At the end of 2014, Visa issued a security bulletin that should be on the mind of anyone who processes or accepts payment cards. It is aimed at helping organizations make sure that their Point-of-Sale (POS) PIN-entry devices (PEDs) are up to date and secure. The bulletin lays out important information about retiring, purchasing, and implementing devices, including some deadlines that are fast approaching. This information is crucial for businesses, and we want to make sure all affected organizations understand it. So let’s dive into the bulletin and identify the key points every merchant should know.
Guidelines for Purchase, Validation, and Deployment
Organizations are encouraged to purchase the most recent version of PCI-approved PEDs. At present, this is PCI PTS Version 3.x. Devices of this version will not expire until April of 2020. To ensure that a new purchase is PCI-approved, merchants should check potential purchases against the list of approved devices provided on the PCI website. Once they’ve made a purchase, merchants can then validate the device’s PCI compliance on the same website. The PCI website allows merchants to search for their particular device and make sure that essential details match, including:
- Expiration date
- Product type
- Application and PCI approval numbers
After validating that a device is in compliance, merchants should take a screenshot of the relevant information on the PCI website and store it with their device records. In addition to validation instructions, the bulletin provides some general usage guidelines for PEDs. Key recommendations include storing wireless handheld PEDs securely with strong controls on inventory and using cables or other means to secure stationary PEDs at the cash register. Furthermore, it is recommended that merchants have a detailed procedure in place for identifying and responding to incidents when devices go missing.
For organizations with dated or soon-to-be-deprecated PED systems, the time to take action is now.
LBMC Information Security reviews compliance efforts, can test to assure compliance, and can help your team develop an action plan to remediate compliance gaps. If you have questions, please contact us.