* Debit and credit PINs must be TDES-encrypted from the payment terminal.
* All PIN pads that are not Visa PED or PCI PED approved must be removed from service.
* All applications that “store, process or transmit cardholder information” must be PA-DSS compliant.
The Payment Card Industry Data Security Standard states that PIN Entry Devices (PEDs) must use the Triple Data Encryption Standard (TDES). TDES means the PIN entered by the consumer has been encrypted multiple times, making it much harder for an attacker to recover. The standard also covers the device characteristics and management: how the PIN pad is designed, produced, transported and stored.
Visa has said that it will not fine acquirers until July 1, 2012, but acquirers can fine merchants any time after July 1, 2010. A list of approved PIN pads can be found here: https://www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html.
If you don’t know whether your PIN pads meet the requirements, it is best to contact your processor to find out and, if necessary, have the PIN pads replaced.
PA-DSS
July 1 is also the Visa deadline for merchants to be using a POS system that meets the Payment Application Data Security Standard (PA-DSS). This standard was formerly called Payment Application Best Practices (PABP) and is the guideline software developers follow in order to build payment applications that are secure. Once a system is validated as PA-DSS compliant, it shows up on a list of approved applications at www.visa.com/pabp. If the POS application in use at your store is not on the list, it should be replaced or upgraded. Yes, the version matters: if your POS is at a different version than the one shown on the list, it may need to be upgraded.
Although the deadlines mentioned above are important milestones on the PCI track, PCI compliance encompasses much more. For more information about PCI and the PCI Security Standards Council, visit https://www.pcisecuritystandards.org/index.shtml.