Retailers love their PCI 3.0-compliance payment terminals. In fact, many kept the relationship going strong even as 4.0 and then 5.0 models appeared, continuing to buy 3.0 devices. But it’s time for the dreaded breakup talk, because there’s some sad news: As of April, 30, 2020, manufacturers are no longer permitted to sell terminals that comply with PCI PTS POI v3.X.
With just over a half a year left, retailers must think about what comes next. While they can keep using 3.0 terminals, soon they won’t be able to buy more, and support will eventually end. Hopefully Level 10’s handy Q&A on relationship advice will help retailers move on:
Q: Are we allowed to keep using our PCI PCT 3.0-compliant payment terminals?
A: Yes, the only change is that manufacturers can’t sell them; you do not have to replace them all before April 2020. Payment terminal makers also have varied end date for support of the devices so the sun setting of 3.0 does have potential implications for security and fleet management and support. (Contact us for official EOS documentation from the industry's major payment terminal OEMs.)
Q: What about 3.0 terminals we may have in storage, can we use those?
A: Yes, as long as you purchased and took delivery of the devices before the expiration date. However, you should also check with your acquirer to see if they have any usage requirements. They may want you to start replacing 3.0 devices at some point.
Q: Does continuing to use 3.0 payment terminals mean we will have PCI compliance issues?
A: It shouldn’t, as long as you are using a device that was compliant at the time of purchase. To date, the PCI Council has not issued any sort of remove-from-service requirement for 3.0 devices.
Q: Are PCI 3.0-compliant devices secure?
A: Every PCI release improves on security, so a 4.0-compliant device has more stringent security built in than a 3.0 device, and a 5.0-compliant device is even more secure. So someone seeking points of vulnerability in retailers’ defenses may be more likely to target one with the lesser amount of protection.
Q: Can we upgrade our 3.0 devices to 4.0 or 5.0 in the field?
A: No, once a device is certified, it cannot be modified.
Q: Should we start buying 4.0- or 5.0-compliant terminals?
A: A 5.0 terminal has the latest security and will provide the longest lifespan; terminals that are 4.0-compliant are due to sunset in April 30, 2023. But retailers need to make their own decisions, such as whether they prefer a homogenous environment, or one that mixes 4.0 and 5.0 terminals.
Q: What about support?
A: Those retailers that prefer one device across the enterprise often do so to ease service and support; it can be more difficult to support a mixed environment.
Another consideration how long the payment terminal manufacturer will continue to offer support on older models. If a device isn’t selling well, or its components become hard to locate, they may end support sooner than the typical pattern of waiting two to three years past the sunset date.
Q: What should we do now?
A: The immediate need to is create a roadmap. Visa recommends these steps:
- Actively plan for the replacement of devices prior to the expiration date
- Invest in PEDs with the highest version to reap the benefits from the latest security
- Do not sell expired devices to secondary markets
- Do not use expired devices for new deployments
- Remove expired devices from production environments
Retailers don’t have to make these decisions alone. In addition to selling payment terminals, Level 10 can provide advice as well as services to make it easy to swap out devices, such as configuration and installation. We also offer repair services and estate management to remotely support payment devices.
It’s hard to quit something that has worked well for so long. But a relationship with a payment terminal can never be long term. It’s time for retailers to get back out there and fall in love with new devices that offer the best combination of lifespan, compliance and security.