PCI PIN Entry Devices (PED) v3.0 Security Approval Expires 30 April 2021
In March 2020, PCI published a security bulletin informing the payment community about PED v3.0 security approvals expiration date being extended for one year. Visa reminds stakeholders the revised expiration date is 30 April 2021.
Visa PIN Security Program requires industry participants to use PCI PTS devices for cardholder PIN entry*. PCI PTS devices are listed on the PCI SSC Approved PTS Device List. Each device is assigned a 10 year security approval expiration date to correspond to the published security requirements the device was evaluated against. For example, PED v3.0 devices were evaluated to security requirements that were published in 2010. The PED v3.0 security approval expiration date is 30 April 2021 (originally 30 April 2020). Note: Devices with expired security approvals are listed separately and can be accessed from the Approved Device page in the Devices with Expired Approval section.
Understanding that attack vectors and threats evolve, the security approval expiration date is an indication the device may no longer be able to withstand modern day attacks, even though the device is still functional. Visa allows continued use of PEDs with expired security approvals but recognizes the risk for compromise and data loss increases past the security approval expiration date.
Organizations that have PTS PEDs with expired a security approval should refer to the Visa PIN Security Program Guide, Appendix B-Visa PED Hardware Requirements to understand Visa’s requirements for expired devices, including purchasing, deployment, usage and sunset/replacement dates for each version.
*Approved PCI SPoC or Visa Ready solutions may be allowed for PIN entry on COTS devices. Contact your regional PIN Program Manager or Visa Ready team for additional information.