A Roadmap for Replacing PTS 3.0 Devices
PIN Transaction Security (PTS) devices are the devices merchants use at the point of interaction to capture payment card data and confirm receipt of transaction approval. The PCI Council, through a network of PCI Recognized Laboratories, validates PTS device compliance with the PCI PTS standard and publishes an updated list of approved devices. The PCI Council strongly recommends, but does not require, that merchants use approved PTS devices. The individual card brands, however, may require it in order to protect against fraud and ensure the secure entry and transmission of account data.
PCI PTS security requirements are based on the available technology and known vulnerabilities at the time the standards version is published. Because risks and threats are constantly changing, the PTS standards are reviewed and updated on a three-year cycle to address any new vulnerabilities or attack vectors. Every standards release improves on security, so a 4.x-compliant device has more stringent security built in than a 3.x device, and a 5.x-compliant device has to pass even more rigorous lab testing to achieve that certification. Criminals seeking points of vulnerability are more likely to attack merchants utilizing outdated hardware and software.
PTS 3.x devices were initially set to expire on April 30, 2020. With the impact of COVID-19 and the inability of many vendors to produce and update devices, this date was extended to April 30, 2021. After this new date, most manufacturers and banks have stated they are not allowed to sell terminals that were validated against PCI PTS POI v3.x.
You do not have to replace all devices before April 2021. Merchants using 3.x devices can keep using those terminals as long as the devices were purchased before the expiration date; this includes devices still in storage. Any organization purchasing 3.x devices after that date would need to discuss the liability with their acquirer. However, you most likely won’t be able to buy more, and support for those devices will eventually end. Payment terminal manufacturers and merchant services banks that sell or provide terminals have varied end dates for support of 3.x devices, so you will want to determine what those dates are for your terminals. As an example, Verifone will be discontinuing service and repair of many of its 3.x products after April 2023 (see their bulletin here). The typical pattern has been 2-3 years after the expiration date, but if a device hasn’t sold well or specific components become hard to locate, a vendor can end support sooner.
If you have implemented a validated P2PE solution, the associated PTS devices can still be used for five years following the PTS expiration date, or until they drop off the individual P2PE listing.
Have your PCI Team review your current inventory list, identify any merchant areas that have deployed or are planning to deploy PTS 3.x devices, and create a schedule or roadmap for the future replacement of these devices. The expiry date of your devices can be included in your annual PCI risk assessment for easier tracking. Look ahead and budget for PTS devices with the highest version/security available (PTS v4.x or v5.x currently, with v6.x set to release later in 2020), and plan for the removal of expired devices from production environments as soon as possible. Be sure to identify whether replacement devices will operate any differently (e.g., requirements to connect via IP versus analog) and determine any impact this may have on your current PCI environment and SAQ eligibility. You may also want to consider deploying PCI-listed Point-to-Point Encryption (P2PE) devices as part of this analysis to help further reduce your PCI scope and increase the security of your transactions.
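The inventory review and replacement roadmap described above can be turned into a repeatable check rather than a one-off spreadsheet pass. The script below is an added example, not code from the article or from CampusGuard; it encodes only the rules the article states (3.x approvals expired April 30, 2021; devices bought before that date remain usable; purchases after it need an acquirer liability discussion; vendor support ends on vendor-specific dates; P2PE-listed devices get five years past the PTS expiry while they stay on the P2PE listing). The device records, the vendor support-end dates and the `REFERENCE_DATE` used as "today" are all constructed sample values, not real terminals or real vendor dates.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Dates and rules as stated in the article.
PTS_3X_EXPIRY = date(2021, 4, 30)   # PCI PTS POI v3.x approval expiry (extended from 2020-04-30)
P2PE_GRACE_YEARS = 5                # P2PE-listed devices: usable 5 years past PTS expiry


@dataclass
class Device:
    device_id: str
    model: str                          # constructed sample model names below
    pts_version: str                    # e.g. "3.x", "4.x", "5.x"
    purchase_date: date
    vendor_support_end: Optional[date]  # None if the vendor has not announced one
    p2pe_listed: bool = False           # True only while still on the P2PE listing
    firmware: str = ""                  # firmware can map to a different PTS approval


def pts_major(version: str) -> int:
    """Extract the major PTS version number from a string such as '3.x'."""
    return int(version.split(".")[0])


def classify(dev: Device, today: date) -> str:
    """Return a status for one device according to the article's rules."""
    major = pts_major(dev.pts_version)
    if major >= 4:
        return "current"
    if major != 3:
        # Older than 3.x is outside what the article covers; flag for manual review.
        return "legacy-review"
    if dev.vendor_support_end is not None and today > dev.vendor_support_end:
        # No service or repair available: replace first regardless of other rules.
        return "support-ended"
    if dev.p2pe_listed:
        grace_end = PTS_3X_EXPIRY.replace(year=PTS_3X_EXPIRY.year + P2PE_GRACE_YEARS)
        return "p2pe-extended" if today <= grace_end else "p2pe-grace-over"
    if dev.purchase_date > PTS_3X_EXPIRY:
        # Bought after approval expiry: liability must be discussed with the acquirer.
        return "purchased-after-expiry"
    return "expired-usable"   # bought before expiry; usable until vendor support ends


# Lower number = replace sooner.
PRIORITY = {
    "support-ended": 0,
    "purchased-after-expiry": 1,
    "p2pe-grace-over": 1,
    "legacy-review": 1,
    "expired-usable": 2,
    "p2pe-extended": 3,
    "current": 4,
}


def build_roadmap(devices: List[Device], today: date) -> List[Tuple[str, str]]:
    """Order devices for replacement: by priority, then by soonest support end."""
    rows = []
    for dev in devices:
        status = classify(dev, today)
        support_end = dev.vendor_support_end or date.max   # unknown end date sorts last
        rows.append((PRIORITY[status], support_end, dev.device_id, status))
    rows.sort()
    return [(row[2], row[3]) for row in rows]


# Constructed sample inventory (hypothetical device ids, models and vendor dates).
SAMPLE_INVENTORY = [
    Device("T-001", "ModelA", "3.x", date(2019, 3, 1), date(2023, 4, 30)),
    Device("T-002", "ModelA", "3.x", date(2020, 11, 15), date(2024, 12, 31)),
    Device("T-003", "ModelB", "3.x", date(2021, 6, 1), date(2024, 12, 31)),
    Device("T-004", "ModelC", "3.x", date(2020, 1, 10), None, p2pe_listed=True),
    Device("T-005", "ModelD", "5.x", date(2022, 9, 1), None),
]
REFERENCE_DATE = date(2023, 6, 1)   # constructed "today" for the sample run


if __name__ == "__main__":
    for device_id, status in build_roadmap(SAMPLE_INVENTORY, REFERENCE_DATE):
        print(f"{device_id}: {status}")
```

Running the script lists the constructed inventory in replacement order, with the device whose vendor support has already ended first, then the one bought after the 3.x expiry, then still-usable 3.x stock, then the P2PE-listed device, and finally the current-generation terminal. Re-running it with a later `REFERENCE_DATE` shows devices moving up the list as support dates and the P2PE grace period pass, which is the tracking the article asks your PCI Team to maintain.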
Additional guidance from our Security Advisor team below:
[Campbell]: At CampusGuard we love working with our customers to find that perfect balance between security and compliance. This is a great example where we’re going to recommend maintaining currently-approved devices to best protect your customers and your reputation, even if such updates are not always “required.” As the article mentions, having a real-world tool to facilitate tracking, and therefore upgrade planning, is important so that you can appropriately manage budgets and priorities. Besides embedding this information in the risk assessment, as the article suggests, another option might be adding columns to your device inventory spreadsheet. Consider the following columns: PTS version (e.g., 3.x or 5.x), associated PTS expiration date (just to keep it right at hand), and the firmware version, since variations here can be linked to different PTS approvals, and therefore expiration dates. Think of aging out PTS devices like you would old food at the back of the fridge. You might get away with eating it, but is it worth the risk?