PCI Security Standards Council bulletin on the expiration of the approval of PCI PTS POI version 1 devices
19 March 2014
Attackers frequently try to compromise Point of Interaction (POI) devices to obtain PIN and account data processed by the
devices (before it is passed on to authorization hosts). The PCI PIN Transaction Security (PTS) POI standard enables
vendors to develop and bring to market devices that offer protection against such attacks.
The Council updates the PTS POI Standard every three years. POI device approvals expire six years after the retirement
of the security requirements against which they were validated. The version 1 requirements were retired from use for new
approvals in 2008, and consequently the Council's approval of devices under the PCI PTS POI v1 standard
expires on 30 April 2014. This expiration indicates that the devices may not be able to withstand the latest generations of attacks and
should therefore be replaced as soon as feasible. As of 30 April 2014, the affected devices will be listed separately from
other approved POI devices on the PCI website here:
https://www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php
The Council advises merchants, financial institutions, vendors and other users of PTS POI v1 devices, specifically v1
PEDs and EPPs, to contact their device vendors regarding the availability of a more recent model to replace v1 models in
use.
Users of such devices should also contact the applicable acquiring financial institution or global payment brand(s) for
specific regulatory guidance on the deployment, replacement and retirement of v1 devices after the expiration of their
approval by the Council. Payment brand contact details can be found here:
https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/How-do-I-contact-the-payment-card-brands