are merchants PCI Compliant if they continue to use PCI 3 terminals after April 2021? The PCI Council urges but does not mandate merchants use approved PTS devices in their payment environments. However, in our experience, between payment brand and acquirer requirements, merchants generally need to use only approved PTS devices or risk getting shut down. Research expiration dates of terminals on the PCI Council web site. I’d be concerned about liability and the ability to prove PCI compliance, especially in the event of a data breach. If security vulnerabilities or exploits are identified by processors after April 2021, and you’re using the terminals, who’s to say when or even if a solution could be found to fix it?

How disruptive would it be for your business to have to shut down using them and get another solution? There are always people who procrastinate making changes. And when something goes wrong, phone calls to processors explode, so change is usually not as swift as you’d like.

Note, only employees and PCI QIR certified individuals can install or touch your credit card terminals. Terminals are one of the most important factors determining rates you pay and chargeback risk. Why? Call now to learn more. This is the perfect time for an external account review by a payments expert.

TIP for Christine Speedy Ingenico ISC250 customers: If you were an early adopter and had your terminals deployed prior to the EMV chip liability shift in October 2015, there’s no need to check part numbers; They need to be replaced. Please contact me directly to consult on replacement options.

Call Christine Speedy , PCI QIR certified, for new PCI 5 terminals, technology review and or merchant account review to maximize profits and improve your customer experience. 954-942-0483, 9-5 ET

PCI Security Standards Council Extension of PCI PTS POI v3 Devices

PCI Security Standards Council Bulletin: Extension of Expiration of the Approval of PCI PTS POI v3 Devices, March 10, 2020.

Due to supply-chain disruptions related to the coronavirus, the PCI Council has extended the expiration date of PIN Transaction Security Point-of-Interaction (PTS POI) v3 devices from 30 April 2020 to 30 April 2021.

For those countries and entities not impacted by the coronavirus, we strongly encourage the deployment and use of next generation solutions such as devices approved to PTS POI v4 or v5 and migrating to POI v6 devices when the standard is released later this year.

On advisement from our industry stakeholders, the Council has determined the preventive controls to stop the spread of the coronavirus will impact previously planned rollouts of POI v3 devices. While recognizing that earlier versions of POI devices may be less robust in withstanding certain of the latest generations of attacks, we do not believe that this limited one-year extension of the approval expiry date for POI v3 devices will materially impact that risk.

The PCI SSC advises merchants, financial institutions, vendors and other users of PTS POI v3 devices, specifically v3 PEDs (PIN entry devices), non-PEDs, EPPs (encrypting PIN pads), UPTs (unattended payment terminal), and SCRs (Secure Card Readers) to contact their device vendors regarding the availability of more recently approved models to use as replacements and in new deployments. Effective 30 April 2021, the affected devices will be removed from the approved POI devices list on the PCI SSC website and listed separately here

Here are examples of credit card terminals with expiring PCI PTS 3.x April 30, 2021:

  • Vx525- Hardware #: M252-5xx-xx-xxx-3
  • Optimum M-5 (Verix)-

M465-x7x-xx-xxx-3
M465-x8x-xx-xxx-3
M465-x9x-xx-xxx-3

  • SCR-710, Mx760 SCR-

P090-719-30-RB
SUB090-004-01-A

  • FD55- M252-1xx-x3-FD1-3
  • VX 690, VX 690B

M260-x1x-xx-xxx-3
M260-x1x-xx-xxx-3B
M260-x1x-xx-xxx-3C
M260-x1x-xx-xxx-3D
M260-x5x-xx-xxx-3
M260-x5x-xx-xxx-3B
M260-x5x-xx-xxx-3C
M260-x5x-xx-xxx-3D

  • Vx600 Bluetooth/ MPM-100

M087-241-xx-xxx-3
M087-241-xx-xxx-3a
M087-251-xx-xxx-3
M087-251-xx-xxx-3a
M087-261-xx-xxx-3

  • Vx825

OP: 2.x.x
QT830017
QT830106
QT830109
QT830120
QT830240
QT830241
QT830245
QT830246.xxxxxxxx
QT830340
QTyy0400.xxxxxxxx
QTyy0500.xxxxxxxx
QTyy0530.xxxxxxxx
QTyy0540.xxxxxxxx
QTyy520.xxxxxxxx

  • Vx675 (VOS)

M266-x7x-xx-xxx-3
M266-x8x-xx-xxx-3
M266-x9x-xx-xxx-3

  • IWL220, IWL250- IWL2xx-01Txxxxx
  • IPP220, IPP280Hardware #: iPP2xx-01Txxxxx
  • ICT220, ICT250- Hardware #:iCT2xx-11Txxxxx
  • iCMP-

Hardware #: ICMxxx-01Txxxxx (Non CTLS) ICMxxx-11Txxxxx (CTLS)
ICMxxx-21Txxxxx
ICMxxx-31Txxxxx

  • Ingenico iSC 250 & TOUCH 250 Hardware #: iSC2xx-01Txxxxx

iSC2xx-21Txxxxx
iSC2xx-31Txxxxx

  • ISC Touch 480

Hardware #: ISC4xx-01Txxxxx (no CTLS)
ISC4xx-11Txxxxx (CTLS)

ISC4xx-01Txxxxx
ISC4xx-11Txxxxx

iPP310, iPP320, iPP350

FD130- Hardware #: T0PXXXXB1CXX4X

The Ingenico is a good example of varying PCI PTS within the same model. The Ingenico iSC TOUCH 250 PCI 4.0 Certified

For a complete list , click here https://www.pcisecuritystandards.org/assessors_and_solutions/pin_transaction_devices?agree=true PCI Security Standards Council (“PCI SSC”) LIST OF VALIDATED PRODUCTS AND SOLUTIONS

What happens if you continue using an expired terminal?

  • If there is a data breach, the cost of which typically exceeds $1 million, you’ll have no safe harbor because you used expired equipment.
  • Your acquirer could shut you down at any time. They know what type of equipment you have because when your account is established they create a communication connection (TID or terminal identification). It’s happened before. I picked up four new clients in one month that were all shut down by their processor for using outdated equipment and or software. There were left with no way to process at all and felt they should have been contacted to make a change before it happened.

Where can you buy a new terminal?

Buy one from Christine! Never buy a terminal on Ebay or any unknown source. Terminals should ship directly from an authorized entity that also does pin debit encryption. Never let a salesperson or any non-employee install your credit card terminal unless they are PCI Council QIR certified; Level 4 merchants are mandated to only use QIR individuals. The QIR designation belongs to individuals, not companies.

Disclaimer: This is not a comprehensive list and does not include add related data for individual products. Merchants should review current information at the PCI Council web site, pcisecuritystandards.org.

Call Christine Speedy, for all your merchant account, hardware and virtual terminal needs. 954-942-0483, 9-5 ET. Christine is Founder of 3D Merchant Services, PCI Council Qualfied Integrator Reseller (QIR), and is a credit card processing expert with specialized expertise in card not present and B2B payment processing technology. Less than 1% of all merchant services sales representatives are QIR certified. Christine is an authorized independent sales agent for a variety of merchant services and payment technology solutions.

Verifone PCI 3 End of Life Terminals

Did you know terminals have their own Payment Card Industry or PCI certification? The standards are part of the overall merchant requirements to maintain the security of cardholder data. Those rules change over time and a bunch of Verifone equipment is expiring, including the popular Vx520 countertop terminal and Vx820 pinpad.

Last August, Verifone issued end of life notification on their PCI 3 range of payment devices in compliance with the PCI Security Standards Council PCI 3 expiration date of April 30, 2020. Often merchants will get notifications like this from their acquirer on their merchant statement.

Which Verifone terminals are impacted?

  • Vx520, VX510, VX570
  • Vx805 – M280-703-0X-XXX-X
  • Vx820 pin pad
  • Vx675, Vx680, Vx685, Optimum M5
  • Mx915 (PN 132-XX…), Mx925 (PN 132-XX…)
  • H5000
  • This list does not include all devices! Merchants should check with their providers especially if using a non-EMV device or if you were an early EMV chip adopter.
  • verifone vx510

What does End of Life mean?

  • Final date for new terminal sales (fall 2019)
  • End of Development- Improvements or changes have stopped
  • End of Support Date- Verifone will not issue software updates after April 2020, except that, until April 2023 they will continue to provide error corrections for Severity 1 (Critical) software errors, including security vulnerabilities.
  • End of Service Date- April 2023. Verifone will honor any extended support contracts to their term. Subject to component availability and other factors, Verifone will also continue to provide repair.

(PCI) PIN Transaction Security (PTS) v4 expires April 30, 2023. PCI PTS v5 expires April 30, 2026.

Are merchants PCI Compliant if they continue to use PCI 3 terminals after April 2020? The PCI Council urges but does not mandate merchants use approved PTS devices in their payment environments. However, in our experience, between payment brand and acquirer requirements, merchants generally need to use only approved PTS devices or risk getting shut down. Research expiration dates of terminals on the PCI Council web site. I’d be concerned about liability and the ability to prove PCI compliance, especially in the event of a data breach. Verifone will not issue software updates or provide development support after April 2020. If security vulnerabilities or exploits are identified by the processors after April 2020, and you’re using the terminals, who’s to say when or even if a solution could be found to fix it?

How disruptive would it be for your business to have to shut down using them and get another solution? There are always people who procrastinate making changes. And when something goes wrong, phone calls to processors explode, so change is usually not as swift as you’d like.

Note, only employees and PCI QIR certified individuals can install or touch your credit card terminals. Terminals are one of the most important factors determining rates you pay and chargeback risk. Why? Call now to learn more. This is the perfect time for an external account review by a payments expert.

TIP for Christine Speedy Verifone Mx915 customers: If you have a part number that starts with this “PN 132”, replace the terminal. If you were an early adopter and had your terminals deployed prior to the EMV chip liability shift in October 2015, there’s no need to check part numbers; They need to be replaced. Please contact me directly to consult on replacement options.

Call Christine Speedy , PCI QIR certified, for new PCI 5 terminals, technology review and or merchant account review to maximize profits and improve your customer experience. 954-942-0483, 9-5 ET

Verifone VX terminal reboot: urgent update

All Verifone VX terminals must be updated by June 25, 2019 or merchants risk problems where the terminal is stuck in a reboot and cannot accept credit cards. Verifone posted an advisory on their support web site June 3. Hopefully owners will be notified by their acquirers before they have hard failure. The VX series is very popular so it could be problematic if many thousands of VX terminal owners try and download the update at the same time.

Action is required for all customers using VX (all VX) or e-Series Devices (limited to e315, e315m and e355) on any version of CommServer prior to 544 or 5441 who have not downloaded the recovery utility. This action is for both customers who have successfully recovered their devices from a reboot loop, those who may be in a reboot loop, and those that did not experience issues at all on or around May 25, 2019. Read the entire alert on the Verifone support web page here.

The advisory impacts all Verifone VX terminals, so per my search, that would include the VX 520, VX 680, VX 805, and VX 670. Are you in need of a new or replacement terminal?

The Christine Speedy difference. Find out what terminal is best for your credit card processing situation. Call someone who knows the rules and can help you optimize for the lowest interchange rate qualification. Terminal choice matters! B2B expert. 954-942-0483, 9-5 ET.

Microsoft Dynamics AX ERP Verifone EMV Connector

Want to accept EMV chip cards with a Verifone MX 915 in your Microsoft Dynamics AX ERP? Ask me about best alternative to Payware for B2B and B2G sales. No Retail MPOS is needed. With our module you’ll be live in no time with all the protections you need to maximize profits, mitigating fraud risk and reducing merchant fees with your existing merchant account.

All transaction types are supported for all your sales channels, and you can accept payments via free text invoices, CRM and more.

The Christine Speedy difference. PCI compliance is important to mitigate data breach risk, but equally important is compliance with complicated card network rules. Have you read any of the 1,000+ pages of Visa Rules? Or 300+ Mastercard transaction processing rules? Have any of the people you rely on? I’ve spent countless hours educating myself on them and learning about the nuances that impact your profit and risk. Technology directly impacts compliance. It doesn’t matter how big or how old a company is; the reality is most players in the payments industry fall behind with every new rule that comes out, even though these rules are usually announced years in advance so that they can prepare. Call 954-942-0483, 9-5 ET for expert advice about all things payments for Microsoft Dynamics AX and D365.