I received this communication from the Council today.
“PCI SSC has learned that certain PTS POI devices are being sold that use the version numbers associated with the Approved Devices but materially differ from the Approved Devices (“Substitute Devices”).
To help ensure that entities deploying PTS POI devices deploy equipment that is the same as the PCI approved version, PCI SSC recommends:
- Entities purchasing devices only purchase devices that are compliant with the requirements for labeling and displaying the hardware and firmware/application versions as stipulated above. Furthermore, the version numbers must be in accordance with the version numbers listed on the PCI SSC website for that specific device model name/number. Devices not meeting the aforementioned should not be considered the PCI approved product version.
- Purchase orders for point-of-interaction PIN-acceptance devices should specify compliance to the applicable PCI Point of Interaction Security Requirements document. This should include specific vendor attestation as shown in the attached form that the PTS devices have been assessed and approved by PCI SSC.
Read the bulletin for more information: PCI Security Standards Council bulletin on purchasing PCI approved devices”
Sounds like one or more vendors are making changes to their POI devices without following the processes for documenting those changes with the Council.
So be careful out there about which POI devices are PCI compliant and which are not.
One of my colleagues recently signed up for iZettle using the handheld device. She doesn’t believe she needs to do any PCI SAQ herself, so I am looking into this. The company states they are PCI compliant and the device itself is PCI PTS 4.1 etc. (however, the current device is not one listed on the PCI standards site! That’s for an old version?)
So, 2 questions:
Is this correct? Would iZettle’s PCI compliance cover users at their own locations using the devices?
Is the device compliant? If not, would this therefore invalidate their own PCI compliance anyway?
iZettle might be similar to Square and others who are the merchant of record, so your friend would not have to fill out an SAQ.
I would be curious as to how you determined the point of interaction (POI) is PTS 4.1 compliant if it is not listed on the PCI SSC Web site. Regardless, the key is if the POI is encrypting the data before it hits your friend’s phone. According to the iZettle Web site the reader is encrypted, so I am assuming that keeps the CHD away from the phone.
iZettle says they are PCI compliant, but that is for their services for processing payments in their data centers and has nothing to do with payments from their terminals. It’s silly I know, but Square says the same thing on their Web site.