CAPK expired error messages on VeriFone EMV terminals

Looking for solutions to fix CAPK errors on credit card terminals? In 2016, 3D Merchant blog explained about CAPK expired error messages on VeriFone EMV terminals and how to fix them. With credit card terminal lifespans of about 5 years, primarily due to security enhancements, the answers are different in 2022. Computers cannot be upgraded at some point and neither can credit card terminals.

The old article referenced the VeriFone EMV Vx520, FD55, Vx510, Vx570, among other terminals. A later blog post explained Verifone PCI 3 End of Life Terminals, which includes those and others. Merchants using the related desktop terminals, which typically require a manual download from the merchant acquirer to update, are unlikely able to get new updates due to the end of life process.

Previously Visa extended the EMV Certification Authority Public Keys (CAPK) key’s expiration date from 12/31/2015 to 2022, which required a terminal software update. Chip cards contain the issuers private keys which need to be verified by the card issuer’s public keys during online authorization requests.  The keys come from the Certification Authority Public Keys (CAPK), and they expire periodically. Card readers reject transactions (decline) when an incorrect or expired CAPK is used. When a terminal reaches a certain point at end of life, they can’t be updated and the CAPK error is just another symptom of the current problem: it’s time to replace the credit card terminal.

VX520 emv NFC verifone terminal

CURRENT RECOMMENDATIONS:

  1. If you want to keep your current acquirer, and are interested in exploring technology solutions to enhance business operations, security and your customer experience, contact 3D Merchant Services for cloud technology solutions and compatible terminals. If your acquirer, refers you to 3D Merchant Services to solve your CAPK problem, this is how it will be done- equipment and processes WILL change. For 3D Merchant clients, the benefits far outweigh the cost to replace.
  2. If you want to keep your current acquirer and keep your equipment, only your current acquirer can help you resolve CAPK issue, if feasible. If you do not know how to reach your acquirer, a phone number is provided on your merchant statement.

How to identify if terminal is end of life?

  1. If it’s more than 5 years old, it almost certainly is. Look for date on the terminal.
  2. Look for PCI PTS version on the terminal.
  3. Call your acquirer.
  4. If your terminal uses PCI PTS, which is rquired certification for devices that accept pin code entry, 3.x (expired now) or 4.x (expires 2023), the time to plan for their replacement is NOW. Do not wait. The sources below are not that great because PCI web site now says to refer to manufacturers for research and limits which are listed on their web site.
  5. Google your “terminal name specifications”. A PDF spec sheet will have the PCI PTS version or their might be a sticker on the terminal with a date and or P
  6. Search for devices here on the Official PCI Security Standards web site https://www.pcisecuritystandards.org/assessors_and_solutions/pin_transaction_devices?agree=true
  7. On manufacturer web sites, look up the terminal security specifications. For example, this shows PCI PTS 4.x approved for the MX 915 currently for sale. https://www.verifone.com/en/us/devices/multilane/mx-915. PCI PTS 4.x expires in April 2023.
    COVID ALERT: Due to supply chain problems, terminals are nationally in short supply for all manufacturers. 3D Merchant Services offers equipment sales only to customers. All terminals ship direct from certified facilities and are billed by the recommended solutions provider.

Call Christine Speedy, 3D Merchant Services owner and Authorized Reseller. Call for simple solutions to payment transaction problems. 954-942-0483, 9-5 ET.

Ingenico ISC 250 PCI PTS v3 and v4 End of Life

Ingenico announced end of life for the ISC 250 with PCI PTS v3 and v4 in March of 2019. This has not stopped companies from selling them, however, due to the PCI PTS expiration in April 2021, merchants who use them would not be able to prove PCI compliance in the event of a data breach.

Did you know terminals have their own Payment Card Industry or PCI certification? The standards are part of the overall merchant requirements to maintain the security of cardholder data. Those rules change over time and a bunch of Ingenico equipment recently expired, including the popular ISC250 lane terminal.

Ingenico issued end of life notifications on their PCI PTS 3 range of payment devices in compliance with the PCI Security Standards Council PCI 3 expiration date of April 30, 2020, which was extended to April 30, 2021 due to Covid. Often merchants will get notifications like this from their acquirer on their merchant statement.

Which Ingenico terminals are impacted?

  • iSC Touch 480 PCI-PTS v3/4 model
  • iSC Touch 250 PCI-PTS v3/4 model
  • iPP320 PCI-PTS v4
  • iPP350 PCI-PTS v4
  • This list does not include all devices! Merchants should check with their providers especially if using a non-EMV device or if you were an early EMV chip adopter.
ingenico isc250 signature capture terminal
Ingenico isc250

What does End of Life mean?

(PCI) PIN Transaction Security (PTS) v3 expires April 30, 2021.

(PCI) PIN Transaction Security (PTS) v4 expires April 30, 2023.

PCI PTS v5 expires April 30, 2026.

Are merchants PCI Compliant if they continue to use PCI 3 terminals after April 2021? The PCI Council urges but does not mandate merchants use approved PTS devices in their payment environments. However, in our experience, between payment brand and acquirer requirements, merchants generally need to use only approved PTS devices or risk getting shut down. Research expiration dates of terminals on the PCI Council web site. I’d be concerned about liability and the ability to prove PCI compliance, especially in the event of a data breach. If security vulnerabilities or exploits are identified by processors after April 2021, and you’re using the terminals, who’s to say when or even if a solution could be found to fix it?

How disruptive would it be for your business to have to shut down using them and get another solution? There are always people who procrastinate making changes. And when something goes wrong, phone calls to processors explode, so change is usually not as swift as you’d like.

Note, only employees and PCI QIR certified individuals can install or touch your credit card terminals. Terminals are one of the most important factors determining rates you pay and chargeback risk. Why? Call now to learn more. This is the perfect time for an external account review by a payments expert.

TIP for Christine Speedy Ingenico ISC250 customers: If you were an early adopter and had your terminals deployed prior to the EMV chip liability shift in October 2015, there’s no need to check part numbers; They need to be replaced. Please contact me directly to consult on replacement options.

Call Christine Speedy , PCI QIR certified, for new PCI 5 terminals, technology review and or merchant account review to maximize profits and improve your customer experience. 954-942-0483, 9-5 ET

PCI Security Standards Council Extension of PCI PTS POI v3 Devices

PCI Security Standards Council Bulletin: Extension of Expiration of the Approval of PCI PTS POI v3 Devices, March 10, 2020.

Due to supply-chain disruptions related to the coronavirus, the PCI Council has extended the expiration date of PIN Transaction Security Point-of-Interaction (PTS POI) v3 devices from 30 April 2020 to 30 April 2021.

For those countries and entities not impacted by the coronavirus, we strongly encourage the deployment and use of next generation solutions such as devices approved to PTS POI v4 or v5 and migrating to POI v6 devices when the standard is released later this year.

On advisement from our industry stakeholders, the Council has determined the preventive controls to stop the spread of the coronavirus will impact previously planned rollouts of POI v3 devices. While recognizing that earlier versions of POI devices may be less robust in withstanding certain of the latest generations of attacks, we do not believe that this limited one-year extension of the approval expiry date for POI v3 devices will materially impact that risk.

The PCI SSC advises merchants, financial institutions, vendors and other users of PTS POI v3 devices, specifically v3 PEDs (PIN entry devices), non-PEDs, EPPs (encrypting PIN pads), UPTs (unattended payment terminal), and SCRs (Secure Card Readers) to contact their device vendors regarding the availability of more recently approved models to use as replacements and in new deployments. Effective 30 April 2021, the affected devices will be removed from the approved POI devices list on the PCI SSC website and listed separately here

Here are examples of credit card terminals with expiring PCI PTS 3.x April 30, 2021:

  • Vx525- Hardware #: M252-5xx-xx-xxx-3
  • Optimum M-5 (Verix)-

M465-x7x-xx-xxx-3
M465-x8x-xx-xxx-3
M465-x9x-xx-xxx-3

  • SCR-710, Mx760 SCR-

P090-719-30-RB
SUB090-004-01-A

  • FD55- M252-1xx-x3-FD1-3
  • VX 690, VX 690B

M260-x1x-xx-xxx-3
M260-x1x-xx-xxx-3B
M260-x1x-xx-xxx-3C
M260-x1x-xx-xxx-3D
M260-x5x-xx-xxx-3
M260-x5x-xx-xxx-3B
M260-x5x-xx-xxx-3C
M260-x5x-xx-xxx-3D

  • Vx600 Bluetooth/ MPM-100

M087-241-xx-xxx-3
M087-241-xx-xxx-3a
M087-251-xx-xxx-3
M087-251-xx-xxx-3a
M087-261-xx-xxx-3

  • Vx825

OP: 2.x.x
QT830017
QT830106
QT830109
QT830120
QT830240
QT830241
QT830245
QT830246.xxxxxxxx
QT830340
QTyy0400.xxxxxxxx
QTyy0500.xxxxxxxx
QTyy0530.xxxxxxxx
QTyy0540.xxxxxxxx
QTyy520.xxxxxxxx

  • Vx675 (VOS)

M266-x7x-xx-xxx-3
M266-x8x-xx-xxx-3
M266-x9x-xx-xxx-3

  • IWL220, IWL250- IWL2xx-01Txxxxx
  • IPP220, IPP280Hardware #: iPP2xx-01Txxxxx
  • ICT220, ICT250- Hardware #:iCT2xx-11Txxxxx
  • iCMP-

Hardware #: ICMxxx-01Txxxxx (Non CTLS) ICMxxx-11Txxxxx (CTLS)
ICMxxx-21Txxxxx
ICMxxx-31Txxxxx

  • Ingenico iSC 250 & TOUCH 250 Hardware #: iSC2xx-01Txxxxx

iSC2xx-21Txxxxx
iSC2xx-31Txxxxx

  • ISC Touch 480

Hardware #: ISC4xx-01Txxxxx (no CTLS)
ISC4xx-11Txxxxx (CTLS)

ISC4xx-01Txxxxx
ISC4xx-11Txxxxx

iPP310, iPP320, iPP350

FD130- Hardware #: T0PXXXXB1CXX4X

The Ingenico is a good example of varying PCI PTS within the same model. The Ingenico iSC TOUCH 250 PCI 4.0 Certified

For a complete list , click here https://www.pcisecuritystandards.org/assessors_and_solutions/pin_transaction_devices?agree=true PCI Security Standards Council (“PCI SSC”) LIST OF VALIDATED PRODUCTS AND SOLUTIONS

What happens if you continue using an expired terminal?

  • If there is a data breach, the cost of which typically exceeds $1 million, you’ll have no safe harbor because you used expired equipment.
  • Your acquirer could shut you down at any time. They know what type of equipment you have because when your account is established they create a communication connection (TID or terminal identification). It’s happened before. I picked up four new clients in one month that were all shut down by their processor for using outdated equipment and or software. There were left with no way to process at all and felt they should have been contacted to make a change before it happened.

Where can you buy a new terminal?

Buy one from Christine! Never buy a terminal on Ebay or any unknown source. Terminals should ship directly from an authorized entity that also does pin debit encryption. Never let a salesperson or any non-employee install your credit card terminal unless they are PCI Council QIR certified; Level 4 merchants are mandated to only use QIR individuals. The QIR designation belongs to individuals, not companies.

Disclaimer: This is not a comprehensive list and does not include add related data for individual products. Merchants should review current information at the PCI Council web site, pcisecuritystandards.org.

Call Christine Speedy, for all your merchant account, hardware and virtual terminal needs. 954-942-0483, 9-5 ET. Christine is Founder of 3D Merchant Services, PCI Council Qualfied Integrator Reseller (QIR), and is a credit card processing expert with specialized expertise in card not present and B2B payment processing technology. Less than 1% of all merchant services sales representatives are QIR certified. Christine is an authorized independent sales agent for a variety of merchant services and payment technology solutions.

Verifone PCI 3 End of Life Terminals

Did you know terminals have their own Payment Card Industry or PCI certification? The standards are part of the overall merchant requirements to maintain the security of cardholder data. Those rules change over time and a bunch of Verifone equipment is expiring, including the popular Vx520 countertop terminal and Vx820 pinpad.

Last August, Verifone issued end of life notification on their PCI 3 range of payment devices in compliance with the PCI Security Standards Council PCI 3 expiration date of April 30, 2020. Often merchants will get notifications like this from their acquirer on their merchant statement.

Which Verifone terminals are impacted?

  • Vx520, VX510, VX570
  • Vx805 – M280-703-0X-XXX-X
  • Vx820 pin pad
  • Vx675, Vx680, Vx685, Optimum M5
  • Mx915 (PN 132-XX…), Mx925 (PN 132-XX…)
  • H5000
  • This list does not include all devices! Merchants should check with their providers especially if using a non-EMV device or if you were an early EMV chip adopter.
  • verifone vx510

What does End of Life mean?

  • Final date for new terminal sales (fall 2019)
  • End of Development- Improvements or changes have stopped
  • End of Support Date- Verifone will not issue software updates after April 2020, except that, until April 2023 they will continue to provide error corrections for Severity 1 (Critical) software errors, including security vulnerabilities.
  • End of Service Date- April 2023. Verifone will honor any extended support contracts to their term. Subject to component availability and other factors, Verifone will also continue to provide repair.

(PCI) PIN Transaction Security (PTS) v4 expires April 30, 2023. PCI PTS v5 expires April 30, 2026.

Are merchants PCI Compliant if they continue to use PCI 3 terminals after April 2020? The PCI Council urges but does not mandate merchants use approved PTS devices in their payment environments. However, in our experience, between payment brand and acquirer requirements, merchants generally need to use only approved PTS devices or risk getting shut down. Research expiration dates of terminals on the PCI Council web site. I’d be concerned about liability and the ability to prove PCI compliance, especially in the event of a data breach. Verifone will not issue software updates or provide development support after April 2020. If security vulnerabilities or exploits are identified by the processors after April 2020, and you’re using the terminals, who’s to say when or even if a solution could be found to fix it?

How disruptive would it be for your business to have to shut down using them and get another solution? There are always people who procrastinate making changes. And when something goes wrong, phone calls to processors explode, so change is usually not as swift as you’d like.

Note, only employees and PCI QIR certified individuals can install or touch your credit card terminals. Terminals are one of the most important factors determining rates you pay and chargeback risk. Why? Call now to learn more. This is the perfect time for an external account review by a payments expert.

TIP for Christine Speedy Verifone Mx915 customers: If you have a part number that starts with this “PN 132”, replace the terminal. If you were an early adopter and had your terminals deployed prior to the EMV chip liability shift in October 2015, there’s no need to check part numbers; They need to be replaced. Please contact me directly to consult on replacement options.

Call Christine Speedy , PCI QIR certified, for new PCI 5 terminals, technology review and or merchant account review to maximize profits and improve your customer experience. 954-942-0483, 9-5 ET

Verifone VX terminal reboot: urgent update

All Verifone VX terminals must be updated by June 25, 2019 or merchants risk problems where the terminal is stuck in a reboot and cannot accept credit cards. Verifone posted an advisory on their support web site June 3. Hopefully owners will be notified by their acquirers before they have hard failure. The VX series is very popular so it could be problematic if many thousands of VX terminal owners try and download the update at the same time.

Action is required for all customers using VX (all VX) or e-Series Devices (limited to e315, e315m and e355) on any version of CommServer prior to 544 or 5441 who have not downloaded the recovery utility. This action is for both customers who have successfully recovered their devices from a reboot loop, those who may be in a reboot loop, and those that did not experience issues at all on or around May 25, 2019. Read the entire alert on the Verifone support web page here.

The advisory impacts all Verifone VX terminals, so per my search, that would include the VX 520, VX 680, VX 805, and VX 670. Are you in need of a new or replacement terminal?

The Christine Speedy difference. Find out what terminal is best for your credit card processing situation. Call someone who knows the rules and can help you optimize for the lowest interchange rate qualification. Terminal choice matters! B2B expert. 954-942-0483, 9-5 ET.