Blog LBMC

Print Divider Print Divider Branding
 

Ensure Point-of-Sale PIN-Entry Devices are Secure

01/28/2015  |  By: Stewart Fey, Director of Technical Services

Share

Social Logo Social Logo Social Logo Social Logo

At the end of 2014, Visa issued a security bulletin that should be on the minds of anyone who processes or accepts payment cards, aimed at helping organizations make sure that their Point-of-Sale (POS) PIN-entry devices (PEDs) are up-to-date and secure. The bulletin lays out important information about retiring, purchasing, and implementing devices, including some deadlines that are fast approaching. This information is crucial for businesses, and we want to make sure all affected organizations understand it. So let’s dive into the bulletin and identify the key points every merchant should know.

Guidelines for Purchase, Validation, and Deployment

Organizations are encouraged to purchase the most recent version of PCI-approved PEDs. At present, this is PCI PTS Version 3.x. Devices of this version will not expire until April of 2020. In order to ensure that a new purchase is PCI-approved, merchants should check potential purchases against the list of approved devices provided on the PCI website. Once they’ve made a purchase, merchants can then validate the device’s PCI compliance on the same website. The PCI allows merchants to search for their particular device and make sure that essential details match, including:

  • Expiration date
  • Product type
  • Firmware
  • Application and PCI approval numbers
  • Version

After validating that a device is in compliance, merchants should take a screenshot of the relevant information on the PCI website and store it with their device records. In addition to validation instructions, the bulletin provides some general usage guidelines for PEDs. Key recommendations include storing wireless handheld PEDs securely with strong controls on inventory and using cables or other means to secure stationary PEDs at the cash register. Furthermore, it is recommended that merchants have a detailed procedure in place for identifying and responding to incidents when devices go missing. The full bulletin is available here (PDF format) and is well worth the read.

For organizations with dated or soon-to-be-deprecated PED systems, the time to take action is now.

Ready to learn more? Be sure to download the free guide, PCI Compliance Guidelines Explained. On LinkedIn or Twitter? Follow us on LinkedIn and on Twitter at @lbmcsecurity.

LBMC Information Security reviews compliance efforts, can test to assure compliance and can help your team develop an action plan to remediate compliance. If you have questions, please contact us. Learn more about our PCI Compliance services.

Get a Quote for PCI Services

Ready to move ahead with your PCI project? Answer 9 questions and get a quote for your PCI compliance needs.

Download LBMC's PCI Compliance Guide

Download our guide, PCI Compliance Guidelines Explained, for more ways to stay up to date with PCI compliance for your firm.

Download the PCI Guide