Toxic Waste: Old PIN Pads Never Die, But They <i>Really</i> Should

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

Do you accept PIN-based debit cards at your stores? Have you been accepting these PIN transactions for more than, say, six years? Lastly, are you aware that the first Visa-mandated sunset date for your old PIN Entry Devices (PEDs) is July 1, 2010? If you are like most major retailers, you will answer "yes" the first two questions, but you might answer "no" to the last question. If that is the case, you are taking on increased risk and liability from these old PIN devices.

POS equipment, including PEDs, can last a long time. Older stores or POS locations that have not been upgraded may still have equipment that increases the risk of a data compromise. Therefore, retailers with locations or equipment over eight years old should check each of their PEDs against the currently approved lists.

Identifying which PEDs to replace may not be easy. If you get the equipment from your acquirer, call them. Unfortunately, many retailers purchase POS equipment from OEMs or resellers. If this describes your situation, you will need to check with the vendor to see how it complies with this mandate.

Maintaining PCI compliance requires an ongoing commitment. If you view it as a project with a beginning and an end, you are likely to either fall out of compliance in the year between assessments or miss an important update from the PCI Council or a mandate from one of the card brands.

Visa's PED mandate is a good example of something that would be easy for a retailer to miss--in part because it is somewhat obscure, but mainly because it is complicated.

You can think of PEDs as falling into one of three groups. The first includes all PCI-approved PEDs. These PEDs have been tested according to PCI requirements and validated by an independent laboratory. You can find more information and a link to the list of these devices here. Interestingly, it doesn't matter which version of PCI PED was used in the testing. The good news is that if the device passed, you can use it. The better news is these PEDs have no current replacement (or sunset) dates.

The second group of PEDs includes those approved by Visa in the pre-PCI days, between about 2002 and 2004. During this time Visa approved a number of PEDs, which are listed on its Web site. If you have any of these PEDs in your retail stores, you have until Dec. 31, 2014, to replace them. In effect, the approval for these devices is expiring, but you have a few years to replace them. When you do replace these PEDs, make sure to get PCI-approved versions.The third group includes untested and unapproved PEDs. These devices are the oldest and the main target of Visa's mandate. Neither independently tested by a laboratory nor approved by either Visa or the PCI Council, Visa calls these "pre-PCI devices." You may simply call them obsolete. If you have any of these PEDs, the sunset date to replace them is July 1 of this year.

In short, the Visa mandate means that after July 1, all your attended POS locations accepting PIN-based debit must use approved PEDs--those either on the Council's list or at least on Visa's list. If you have a choice, always go to the Council list; it is the most current. Using devices on this list will negate having to repeat this replacement exercise in a few years.

After you have replaced outdated PEDs, you have to address the issue of what to do with your old devices. My first piece of advice is, do not sell them on eBay. Instead, have them securely destroyed or shredded by a trusted commercial service.

Visa leaves you one out, but I advise you not to take it. If you still have some of these old devices in your stores, you could continue to use the card reader and accept only credit or signature debit. If you ignore my advice and keep these obsolete devices, you must do a couple of things. First, make sure the PED is disabled so it can no longer process a PIN. Then you have to implement internal controls to make sure you can't transfer the device to another store where it will be used for PIN transactions.

I'm not a fan of this approach because it preserves these old, unsafe, noncompliant devices at your POS. Two days or two weeks or two months later, when you are not there, someone may turn the PIN functionality back on and leave your entire chain vulnerable to a breach. So, although retaining old PEDs is an option, it is not a smart one.

Strictly speaking, the Visa mandate applies to its acquirers. Failure to comply means the acquirer has increased risk and liability if there is a PIN compromise traced back to one of these obsolete PEDs. If you got your PEDs from your acquirer, don't wait for that company to call you (which hopefully it has done already). Contact your acquirer directly and find out if your equipment has to be replaced soon or in 2014. If you got your POS equipment from an OEM or other third party, you are on your own to make sure you comply with the mandate.

A lot is happening in the PCI world in 2010 that will affect retailers of all sizes, including Visa's PA-DSS mandate, the new PCI PIN Transaction Security and, of course, the revised PCI DSS itself–which will be effective in October. The PCI Council will be releasing documents over the summer.

All this reinforces the fact that PCI compliance is not a project; it is an ongoing process that merits your time and attention.

Do you still have old POS equipment? What are your plans to replace these PEDs? I'd like to hear your thoughts. Either leave a comment or E-mail me at [email protected].