May 19, 2005

Visa and PIN Entry Devices Update for ATM and Kiosks

Visa PED update, May 17: Visa announced the compliance date for newly deployed encrypting PIN pads (EPPs). Effective 01 October 2005, all newly deployed EPPs, including replacements or those in newly deployed ATMs, must have passed testing by a PCI-recognized laboratory and have been approved by Visa. The Approval Class has been replaced with Device Type.

Visa PIN Entry Device Approval List

Approved PIN Entry Devices Notes:

1 The PIN Entry Device (PED) Identifier is used by Visa to denote all relevant information which is representative of a Visa Approved PIN Entry Device, consisting of the: Model Name, Hardware #, Firmware #, and, if applicable, Application #. In order to ensure that the PED has received Visa's approval, Visa Acquiring Members or their designated agents are strongly advised to purchase and deploy only those PED models with the information that matches exactly the designations given in the components of the PIN Entry Device Identifier.

Example of a PIN Entry Device (PED) Identifier (four components):

PED Model Name/Number:     Acme PIN Pad 600
Hardware #:     NN-421-000-AB
Firmware #:     ver. 1.01
Applic. #:     Visa 4.5.3

2 Hardware # represents the specific Hardware component set used in the PED approved by Visa. The fields that make up the Hardware # may consist of a combination of fixed and variable alphanumeric characters. A lower case "x" is used by Visa to designate all variable fields. The "x" represents fields in the Hardware # that the manufacturer can change at any time to denote a different PED configuration; examples include country usage code, customer code, language, device color, etc. The "x" field(s) have been assessed by the laboratory and Visa as not impacting Visa's PED security requirements or the manufacturer's approval with Visa. In order to ensure that the PED has received Visa's approval, Acquiring Members or their designated agents are strongly advised to purchase and deploy only those PEDs with the Hardware # whose fixed alphanumeric characters match exactly the Hardware # depicted on the Visa Approval List or the manufacturer's approval letter from Visa. (PED manufacturers may have produced PEDs with the same Model Name/Number prior to validation of compliance by the laboratory that do not meet Visa's PED security requirements.)

Examples on the use of Hardware #'s

Hardware # of PED listed on the Visa PIN website, with comments:

NN-421-000-AB:     Hardware # NN-421-000-AB of the PED Identifier does not employ the use of the variable "x." Hence, the PED being deployed must match the Hardware # exactly in order for the PED to be considered a Visa approved PED (Hardware component).

NN-4x1-0x0-Ax:     Hardware # NN-4x1-0x0-Ax of the PED Identifier does employ the use of the variable "x." Hence, the PED being deployed must match the Hardware # exactly in only those position(s) where there is no "x."

Actual Hardware #'s of PED supplied by manufacturer, with comments:

NN-421-090-AC:     If the Visa PIN website lists NN-421-000-AB as the Hardware # in the PED Identifier, then the PED with the Hardware # NN-421-090-AC cannot be considered a Visa approved PED (Hardware component). However, if the Visa PIN website lists NN-4x1-0x0-Ax as the Hardware # in the PED Identifier, then the PED with Hardware # NN-421-090-AC can be considered a Visa approved PED (Hardware component).

NN-421-090-YC:     If the Visa PIN website lists NN-4x1-0x0-Ax as the Hardware # in the PED Identifier, then the PED with the Hardware # NN-421-090-YC cannot be considered a Visa approved PED (Hardware component).
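The matching rule from notes 1 and 2, written as an inventory check. This is an added example, not Visa's code and not part of the original post; the asset tags and the third inventory record are constructed, and it assumes that each "x" stands for exactly one alphanumeric character and that an empty string means no Application # applies.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PedIdentifier:
    model: str
    hardware: str
    firmware: str
    application: str = ""  # assumption: empty when no Application # applies

def hardware_matches(listed: str, actual: str) -> bool:
    """Lowercase 'x' in the listed Hardware # is variable; all other characters are fixed."""
    if len(listed) != len(actual):
        return False
    for want, got in zip(listed, actual):
        if want == "x":
            # Assumption: one "x" stands for exactly one alphanumeric character.
            if not got.isalnum():
                return False
        elif want != got:
            return False
    return True

def mismatches(listed: PedIdentifier, device: PedIdentifier) -> list:
    """Return the identifier components on which the device differs from the listing."""
    bad = []
    if listed.model != device.model:
        bad.append("model")
    if not hardware_matches(listed.hardware, device.hardware):
        bad.append("hardware")
    if listed.firmware != device.firmware:
        bad.append("firmware")
    if listed.application != device.application:
        bad.append("application")
    return bad

# Listing built from the page's example identifier and its wildcard Hardware #.
LISTED = PedIdentifier("Acme PIN Pad 600", "NN-4x1-0x0-Ax", "ver. 1.01", "Visa 4.5.3")

# Constructed inventory records (asset tags are made up for the example).
INVENTORY = {
    "atm-0001": PedIdentifier("Acme PIN Pad 600", "NN-421-090-AC", "ver. 1.01", "Visa 4.5.3"),
    "atm-0002": PedIdentifier("Acme PIN Pad 600", "NN-421-090-YC", "ver. 1.01", "Visa 4.5.3"),
    "atm-0003": PedIdentifier("Acme PIN Pad 600", "NN-421-090-AC", "ver. 1.02", "Visa 4.5.3"),
}

def audit(inventory: dict, listed: PedIdentifier) -> dict:
    """Map each asset tag to its mismatched components (empty list = matches the listing)."""
    return {tag: mismatches(listed, dev) for tag, dev in inventory.items()}
```

An empty list from audit() means every component of the device's identifier matches the listing; any named component is a reason to treat the unit as not covered by that approval entry.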

3 Device Type is used by Visa to ensure that Visa's PED approvals accurately describe today's ever-evolving PED designs and implementations. All PEDs approved by Visa, regardless of the designated Device Type, carry Visa's full approval status. Acquiring Members or their designated agents should make sure that they understand the Device Type description, as it represents how the PED has met the PED security requirements. The Device Type categories are:

POS-A: The PED has met all of the applicable POS PED security requirements, either the Visa or PCI version, but the end-user, acquirer or reseller cannot modify the PED's firmware or PED's payment application to make changes to the device's prompts or PIN entry controls. Only the PED's original equipment manufacturer has the capability to modify the prompts and controls for PIN entry. POS-A represents all of the PEDs that were formerly designated as Class A.

POS-B: The PED has met all of the applicable POS PED security requirements, either the Visa or PCI version; and, the original equipment manufacturer has shipped the PED with mechanisms for controlling the PED display and its use in place. These mechanisms can be employed to unlock the PED for updates of the prompts by the acquirer, using proper cryptographically controlled processes as defined in the applicable PED security requirement. The reseller or end-user, if authorized by the acquirer, can also make updates, using proper cryptographically controlled processes. Devices must be deployed locked. In any case, the Acquiring Member is always responsible to ensure that appropriate processes and documented procedures are in place to control the PED display and usage. POS-B represents the majority of POS PEDs that were formerly designated as Class B.

EPP: A device for secure PIN entry and encryption, but without a display and card reader, that has met the applicable Visa PED security requirements for Online PIN entry for the device's functionality, or has met all of the applicable PCI EPP requirements. An EPP is typically used in an ATM for PIN entry and is controlled by an ATM device controller. An EPP has a clearly defined physical and logical boundary, and a tamper-evident or tamper-resistant/responsive shell encasing. At a minimum, a device submitted for EPP approval consideration must contain a PIN entry keypad along with its built-in secure cryptographic module. Original equipment manufacturers (OEMs) or providers of encrypting PIN pads (EPPs) to ATM manufacturers and cash dispensers can submit just an EPP for laboratory testing and approval consideration by Visa. As an integral component of a complete and fully functional PED, an approved OEM EPP can be used in another payment device such as an ATM, to minimize testing redundancy. ATMs using an approved EPP are still required to go through a laboratory evaluation in order to obtain Visa's approval of the ATM. EPP represents the majority of devices that were formerly designated as Class C.

ATM: The ATM has met all of the applicable Visa PED security requirements for Online PIN entry. An ATM approved by Visa will always contain a PIN entry device which has been validated against the applicable security requirements. ATM device type represents ATM devices that were formerly designated as Class B.

AFD: AFD represents all PIN entry devices that have been validated against the applicable security requirements, and have been designed and marketed to be used at automated fuel dispensers (AFDs). These devices were formerly designated as either Class A or B.

4 TDES Capable denotes whether the laboratory has successfully evaluated the PED to support the use of Triple DES (TDES) for PIN encryption for either online PIN or transport of the PIN between secure components for offline PIN support. A MK/SK, DUKPT, and/or Fixed designation denotes that the device has been evaluated successfully to support the implementation of TDES for that particular key management scheme(s). If no designation has been made (e.g., a blank space), then the device does not support the use of TDES. Note: DUKPT is the only "unique key per transaction (UKPT)" algorithm (ANSI X9.24 - 2002) that Visa recognizes and approves; all other forms of UKPT tested by the laboratory will not be depicted in the Visa approval letter or on this website.

5 EMV Level 1 denotes whether the laboratory has successfully reviewed the manufacturer's claim that the PED has received EMVCo Terminal Type Approval Level 1, by inspecting the manufacturer's EMVCo Level 1 approval letter and/or reviewing the information on the EMVCo website. A check mark denotes that the laboratory has successfully inspected the manufacturer's claim that the device has received EMVCo Terminal Type Approval Level 1.

PIN Entry Evaluated denotes the type of PIN entry verification that can be supported by the PED. Online represents that the PED has the capability to support Online PIN verification by the payment card's issuer or its designated processor. (Note: Visa requires that the PED has the capability of using TDES to protect the PIN, if the PED supports Online PIN entry, or if the PIN needs to be protected during transport in nonintegrated Offline PEDs.) Offline represents that the PED has the capability to support Offline PIN verification by the payment card's integrated chip. Unless otherwise noted, the Offline designation, without any suffix, in the Visa PED Approval List represents that the PED has the capability to support both plaintext and enciphered Offline PIN verification. The Offline(p) designation with the (p) as a suffix represents that the Offline PED has the capability of performing only plaintext Offline PIN verification. (Note: Visa will not approve any Offline PEDs that can only support enciphered Offline PIN verification because Visa requires that if the PED supports enciphered Offline PIN verification, then the PED must also support plaintext Offline PIN.)

Posted by keefner at May 19, 2005 02:03 PM