Society of Payment Security Professionals Forum  

#1 - 03-05-2010, 01:37 AM
sandonoriko (Junior Member; Join Date: Oct 2009; Posts: 29)

pre-PCI deployment

Hello,

I submitted the question below to the council and I received the answer from them. I'm not strong in English )o:, that's why I'd like to ask you for more clarification of the answer. Does this mean that a POS terminal which has PCI PED certification, e.g. 1.0, could not be put into the production environment if this terminal is connected with a PIN pad which is pre-PCI? Or if the PIN pad is PCI PED certified but the POS terminal itself is pre-PCI?

Thank you very much.
Laura

MY QUESTION:
Concerning the PCI PED certification, is it necessary that the hardware terminal and also the PIN pad must be certified under the same version of PCI PED? Let's imagine the situation where there is a future requirement to replace PCI PED 1.x devices with PCI PTS 2.x or higher devices. Would it also meet and cover this hypothetical requirement if the hardware terminal is PCI PED 1.x certified and the PIN pad has PCI PTS v2.0 certification?

PCISSC ANSWER:
For devices that embed other PCI-approved devices, and are therefore basing their security on these sub-components (even partially), the renewal/expiration date shall be the earliest to expire date among all evaluations, including the embedded device itself.
#2 - 03-05-2010, 03:44 AM
jbhall56 (Senior Member; Join Date: Feb 2007; Location: Minneapolis, MN; Posts: 1,282)

Your example is not the best. You are now required to use PCI certified devices, so doing anything else is not allowed.

What they are telling you is that, of all of the PCI certified devices you might have used to create your POS environment, the earliest expiration date among those devices is the date that you must use for how long it can be used.

For example, if you have a POS terminal with a certification expiration date of 11/2014 and a PIN pad with a certification expiration date of 09/2012, the expiration date for the combined device is 09/2012 because that is the earliest of all of the devices involved.
__________________
Jeff Hall, Director, Risk Advisory Services
RSM McGladrey Inc
801 Nicollet Mall, 11th Floor, West Tower
Minneapolis, MN 55402-2526
612 376 9280 - office
612 395 7280 - facsimile
www.mcgladrey.com

The views presented are those of the writer and are not necessarily those of RSM McGladrey Inc
#3 - 03-05-2010, 04:49 AM
sandonoriko (Junior Member; Join Date: Oct 2009; Posts: 29)

Dear Jeff,

Thank you. Regarding the combination of PCI PED certified devices, I fully understand. But look at this example: some delivery services use the portable Enterprise Digital Assistant (EDA) from Motorola:

http://www.motorola.com/business/US-...008406b00aRCRD.

In this state, this could not be considered a payment terminal.

Now, the manufacturer comes with a clip-on, which consists of a magstripe reader and an EMV chip reader.

http://www.motorola.com/Business/US-...t_Mobile_US-EN

This clip-on is PCI PED 2.0 certified and makes the EDA an EMV and magstripe payment terminal when you connect it.

Now, the question is: could the EDA, which is not PCI PED certified (it could not be, because it's not a POS without the clip-on), be put into the production environment as a POS with the mentioned clip-on certified by PCI PED? Does the clip-on play the main role in this case? UFF, thank you very much.

Laura
#4 - 03-06-2010, 12:52 PM
lyalc (Senior Member; Join Date: Mar 2007; Posts: 580)

Having read the materials on the clip-on device, it suggests that the certification and payment functionality are limited to that device, not the combined unit.

However, I suggest there are really only 3 options:
  1. Contact the manufacturer and confirm what the PED certification covers (clip-on; PDA + clip-on; or PDA + clip-on + integrated POS software on the PDA terminal, etc.).
  2. Contact the SSC and ask the same question.
  3. Assume that the certification applies to the clip-on and possibly the software on the PDA terminal.
The payment related software on the PDA terminal may need to be PA-DSS compliant depending on the internal data flows, what fields are encrypted by which component, and how those keys are managed.

Again, the vendor is the best place to start looking into this.

lyalc
#5 - 03-06-2010, 11:09 PM
andrewj (Senior Member; Join Date: Mar 2007; Posts: 172)

For your specific question: the add-on device has PCI PTS approval, and this is the part which is directly affected by any brand mandates regarding PED approvals and deployment. The application on the PDA certainly may fall in scope of brand mandates for PA-DSS, but not for PED (for this device).
Copyright (c) The Aegenis Group, Inc.