Visa USA PIN security deadlines looming
March 19th, 2007 by datasecurity Posted in Card Brands, Merchant, PCI PIN
There has been some conversation about the recent upset of Hypercom by Verifone. I won’t go into details but it involves the Visa USA PIN security requirements and looming deadlines for PIN pad devices.
Remember that PCI is a standard, but each card brand enforces the standard independently.
Verifone has a PDF on PCI requirements for protecting cardholder data. It shows the dates that Visa USA has published for such PIN-base devices. Here are the published deadlines:
- Effective December 31, 2007, all VisaNet/Interlink endpoint Acquirer Working Keys (AWK) must use TDES. Merchants directly connected to VisaNet/Interlink must meet this requirement.
- Effective July 1, 2010, all transactions originating at POS PEDs must be encrypting PINs using TDES from the point of transaction to the issuer (end-to-end).
- Effective July 1, 2010, all POS PED models must be TDES capable and Visa-approved/lab-evaluated.
By 2010 “All POS PEDs must be Visa-approved/lab-evaluated and using TDES to protect cardholder PINs.”
If you purchase a device prior to one of these deadlines, I believe it can be used after the deadline, but non-compliance devices cannot be sold or purchased after the deadline.
Don’t forget about the PIN/PED security requirements. Ask your vendor if they support these new requirements and use this information in making your next POS device.
![[del.icio.us]](http://images.del.icio.us/static/img/delicious.small.gif){kind=small}
One Response to “Visa USA PIN security deadlines looming”
By Dave Faoro on Mar 22, 2007
The significance of the July 1, 2010 date for POS PED models is that any device which has not been through the Visa lab evaluation must be REMOVED from service by that date. They no longer can be used after that deadline.
The VisaPED and PCI PED approved devices do not yet have a “sunset” date.