Unattended POS terminals
Levis
02-26-2009, 10:45 PM
Hello,
Based on statute that announces all deployed attended POS PIN acceptance devices must pass testing by a Payment Card Industry (PCI) recognised laboratory and have been approved … Does anybody have any further information about this? Do you think that there is the possibility that merchants will have to replace mentioned terminals with PCI certified POS? Who is responsible for the lab tests, the manufacturer?
Many thanks for your help and have a nice weekend.
Regards,
Martin
jbhall56
02-27-2009, 06:26 AM
Go to the PCI SSC Web site at https://www.pcisecuritystandards.org/security_standards/ped/pcilaboratories.shtml for a list of the certified laboratories.
Yes, manufacturers of PIN Pad devices are responsible for obtaining PED certification of their devices.
The card brands and the PCI SSC have mandated the use of PED certified devices for quite a while, so this is nothing new. What is new is the requirement that unattended devices be PED certified by July 2010. We have a number of gas station and convenience store operators that are struggling with the cost of that requirement and are doing their best to comply. What is more interesting is how the financial institution industry will respond as there are a lot of ATMs out there that are not compliant with the latest PED standard.
With the severe downturn in the economy, it will be interesting to see if the Participating Organizations in the PCI SSC push for a delay.
andrewj
02-27-2009, 11:47 AM
The requirement is that all deployed devices must have been evaluated by an approved laboratory by 2010 - not that they are all PCI PED certified. It is acceptable to have devices in the field that are 'pre-PCI' certified; devices that fit into this category can be found on the Visa PIN website.
The manufacturer is usually responsible for getting devices certified, but this can vary based on contractual arrangements. However, getting certified is not trivial, and (especially with PCI PED v2.x) it is unlikely that devices that have not been designed recently would be compliant.
There is no requirement for unattended devices to have been evaluated by PCI certified laboratories (or to contain an evaluated EPP). The requirement for unattended devices is for them to implement TDES for PIN encryption, and this mandate is not new.
It should also be noted that the overall requirements for unattended devices (Unattended Payment Terminals, or UPTs) have not yet been released as a final version - although they have been released as a draft for some time now. These requirements do not include ATMs - entirely different requirements will be released for these devices, but these standards have not yet been released even as a draft.
People interested in this can email me at andrew.jamieson [at] withamlabs.com (we are one of the PCI PED certified laboratories), and may be interested in the talk I am giving at the ATMIA conference in Sydney, Australia, next month.
jbhall56
03-08-2009, 01:12 PM
AndrewJ, thanks for straightening me out. I'm not sure what I was thinking when I typed up that response. I was obviously on a different path and got all bollixed up in the process. It's what happens to you when you get older.