I received this communication from the Council today.
“PCI SSC has learned that certain PTS POI devices are being sold that use the version numbers associated with the Approved Devices but materially differ from the Approved Devices (“Substitute Devices”).
To help ensure that entities deploying PTS POI devices deploy equipment that is the same as the PCI approved version, PCI SSC recommends:
- Entities purchasing devices only purchase devices that are compliant with the requirements for labeling and displaying the hardware and firmware/application versions as stipulated above. Furthermore, the version numbers must be in accordance with the version numbers listed on the PCI SSC website for that specific device model name/number. Devices not meeting the aforementioned should not be considered the PCI approved product version.
- Purchase orders for point-of-interaction PIN-acceptance devices should specify compliance to the applicable PCI Point of Interaction Security Requirements document. This should include specific vendor attestation as shown in the attached form that the PTS devices have been assessed and approved by PCI SSC.
Read the bulletin for more information: PCI Security Standards Council bulletin on purchasing PCI approved devices”
Sounds like a vendor or a few are making changes to their POI and not following processes to document those changes to the Council.
So be careful out there about which POI are PCI compliant and which are not.