PCI 1.3 vs. 2.0 vs. 2.1… What Does It All Mean?

By now, I’m sure you’ve all been exposed to the talk about PCI 1.3 terminals, PCI 2.0 terminals, PCI 2.1 terminals and why one is better than the other.  Since this year’s National Retail Federation show this January, the landscape has become a little bit clearer.  For those of you who want to know more about the PCI mandates and what they mean to you and your multilane customers, read on.

There are basically three PCI mandates that terminal manufacturers and merchants have had to concern themselves with.  They are PCI versions 1.0, 2.0 and 3.0.  These mandates lay out physical security requirements that terminal manufacturers have to meet (as tested by independent laboratories) in order to manufacture and sell new terminals. The basic mandates are released every few years as new technologies and methods are developed to fight against physical and communication security breaches.

In the middle of the last decade, manufacturers began producing terminals that met the first PCI standards (V1.0, with further addendums up to V1.3). After 2007, terminals that did not meet these standards could no longer be purchased or installed. The terminals that did meet the new standards will be certified for sale and installation until 2014.

Towards the end of the decade, PCI 2.0 specifications were released that included added security as well as features such as encrypted card readers. These terminals have been certified for sale and installation through the end of 2017. Certain documents in the V2.0 mandate have since been updated, and the mandate is now designated V2.1. For security purposes, however, V2.0 and V2.1 are identical. It was also announced that the PCI V3.0 mandate specifications would be released in the 2010-2011 timeframe.

So where does that leave everyone? Let me begin by saying that V1.3 devices (most of the newest PCI terminals in the field today) are safe and certainly contain far more security than terminals sold before 2008. No merchant should fear that they are somehow “stuck” with a V1.3 device that makes them vulnerable to a breach. Version 1.3 terminals, when encrypted with TDES keys, should be quite secure. Merchants should, however, be made aware that a new generation of terminals is being introduced with even newer security features, certified for sale and installation through the end of 2017. While most V1.3 terminals should be produced by manufacturers through their certification period (2014), V2.1 devices will have an additional 3 years of availability. Obviously, when V3.X terminals are introduced (2-3 years from now) they will have yet another extended certification period.

Hypercom and UIC both announced V2.X products in 2009. Hypercom announced an upgraded L4150 product that meets the new V2.X standards, and UIC introduced the PP795, which is 2.X compliant. Both had deliverable products in Q4 of 2009. In mid-January, VeriFone announced that they would be offering the MX8XX product line in 2.X certified form. ViVOtech announced two terminals (8600 and 8800) that are V2.X certified.

So now, everyone has jumped into the fray with some version of a PCI V2.X product. Some terminals are deliverable today and the rest will be available sometime later in 2010.

The rules remain the same as they have always been. The merchants and acquirers are liable for breaches if they don’t have TDES after July 1, 2010. Fines for non-compliance could be as high as $500,000 for each occurrence. Additionally, compromised terminals such as the VeriFone PP101, 201, 2000, Everest P003-3XXX, Hypercom S7S, S8, Ingenico eNCrypt 2100 and eNCrypt 2400 (also known as the C2000 Protégé) should be removed immediately from service to avoid merchant liability. Only POS PED devices that are PCI 1.3 or higher should be purchased for installation at a merchant’s location.

A higher level of security is always better. Visa Best Practices advise 2.X terminals for installations going forward.

POSDATA can help you when your customers have any questions. We have the latest information on products and the availability of 2.X devices. Call your sales representative for more information.