Are all merchant terminals PCI compliant?

No. The PCI compliance standard requires, among other things, that merchants and processors encrypt card data and protect databases with firewalls and other anti-intrusion measures. Terminals that lack these protections cannot be modified in the field; the only alternative is replacement.

Hypercom (Optimum T4100) and VeriFone (Omni VeriFone 3200 and 3750) have chip sets that are tamper-proof and resistant to hackers trying to extract data such as PINs as it flows through the device.
Older terminals, including many Hypercoms and Tranz 380s, do not have such encryption.

The penalty for non-compliance with no data loss is minimal.
The penalty for non-compliance with data breach is $600,000 and up.

So while getting certification has been costly for manufacturers, and thus their customers, the cost for non-compliance is greater. Companies experience 17% customer churn after data breach vs 2-3% average churn.

8 thoughts on “Are all merchant terminals PCI compliant?”

  1. I CONTINUE TO GET CALLS FROM NORTHERN LEASING. THEY TELL ME THAT MY VERIFONE OMNI 3200 IS NOT COMPLIANT. I CALL MY MERCHANT SERVICES AND THEY SAY THE MACHINE IS COMPLIANT. WHO IS CORRECT?

  2. It’s not a black and white answer.
    The Verifone omni 3200 H32413G software was discontinued 10/31/2008 for non-compliance.
    The Verifone omni 3200 and 3200SE with H32P18R application is compliant. With my processors you cannot add new systems, but if you have an existing account, you can keep it. Your merchant services company would have a record of the software level you are using; Northern Leasing would not.
    Additionally, if you have a pinpad, it may not be compliant with 2010 standards. The 1000SE can be added to existing 3200s to correct that problem. Our current price is $129, plus encryption $25 and shipping.

  3. Hi Sharon,
    There are ‘conditions’ regarding equipment compliance so there is no straight answer. The primary conditions are:
    – Existing equipment, not changing processors. This matters because there are deadlines for replacing. Basically, in some cases you can keep a terminal longer at one processor, but you cannot board it on any new processor. This is a way to weed out the older terminals over time, without requiring every merchant to go out and buy a new one all at once.

    – PED (PIN entry device): different from the terminal itself.

    – What processor you are connecting to. This shouldn’t matter. The terminal is either compliant or not, right? In reality, some processors will let you board terminals that are not compliant or are near ‘end of life’. This makes it harder to figure out if something is compliant because the processor doesn’t tell you. It shouldn’t happen, but it does.

    Links and Tips:

    – List of approved PIN entry devices (i.e. pinpad terminals): a short article about the subject, which also contains a link to the PCI Security Standards web site page.

    – PCI PED approved pinpad equipment list.

    – Links to the PCI Security Standards web site page.

    Check the manufacturer web site. You should be able to find the equipment you want to check listed on their site.

    I have a very large spreadsheet for different processors, including First Data and Chase Paymentech, that lists all the equipment that is PCI Compliant along with other conditions, including which platform a new merchant account can board the equipment on. For example, there is First Data Omaha, First Data location B, etc. Most merchants don’t know the platform location; that’s normal. The spreadsheet is private data so I cannot share it. However, if you provide a specific make and model, I can try to answer your question.

  4. I have a “to the point” question, and am hoping for a “definitive” answer.

    I have a Verifone Tranz 330 terminal which is used in my home/office only, by me only with all info typed in by my hand only. No customer cards (or other parties) are present. It is attached only to the phone line (doesn’t process thru a computer).

    I am now being told by my processor (TransFirst) that it is “out of compliance because it has no firewall” and “can no longer be supported”, as it could be “hacked”. They are stating that I “must upgrade immediately.”

    Is what they are saying true? And if possible, explain how, based on its present method and amount of use (card #’s processed on average 5-6 times per month), this terminal’s transactions could be hacked.

    (Note: I have been approached and received an attractive (lower rates/fees etc) from another processor who has said my terminal is OK for processing. Might they be lying, re the terminal, in order to get my business?)

  5. First, if that’s what they are telling you, then you must comply. They make the rules. By refusing to follow them, you would be in breach of contract and open to risk of having your merchant account closed or worse.

    Second, if you wanted to switch processors to one of my suppliers, you would not be able to open an account with that terminal. The major processors I work with will not allow new accounts to be boarded with that unit.

    Regarding your specific questions:
    “out of compliance because it has no firewall.” I know that some units, but I don’t know for a fact if every unit, had this issue. I’d have to research but it’s a moot point as far as I’m concerned.

    Chase Paymentech decertified the unit from their PCI Compliance list effective 8/13/2010. This means that if there is an issue, there is no support and it must be replaced. First Data released a bulletin on the Tranz 330, 380, and 460, earlier this year that said it needed a software update to maintain compliance. It was identified as a unit with potential memory problems to support required changes including but not limited to partial approval, partial auth reversal, account balance responses, and balance inquiry. Additionally, units are to truncate card numbers by default, and masking of expiration dates must always be set to on. Can your unit do all that? Again, your processor is telling you there is a problem.

    Why is a unit decertified? More than likely there is an imminent issue with security.
    Amount of use has no relevance to hacking. If a unit can be hacked, it is not PCI Compliant.

    If you key enter all your transactions, I wouldn’t even buy a new terminal. I recommend a virtual terminal. It’s always compliant and you have no hardware costs. If you’re processing $10,000 a month or more, contact me for more info. If you are processing just a few thousand, I suggest using Paypal’s virtual terminal. (Search my blog for more about this.)
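The reply above mentions two controls a compliant unit must apply by default: truncating card numbers and masking expiration dates on anything it prints or stores. The script below is an added example, not code from this blog or from any terminal vendor, showing what those controls look like when checking a terminal's own transaction log or receipt text for clear-text card data. It follows the PCI DSS display rule (at most the first six and last four digits of a PAN may be shown), uses the Luhn check to tell a real card number from an order or phone number of similar length, and leaves ordinary dates such as 12/02/2010 alone while masking MM/YY expiry fields. The log lines are constructed sample data; the test card number 4111111111111111 is a well-known Luhn-valid test value, not a real account.

```python
import re

# PCI DSS requirement 3.3: when a PAN is displayed, at most the first six and
# last four digits may appear. Everything in between is replaced with '*'.
KEEP_FIRST = 6
KEEP_LAST = 4

# 13 to 19 digits, optionally separated by spaces or dashes, and not part of a
# longer run of digits (so a 20-digit reference number is not cut into a "PAN").
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# MM/YY or MM/YYYY expiry field. The lookarounds reject pieces of a full
# date such as 12/02/2010, which would otherwise look like "12/02" or "02/2010".
EXPIRY = re.compile(r"(?<!/)\b(?:0[1-9]|1[0-2])/(?:\d{4}|\d{2})\b(?!/)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands; filters out look-alike numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan_text: str) -> str:
    """Return the PAN truncated to first six / last four, separators dropped."""
    digits = re.sub(r"\D", "", pan_text)
    hidden = len(digits) - KEEP_FIRST - KEEP_LAST
    return digits[:KEEP_FIRST] + "*" * hidden + digits[-KEEP_LAST:]


def mask_line(line: str):
    """Return (masked_line, pan_count) for one log or receipt line.

    Only Luhn-valid candidates are treated as card numbers; any MM/YY or
    MM/YYYY expiry field is fully masked. pan_count tells a reviewer how many
    clear-text PANs the original line exposed.
    """
    count = 0

    def replace_pan(m):
        nonlocal count
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # not a card number: leave it untouched
        count += 1
        return mask_pan(m.group(0))

    masked = PAN_CANDIDATE.sub(replace_pan, line)
    masked = EXPIRY.sub(lambda m: re.sub(r"\d", "*", m.group(0)), masked)
    return masked, count


def scan_log(lines):
    """Return [(line_number, masked_line, pan_count)] for lines holding a clear-text PAN."""
    findings = []
    for n, line in enumerate(lines, 1):
        masked, count = mask_line(line)
        if count:
            findings.append((n, masked, count))
    return findings


# Constructed sample: three lines as a terminal or host might log them.
SAMPLE_LOG = [
    "12/02/2010 sale 4111111111111111 exp 03/12 amount 45.00",
    "12/02/2010 refund 4111-1111-1111-1111 exp 03/2012 amount 12.50",
    "12/02/2010 order 4111111111111112 shipped via 18005551234",
]

if __name__ == "__main__":
    for n, masked, count in scan_log(SAMPLE_LOG):
        print(f"line {n}: {count} clear-text PAN(s) -> {masked}")
```

Only the first two sample lines are reported: the third holds a 16-digit number that fails the Luhn check and an 11-digit phone number, neither of which is a PAN. The expiry pattern is deliberately narrow; a field like "10/15" in other contexts (a fraction, a partial date) would also be masked, which is the safer failure for data that should never have been logged in the first place.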
