PCI Council Advises On Approved PTS Devices

I received this communication from the Council today.

“PCI SSC has learned that certain PTS POI devices are being sold that use the version numbers associated with the Approved Devices but materially differ from the Approved Devices (“Substitute Devices”).

To help ensure that entities deploying PTS POI devices deploy equipment that is the same as the PCI approved version, PCI SSC recommends:

  • Entities purchasing devices only purchase devices that are compliant with the requirements for labeling and displaying the hardware and firmware/application versions as stipulated above. Furthermore, the version numbers must be in accordance with the version numbers listed on the PCI SSC website for that specific device model name/number. Devices not meeting the aforementioned should not be considered the PCI approved product version.
  • Purchase orders for point-of-interaction PIN-acceptance devices should specify compliance to the applicable PCI Point of Interaction Security Requirements document. This should include specific vendor attestation as shown in the attached form that the PTS devices have been assessed and approved by PCI SSC.”

Read the bulletin for more information: PCI Security Standards Council bulletin on purchasing PCI approved devices

Sounds like a vendor or a few are making changes to their POI devices and not following the processes to document those changes with the Council.

So be careful out there about which POI devices are PCI compliant and which are not.


2 Responses to “PCI Council Advises On Approved PTS Devices”

  1. June 3, 2020 at 4:46 AM

    One of my colleagues recently signed up for iZettle using the handheld device. She doesn’t believe she needs to do any PCI SAQ herself, so I am looking into this. The company states they are PCI compliant and the device itself is PCI PTS 4.1 etc. (however, the current device is not one listed on the PCI standards site! That’s for an old version?)
    So, 2 questions:
    Is this correct? Would iZettle’s PCI compliance cover users on their own locations using the devices?
    Is the device compliant? If not, would this therefore invalidate their own PCI compliance anyway?

    • June 9, 2020 at 4:45 PM

      iZettle might be similar to Square and others who are the merchant of record, so your friend would not have to fill out an SAQ.

      I would be curious as to how you determined the point of interaction (POI) is PTS 4.1 compliant if it is not listed on the PCI SSC Web site. Regardless, the key is if the POI is encrypting the data before it hits your friend’s phone. According to the iZettle Web site the reader is encrypted, so I am assuming that keeps the CHD away from the phone.

      iZettle says they are PCI compliant, but that is for their services for processing payments in their data centers and has nothing to do with payments from their terminals. It’s silly I know, but Square says the same thing on their Web site.


November 2018