Analog Payment Card Devices: A Thing of the Past?
Along with the April 30, 2021 expiration date of PIN Transaction Security (PTS) 3.x devices (review details here), our CampusGuard teams have been hearing from more and more customers that acquiring banks are no longer offering stand-alone PTS devices that connect via analog phone lines. Even if a device does have the “option” to connect to an analog line, it may not have the ability to receive updates this way and will have to be connected to the network at some point to install necessary updates.
What does this mean for your merchant areas that are currently using analog-connected, stand-alone payment card terminals? You may need to begin reviewing your options with your acquiring bank and determining an appropriate path forward. Any merchants utilizing stand-alone, dial-out/analog terminals, with no stored card data, qualify for the Self-Assessment Questionnaire (SAQ) B. If the switch is made to connect new IP-based terminals to the network, the assigned SAQ will shift to the SAQ B-IP, which does require additional controls (i.e. network segmentation and segmentation validation, quarterly vulnerability scans, etc.). For many organizations, the decision was made to keep all payment card systems off the network, so although your acquiring bank may present these devices as a simple switch in connection-type, there are ramifications to consider when it comes to the organization’s PCI compliance and attestation requirements. You may have already run into this challenge if your organization has converted telephone lines from analog to Voice over Internet Protocol (VoIP). This transition would again cause any SAQ B merchants to shift to SAQ B-IP when the devices are connected to the network. What other options are available?
Organizations can explore the use of cellular PTS devices. With 4G and 5G technology now widely available, connectivity issues that merchants may have experienced due to slow or non-existent service, may be resolved. You can discuss with your acquiring bank the ability to “test” cellular PTS devices to verify connectivity. With a cellular device, merchants would still qualify for the SAQ B.
Organizations can also review available P2PE devices. If your merchants were currently using stand-alone analog devices, there is not a need to purchase an integrated P2PE solution, but rather look for stand-alone P2PE devices (i.e. Elavon’s Safe-T-Link, First Data’s TransArmor, Clover, Bluefin, FreedomPay, etc.). These may be available from your acquiring bank or can be purchased directly from the third-party vendor. Because of the listed/validated P2PE solution technology, these devices will cost more than the standard analog devices from the bank and may have additional per-transaction fees, but will provide you with added flexibility and security (and eliminate additional PCI requirements).
If you have questions regarding your current SAQ B merchant environments and available devices, please reach out to your dedicated Customer Advocate team to discuss in more detail. Some additional guidance from the CampusGuard Security Advisor Team: [Burt]: This can be an issue for our customers that have worked extremely hard to limit PCI scope. Scope reduction typically means not having to involve Information Technology groups, such as Networking, Information Security and Engineering (e.g. meeting requirements for network segmentation, vulnerability scanning, logging, etc.). Unfortunately, it doesn’t appear that the entities offering the replacement payment card devices have taken into consideration the PCI compliance ramifications of switching from an analog to an IP-based device. The replacement payment card devices are typically PTS approved and listed on the PCI Council’s website. However, a payment card device being PCI compliant on its own does not always translate to a customer’s “environment” being compliant when using such a device. If you have not heard from your acquiring bank about PTS 3.x devices in your current production environment, it may be a good time to reach out and see if there are any current (or near future) plans to replace any expired units. If so, ask about possible replacement models and keep your CampusGuard Security Advisor and Customer Relationship Manager in the loop. Finding out early can help make the transition much smoother.