淘汰有人管理的Pre-PCI POS PIN输入设备.pdf

Visa Bulletin 5 May 2010 Retirement of Pre-PCI Attended POS PIN Entry Devices Effective 31 December 2014, all pre-Payment Card Industry Point of Sale (PCI POS) PIN acceptance devices (devices designed and tested earlier than PCI POS PIN Entry Device (PED) Version 1.x specifications) used in an attended environment are to be replaced by devices that are PCI-approved for deployment at the time of deployment. In 2002, Visa announced enhancements to the PIN management requirements for POS PEDs and established associated mandates for the use and retirement of PEDs. One enhancement, which went into effect on 1 January 2004, required that all newly deployed attended (face-to-face) POS PEDs be independently validated and approved by Visa as compliant with the PED security requirements. Additionally, Visa required that all deployed attended POS PEDs be validated by the PCI as compliant with the PED security requirements effective 1 July 2010. (Initially, these devices were approved only by Visa.) In 2004, PCI PED Version 1.0 was launched (and later updated to Version 1.3, collectively known as Version 1.x). Devices approved under this PCI program were added to the list of PCI-approved devices, as were other devices evaluated under subsequent versions of the same security requirements. These requirements are regularly enhanced on a three-year cycle, based upon analyses of changes in the threat environment. Note: Devices approved by Visa prior to the PCI PED coming into effect in 2004 are termed “pre-PCI devices”; in particular, PEDs are known as pre-PCI PEDs. For testing and approval purposes, there are three categories of PIN acceptance devices. The following table lists the three device categories and their associated sunset dates: Category Description Sunset Date Untested and Unapproved PED PEDs that have never been independently evaluated and approved by Visa or by the PCI as part of a defined testing program. Note: Visa previously issued a mandate effective 1 July 2010 requiring the sunset of all untested attended POS PIN acceptance devices that have not been either pre-PCI or PCI approved. 1 July 2010 Pre-PCI (Visa Only Program) PEDs that have been validated as compliant via lab testing and approved by Visa under prePCI requirements (listed at www.visa.com/pin). This mandate established a “sunset from deployment” date of 31 December 2014. 31 December 2014 PCI-approved PEDs that have been validated as compliant via lab testing, according to PCI requirements (Version 1.x or higher) and approved by the PCI (listed on the PCI Security Standards Council website at www.pcisecuritystandards.org/pin). These devices do not currently have a “sunset from deployment” date. N/A Note: Visa will eventually set sunset dates for Encrypting PIN Pads used in ATMs and unattended POS PIN acceptance devices. Member Impact Effective 31 December 2014, all pre-PCI POS PIN acceptance devices used in an attended environment are to be replaced by devices that are PCI-approved for deployment at the time of deployment. Note: PCI PED Version 1.x devices that were tested and approved through the end of April 2008 will have their approvals for new deployments expire at the end of April 2014. Currently, Visa does not have mandatory retirement dates for these devices; however, by 2014, these devices will have been approved against ten-year old requirements, and it is possible that dates to replace these devices will have been introduced by Visa. Members are advised to bear this in mind when selecting replacements to gain maximum return on investment and enhanced PED security. Strong consideration should be given to replacing any pre-PCI devices with the most recently approved devices available, including using PCI PED Version 2.0 devices (or later), which will be available in the future (possibly when the older devices are being replaced). Acquirers that do not meet these requirements by the aforementioned date will continue to accept liability for PIN compromises attributable to the use of these devices. Such acquirers may also be liable for penalties in 1 accordance with the Visa International Operating Regulations, for violation of the PIN management requirements. PED Retirement Planning Members must implement the use of PCI-approved PEDs as quickly as possible to provide the highest level of protection for cardholder PINs. To migrate to PCI-approved PEDs securely, Visa recommends the following best practices: • Complete retirement of all attended POS PIN acceptance devices that have not been either pre-PCI or PCI approved by 1 July 2010. • Develop detailed plans to migrate to PCI-approved, attended POS PEDs and meet the 31 December 2014 sunset date. • Contact POS PED vendors, resellers, processors and Encryption Support Organizations (ESOs) to establish achievable conversion plan milestones for all organizations. • Catalog and inspect PED equipment inventories to determine which devices are PCI-approved and which need to be upgraded or replaced. • Ensure that POS PED inventories and new equipment purchases are in compliance with PCI PED testing requirements. (More information on PCI-approved PEDs can be found at the PCI Security Standards web page.) • Replace POS PEDs known to be compromised first. A list of known compromised POS PEDs can be found at www.visa.com/cisp under "Security Alert." • Ensure full compliance with the PCI PIN Security Requirements. Visa is aware that some expired POS PEDs are still used for credit only card acceptance. Entities may continue to use these devices for credit only card acceptance only if: 1 • The POS PED is fully disabled for PIN acceptance and PIN encipherment key loading, or • Other appropriate controls have been implemented to prevent the reintroduction of such devices into the payment system for debit transaction processing In the U.S. region, acquirers may also be liable under the U.S. Regional Operating Regulations and the Interlink Network, Inc. Bylaws and Operating Regulations. In the U.S. Region: The following articles can be accessed via www.visa.com/cisp. • “POS PIN Entry Device Vulnerabilities,” Visa Business News, 23 September 2009 • “Update on Visa’s Compliance Policy to Facilitate Triple Data Encryption Standard Usage,” Visa Business News, 22 April 2009 • Visa PIN Entry Device Frequently Asked Questions • “Reminder: Registration and Compliance Requirements for Encryption Support Organizations,” Visa Bulletin (article located under "PIN Security" section) • General Frequently Asked Questions • “Visa PIN Security Tools and Best Practices for Merchants” brochure (also available via the Visa Fulfillment Center at (800) 235-3580; reference document number VRM 04.12.06) • Payment Card Industry PIN Security Requirements • Payment Card Industry PIN-Entry Device Approval List Contact your Visa Account Executive or e-mail pinusa@visa.com. © 2010 Visa Inc., all rights reserved.