In April 2021, all PCI PTS v3.x terminal certificate expires. What should you do in such a situation?
PCI
First, let’s see where is PCI‘s position in an EMV environment. An EMV card is equipped with a microcontroller. Such a device contains cryptographic keys and generates cryptograms to reduce the possibility of fraud. Anyhow, the cardholder’s data is transferred from the terminal to the card issuer, and sensitive information is among these cardholder data.
PCI specifies how the terminal and other parties of the transaction should handle these sensitive data. PCI PTS POI has been created to specify how the payment terminals should handle the PIN. PCI stands for Payment Card Industry; PTS stands for PIN Transaction Security; POI stands for Point Of Interaction.
So, PCI has set up several controls that ensure secure processing of the cardholder’s PIN. Version 3 of these requirements were published in 2010, and the final version, 3.1, was published in 2011.
The requirement
PCI specifications tell the vendors how they should protect the cardholder’s sensitive data. Practically, there is nothing the acquirers should know about these requirements. Terminals are evaluated according to a specific version of PCI PTS POI. On the other hand, card schemes may require their members to use a terminal certified to a particular version or higher. The acquirer should ensure that the terminals in production are compliant with those versions.
So PCI doesn’t say that you have to remove your terminals from production immediately. Terminals compliant with version 3.1 at the time of their certification are still compliant with version 3.1. What happens is only that version 3.1 is too old and should not be used anymore. Nevertheless, PCI doesn’t force the payment provider to discontinue the usage of the expired terminals. The card brands set up the requirements. You have to carefully read their mandates and procedures to see how to proceed or contact us to use our mandate observer service.
