August 21, 2020

Hardware Spotlight

DEFINING WHAT IT MEANS WHEN WE TALK ABOUT DEVICES NEARING END-OF-LIFE—OR SUNSET—DATES

As with other consumer products, payment devices follow a natural product life cycle. PIN Entry Devices (PEDs) are primarily governed by the Payment Card Industry Security Standards Council’s (PCI SSC) regulatory compliance requirements, and their continuity are further subject to market activity and demand, evolving security standards, or innovations in technology that lead to the availability of enhanced next-generation devices.

Consequently, manufacturers for these PEDs regularly take steps to “sunset”, thereby ending product availability, and offer replacement products that have been significantly improved for performance, that cover certification requirement changes, or the latest available security standard for the product range. After the expiration date, the manufacturers are unable to sell or ship any new products to customers. However, the provider may continue to repair said products and provide software updates as required, at their discretion.

The manufacturer will initially announce the upcoming end of life timeline, allowing for merchants and partners the time needed to plan any required migration. Often, these announcements occur at least a year in advance.

Typically, “last buy order” and “last shipping” dates will also be provided. These are the dates established by the manufacturer, as the final possible dates that orders for the said device can be placed or shipped.

Finally, an “end of support” date will also be provided. This is the final date that the manufacturer will be expected to provide support. (In practical terms, this means that no replacement parts, corresponding software corrections, or feature enhancements will be available following this date. This date is also the one we would follow to officially list the item as no longer being actively supported by us.)

PCI EXPIRATIONS

At the core of cardholder PIN security is the need to ensure the device that a cardholder uses to enter their PIN is itself secure. Card brands (Visa, Mastercard, et al.) require that all PIN Entry Devices (PEDs) be evaluated and approved by the Payment Card Industry Security Standards Council (PCI SSC) and be listed on the Approved PIN Transaction Security (PTS) Devices section of the PCI SSC website.

In addition to official sunset dates when the PED PCI security approval expires, there are also requirements governing the purchasing, usage, and deployment of PEDs. PCI PTS security requirements are based on technology, environment, and vulnerabilities known at the time of publication.

With the security threat landscape continually changing, PCI security standards are regularly reviewed and are updated to address new vulnerabilities and attack paths. With each update—most often in three-year cycles—an updated version number is assigned to the testing requirements. (PCI 3, PCI 4, PCI 5)

So, the expiration date for PCI-approved devices is the date upon which the device’s PCI approval expires, rendering those device versions prohibited for new sale. Though devices already in place in the production environment may be expired, they are acceptable for continued (although limited) use. Expired PEDs are vulnerable due to static architecture and design that do not support security code or malware patch updates, to name a few. That said, we would recommend that questions on long-term viability, potential implications for security, support, or of liability be discussed with the merchant acquirer. It will be essential to confirm whether any specific remove-from-service requirements have been issued for any expired (and consequently, non-compliant) devices.

In some ways, Tender Retail is beholden to these timelines, as well. When manufacturer support ends on a particular PED, we can no longer seek any redress on any issues affecting those devices. Furthermore, we cannot initiate any new certifications to support new features or updates, nor allow any client to introduce new deployments with them. We can continue to support our clients who already have these devices out in the field during the period of retirement, can offer recommendations, and assist in any transition planning. We will also honor any extensions and exceptions provided by the PCI council, device manufacturer, or acquirer with any controlling interest in the device(s) in question.

Our best overall advice in the meantime?

  • Include devices in your roadmap to actively plan for the replacement of PEDs ahead of their expiration, if possible.
  • Stay informed on the compliance status of your equipment. Read relevant content on the PCI security site, reach out to your device provider, acquirer, or talk to us.
  • Remain flexible. In the lifetime of your PEDs, you will likely be required to update their firmware. The need for this can be due to new features, anomaly corrections, or security enhancements. Whatever the reason, it will be necessary to factor this into your testing and deployment planning so that it can be addressed as an independent update, as you may not always need a companion middleware, or POS software build to go along with it.

(Many of you have had questions on the topic of firmware updates, and we’ll try to tackle those in the next newsletter or other dispatches.)

In the end, knowledge is strategically vital in our business and no less crucial for yours. With that in mind, we’re happy to help inform your best decisions along the way. If you haven’t already, do familiarize yourself with the PCI site. And while we’re on the subject, you’ll not only find content related to your devices, but you’ll also come across compliance information for our MCM product and builds. (The references will come in handy during your audits, which will likely call for an Attestation of Compliance or AOC, to which it’s commonly referred.)

Additional Resources

PCI extension due to COVID
Back