Early Security Standards
Prior to 2004, each credit card brand policed its own PIN Entry Device (PED) security requirements. In 2004, Visa and MasterCard collaborated to align their specifications and PCI PED was born.
Subsequently, additional card brands collaborated. The PCI SSC (Payment Card Industry Security Standards Council) was formed in 2006 with PCI-DSS (the Data Security Standard) in its scope. PCI PED was brought under the PCI SSC umbrella in September 2007.
The initial release of PCI PED, call it version 1.0, harmonised the requirements of Visa and MasterCard and provided a security baseline that the card brands felt represented a minimum level of security required in any PIN-accepting device.
As security threats have evolved, PCI PED has been enhanced to maintain a balance of compliance and expense. PCI participants have agreed that, in general, PED security will be updated at least every three years.
As these changes are made, the PCI SSC publishes the transition dates between versions. It usually publishes a date after which a product built to the previous version, as with the EFT 930 Terminal, can no longer be certified as compliant with the current version of the standard, and a second date after which that product can no longer be purchased.
PCI PED version 1.3 devices, such as the EFT 930 Terminal range, are no longer certified but can be sold until December 2014.
What this means to you, the Retailers
So why should a retailer making a product purchasing decision today care about the difference between products approved for PCI PED version 1.3 and those approved for version 2.0? The most fundamental answer is to reduce the risk of compromise and to extend the serviceable life of the product selected today.
Why is this happening?
All changes to the PCI PED standards are driven by actual product attacks detected in the field, by analysis of criminals' increasing skill and sophistication, and by the ever-decreasing cost of technology. As technology capability continues to increase and technology cost continues to decrease, the risk-reward ratio continually changes.
When you purchase a product certified to the latest version of PCI PED from PDQ Machines, you are ensuring that the device can withstand the latest generation of attacks and will remain sufficiently secure for the longest period of time. (Note: it is quite possible that an attack will be mounted that forces PCI to alter the current dates for installation and usage of a particular version of device.)
In closing, it is PDQ Machines’ strong recommendation that any retailer making a device purchase decision in 2014 seriously considers the risks associated with purchasing a non-PCI version 2.0 device, and that any organisation selling or hiring an EFT 930 Terminal product or non-PCI 2.0 device to new customers after April 30th 2014 should be reported to Visa and MasterCard.
Technically, PCI PED version 1.3 devices like the EFT 930 Terminal range can be installed during the first quarter of 2014, but it should be remembered that the initial requirements of PCI PED version 1 were written in 2004 and that the sophistication of technology and the skill of criminals have progressed significantly since then.