I'm trying to get my mind around the 3TDES mandates, PCI DSS 1.2, and the segregation of dusties between the PCI SSC and the brands. I'm going to make a few statements articulating what I THINK is accurate. If I am wrong on an issue, would someone please step in and correct me?

This is based on cross-reference of information available at the PCI SSC and Visa websites:

The PCI SSC now owns the PED standards, which are the technicals of what a PIN Entry Device must adhere to.

Visa (and other brands) retain ownership of the PIN, and they must approve the labs, which in turn use the PED standards to approve PED's submitted by the manufacturers.

From a merchant's perspective, the following dates are at play:

1-1-03 All newly deployed ATMs or cash-dispensing POS systems must be 3TDES capable.
1-1-04 All newly deployed POS PED's must support 3TDES.
1-1-10 All installed attended POS PEDs at Visa members or their agents must be approved by Visa. No requirement exists to replace ATM or unattended PIN acceptance devices.
7-1-10 All POS PED must be approved by a Visa approved lab. (By default this will push 3TDES to all PED's?)

No more pre-PCI PED's should be in use, but the new version of PCI DSS 1.2 does not use the word PED anywhere in the document. This leads me to think that one could be using expired PEDs and pass the PCI annual validation, but the PED standards will be a separate channel of compliance managed by the Acquiring Banks.

There is no date at this time mandating unattended POS devices (such as automated fuel dispensers) be converted to 3TDES, but the requirement that Visa approve PED's going in after 1-1-10 will (from a practical perspective) begin a process of attrition that causes all new installations to be a 3TDES capable model.

Anything glaring in there?

You are mostly correct (sorry I have not answered before now, I missed this post). Some corrections:

PCI SSC approves the PED labs, as they do the QSAs and ASVs. PED lab contracts are with PCI SSC, not the card brands.

PCI SSC also approves PEDs, based on reports submitted by the labs. Card schemes then set mandates for when they want devices accepting their PINs must be approved by PCI.

Visa and MasterCard require that all PED device deployed from January this year must be PCI PED certified. Deployment of 'pre-PCI' (read Visa PED) certified devices is no longer acceptable, although specific card brands have specific rules around what happens if you have stock piles of non PCI PEDs awaiting deployment that you have already purchased.

Visa and MasterCard also require that next year all PEDs in the field must be either PCI PED certified, or 'pre-PCI' certified. That is, they must have been tested by a Visa approved lab. You are correct that this will ensure that all devices will be _capable_ of supporting 3DES, but it does not ensure that they are all _implementing_ 3DES.

Visa require that all devices (unattended and attended, including fuel dispensers) must be implementing 3DES as of next year. See page 17 of http://usa.visa.com/download/merchants/pin_security_and_automated_fuel_dispensers.pdf

You are correct that there is nothing in PCI DSS that talks about what type of PED you are using (although if you are not using 3DES for PIN encryption, this is a problem for PCI DSS compliance). This is covered in the PCI PIN audit that acquirers must undergo each year.

You may be interested in this presentation, which covers the standards and what they are (pitched at ATMs specifically, but most of the information is generic):

http://www.withamlabs.com/images/presentations/pci_and_atms_v1_1.pdf

Feel free to send me an email if you want any further, specific information: andrew.jamieson[at]withamlabs.com

Thanks Andrew. I do see that Visa just pushed the dates back to 2012 for unattended.

hello Adail,

how will this affect emerging economies like Nigeria, where visa is yet to get a strong foot hold?