Verifone PCI 3 Guidance and Discontinuance Notification
With just over 6 months left, operators must think about what comes next as their PCI PTS 3.0-compliant payment terminals go end of life. Verifone has been mandated by Visa that any PTS Level 3 PEDs are to be phased out and replaced by PTS Level 5 PEDs.
The time has come for that 'gulp' breakup talk, because there's some sad news: as of April 30, 2020, manufacturers are no longer permitted to sell terminals that comply with PCI PTS POI v3.X.
MCR Systems will replace the old PTS Level 3 units with new level 5 compliant units in future orders.
- VX820 will be replaced by the P400 (no receipt)
- VX820 Duet will be replaced by the V200C (receipt)
- VX680 Bluetooth will be replaced by the V240M
Verifone will not issue software updates or provide development support after April 2020, except that, until April 2023:
- They will continue to provide error corrections for Severity 1 (Critical) software errors, including security vulnerabilities.
- In the event of a compliance mandate issued by PCI / payment card brands, they will work with operators in good faith to agree on development support to address the compliance mandate, subject to appropriate compensation and as documented in a statement of work.
Q&A: Generic Advice
Q: Are we allowed to keep using our PCI PTS 3.0-compliant payment terminals?
A: Yes, the only change is that manufacturers can't sell them; you do not have to replace them all before April 2020. Payment terminal makers also have varied end dates for support of the devices, so the sunsetting of 3.0 does have potential implications for security and support.
Q: What about 3.0 terminals we may have in storage, can we use those?
A: Yes, as long as you purchased and took delivery of the devices before the expiration date. However, you should also check with your acquirer to see if they have any usage requirements. They may want you to start replacing 3.0 devices at some point.
Q: Does continuing to use 3.0 payment terminals mean we will have PCI compliance issues?
A: It shouldn’t, as long as you are using a device that was compliant at the time of purchase. To date, the PCI Council has not issued any sort of remove-from-service requirement for 3.0 devices.
Q: Are PCI 3.0-compliant devices secure?
A: Every PCI release improves on security, so a 4.0-compliant device has more stringent security built-in than a 3.0 device, and a 5.0-compliant device is even more secure. So someone seeking points of vulnerability in retailers’ defences may be more likely to target one with the lesser amount of protection.
Q: Can we upgrade our 3.0 devices to 4.0 or 5.0 in the field?
A: No, once a device is certified, it cannot be modified.
Q: Should we start buying 4.0- or 5.0-compliant terminals?
A: A 5.0 terminal has the latest security and will provide the longest lifespan; terminals that are 4.0-compliant are due to sunset on April 30, 2023. Operators need to make their own decisions, working with their suppliers and partners.
Q: What should we do now?
A: The immediate need is to create a roadmap. Visa recommends these steps:
- Actively plan for the replacement of devices prior to the expiration date
- Invest in PEDs with the highest version to reap the benefits from the latest security
- Do not sell expired devices to secondary markets
- Do not use expired devices for new deployments
- Remove expired devices from production environments