To keep up with evolving threats, the rules of PCI compliance change frequently, especially for PIN entry devices and payment applications. This complicates compliance and makes the requirements difficult for merchants to follow.
The PCI Security Standards Council (PCI SSC) has tried to simplify matters by publishing specific timelines that state when payment terminals must be updated or replaced. But compliance is enforced by the card brands themselves, not by the PCI SSC or the PCI DSS standard.
Individual acquirers can tighten the rules if they want to ensure compliance and avoid liability for data breaches and rule violations. Because different acquirers handle PCI in different ways, it is hard for merchants, ISOs, and merchant-level salespeople to get a clear view of what is going on and what needs to be done.
For PIN-entry terminals, July 2010 and December 2014 are the important dates. Terminals manufactured before 2004 had to be swapped out by the first date. Terminals manufactured between 2004 and 2007 must be swapped out by the second date; they cannot be used after 2014, and they have not been permitted for sale since 2007.
Terminals made after 2007 support Triple DES (Triple Data Encryption Standard, TDES) PIN encryption and, under the current timelines, have no sunset date.
Some additional rules have been introduced that create further confusion. As an example, Visa required that summaries of PCI PED-compliant (PIN Entry Device) terminals and the associated POS activity be submitted by October 2009.
Many acquirers charge non-compliance fees. Acquirers are held liable by the card brands when a merchant is non-compliant, so the fees are a way of passing on the cost of a breach should one occur.
Terminals that do not have a PIN debit feature do not need to be replaced under these timelines. Still, for security purposes, running an up-to-date terminal is always a good idea.
The self-assessment questionnaire that PCI SSC sends to merchants did not ask whether PIN-entry devices were used. The questionnaire will be updated to do so.