Visa and PIN Entry Devices Update for ATM and Kiosks
Visa PED update, May 17: Visa announced the compliance date for newly deployed Encrypting PIN pads (EPP). Effective 01 October 2005, all newly deployed EPPs, including replacements or those in newly deployed ATMs, must have passed testing by a PCI-recognized laboratory and have been approved by Visa. The Approval Class has been replaced with Device Type.
Visa PIN Entry Device Approval List
Approved PIN Entry Devices Notes:
1 The PIN Entry Device (PED) Identifier is used by Visa to denote all
relevant information which is representative of a Visa Approved PIN
Entry Device, consisting of the: Model Name, Hardware #, Firmware #,
and, if applicable, Application #. In order to ensure that the PED has
received Visa's approval, Visa Acquiring Members or their designated
agents are strongly advised to purchase and deploy only those PED
models with the information that matches exactly the designations given
in the components of the PIN Entry Device Identifier.
Example of a PIN Entry Device (PED) Identifier (four components):
| PED Model Name/Number: | Acme PIN Pad 600 |
| Hardware #: | NN-421-000-AB |
| Firmware #: | ver. 1.01 |
| Applic. #: | Visa 4.5.3 |
2 Hardware # represents the specific
Hardware component set used in the PED approved by Visa. The fields
that make up the Hardware # may consist of a combination of fixed and
variable alphanumeric characters. A lower case "x" is used by Visa to
designate all variable fields. The "x" represents fields in the
Hardware # that the manufacturer can change at any time to denote a
different PED configuration; examples include country usage code,
customer code, language, device color, etc. The "x" field(s) has been
assessed by the laboratory and Visa as to not impact Visa's PED
security requirements or the manufacturer's approval with Visa. In
order to ensure that the PED has received Visa's approval, Acquiring
Members or their designated agents are strongly advised to purchase and
deploy only those PEDs with the Hardware # whose fixed alphanumeric
characters match exactly the Hardware # depicted on the Visa Approval
List or the manufacturer's approval letter from Visa. (PED
manufacturers may have produced PEDs with the same Model Name/Number
prior to validation of compliance by the laboratory that do not meet
Visa's PED security requirements.)
Examples on the use of Hardware #'s
| Hardware # of PED Listed on the Visa PIN Website | Comments |
| NN-421-000-AB | Hardware # NN-421-000-AB of the PED Identifier does not employ the use of the variable "x." Hence, the PED being deployed must match the Hardware # exactly in order for the PED to be considered a Visa approved PED (Hardware component). |
| NN-4x1-0x0-Ax | Hardware # NN-4x1-0x0-Ax of the PED Identifier does employ the use of the variable "x." Hence, the PED being deployed must match the Hardware # exactly in only those position(s) where there is no "x." |

| Actual Hardware #'s of PED Supplied by Manufacturer | |
| NN-421-090-AC | If the Visa PIN website lists NN-421-000-AB as the Hardware # in the PED Identifier, then the PED with the Hardware # NN-421-090-AC cannot be considered a Visa approved PED (Hardware component). However, if the Visa PIN website lists NN-4x1-0x0-Ax as the Hardware # in the PED Identifier, then the PED with Hardware # NN-421-090-AC can be considered a Visa approved PED (Hardware component). |
| NN-421-090-YC | If the Visa PIN website lists NN-4x1-0x0-Ax as the Hardware # in the PED Identifier, then the PED with the Hardware # NN-421-090-YC cannot be considered a Visa approved PED (Hardware component). |
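The PED Identifier and Hardware # matching rules from notes 1 and 2, written as a check that can be run over a device inventory before deployment. This is an added example, not Visa's or any manufacturer's code; it assumes each lower-case "x" covers exactly one alphanumeric character, and the asset tags and inventory layout are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PedIdentifier:
    model: str
    hardware: str
    firmware: str
    application: str = ""  # only present "if applicable"

def hardware_matches(listed: str, actual: str) -> bool:
    """Compare a device's Hardware # with the value on the approval list.

    Assumption: each lower-case "x" in the listed value is one variable
    alphanumeric position; every other character is fixed and must match
    exactly, including case (an upper-case "X" is a fixed character).
    """
    if len(listed) != len(actual):
        return False
    for want, got in zip(listed, actual):
        if want == "x":
            if not (got.isascii() and got.isalnum()):
                return False
        elif want != got:
            return False
    return True

def is_approved(listed: PedIdentifier, device: PedIdentifier) -> bool:
    """Model, firmware and application must match exactly; only the
    Hardware # may contain variable "x" fields."""
    return (listed.model == device.model
            and hardware_matches(listed.hardware, device.hardware)
            and listed.firmware == device.firmware
            and listed.application == device.application)

def audit(approval_list, inventory):
    """Map each asset tag to True if any approval-list entry covers it."""
    return {tag: any(is_approved(e, dev) for e in approval_list)
            for tag, dev in inventory.items()}

# Constructed sample data built from the example values in the notes above.
LISTED = [PedIdentifier("Acme PIN Pad 600", "NN-4x1-0x0-Ax", "ver. 1.01", "Visa 4.5.3")]
INVENTORY = {  # asset tags are hypothetical
    "lane-01": PedIdentifier("Acme PIN Pad 600", "NN-421-090-AC", "ver. 1.01", "Visa 4.5.3"),
    "lane-02": PedIdentifier("Acme PIN Pad 600", "NN-421-090-YC", "ver. 1.01", "Visa 4.5.3"),
    "lane-03": PedIdentifier("Acme PIN Pad 600", "NN-421-090-AC", "ver. 1.02", "Visa 4.5.3"),
}

if __name__ == "__main__":
    for tag, ok in audit(LISTED, INVENTORY).items():
        print(tag, "approved" if ok else "NOT on approval list")
```

The third constructed device shows why the whole identifier is compared: its Hardware # fits the listed pattern, but its firmware version is not the one listed.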
3 Device Type is used by Visa to ensure that
Visa's PED approvals accurately describe today's ever-evolving PED
designs and implementations. All PEDs approved by Visa, regardless of
the designated Device Type, carry Visa's full approval status.
Acquiring Members or their designated agents should make sure that they
understand the Device Type descriptions, as they represent how the PED
has met the PED security requirements. The Device Type categories are:
POS-A: The PED has met all of the applicable POS
PED security requirements, either the Visa or PCI version, but the
end-user, acquirer or reseller cannot modify the PED's firmware or
PED's payment application to make changes to the device's prompts or
PIN entry controls. Only the PED's original equipment manufacturer has
the capability to modify the prompts and controls for PIN entry. POS-A
represents all of the PEDs that were formerly designated as Class A.
POS-B:
The PED has met all of the applicable POS PED security requirements,
either the Visa or PCI version; and, the original equipment
manufacturer has shipped the PED with mechanisms for controlling the
PED display and its use in place. These mechanisms can be employed to
unlock the PED for updates of the prompts by the acquirer, using proper
cryptographically controlled processes as defined in the applicable PED
security requirement. The reseller or end-user, if authorized by the
acquirer, can also make updates, using proper cryptographically
controlled processes. Devices must be deployed locked. In any case, the
Acquiring Member is always responsible to ensure that appropriate
processes and documented procedures are in place to control the PED
display and usage. POS-B represents the majority of POS PEDs that were
formerly designated as Class B.
EPP: A device for
secure PIN entry and encryption, but without a display and card reader,
has met the applicable Visa PED security requirements for Online PIN
entry for the device's functionality, or has met all of the applicable
PCI EPP requirements. An EPP is typically used in an ATM for PIN entry
and is controlled by an ATM device controller. An EPP has a clearly
defined physical and logical boundary, and a tamper-evident or
tamper-resistant/responsive shell encasing. At a minimum, a device
submitted for EPP approval consideration must contain a PIN entry
keypad along with its built-in secure cryptographic module. Original
equipment manufacturers (OEMs) or providers of encrypting PIN pads
(EPPs) to ATM manufacturers and cash dispensers can submit just an EPP
for laboratory testing and approval consideration by Visa. As an
integral component of a complete and fully functional PED, an approved
OEM EPP can be used in another payment device such as an ATM, to
minimize testing redundancy. ATMs using an approved EPP are still
required to go through a laboratory evaluation in order to obtain
Visa's approval of the ATM. EPP represents the majority of devices that
were formerly designated as Class C.
ATM: The ATM
has met all of the applicable Visa PED security requirements for Online
PIN entry. An ATM approved by Visa will always contain a PIN entry
device which has been validated against the applicable security
requirements. ATM device type represents ATM devices that were formerly
designated as Class B.
AFD: AFD represents all PIN entry devices that have been
validated against the applicable security requirements, and have been
designed and marketed to be used at automated fuel dispensers (AFDs).
These devices were formerly designated as either Class A or B.
4 TDES Capable denotes whether the laboratory has successfully evaluated the PED to support the use of Triple DES (TDES)
for PIN encryption for either online PIN or transport of the PIN between secure components for offline PIN support. A MK/SK,
DUKPT, and/or Fixed designation
denotes that the device has been evaluated successfully to support the
implementation of TDES for that particular key management scheme(s). If
no designation has been made (e.g., a blank space), then the device
does not support the use of TDES. Note: DUKPT is the only "unique key
per transaction (UKPT)" algorithm (ANSI X9.24 - 2002) that Visa
recognizes and approves; all other forms of UKPT tested by the
laboratory will not be depicted in the Visa approval letter or on this
website.
5 EMV Level 1 denotes whether the
laboratory has successfully reviewed the manufacturer's claim that the
PED has received EMVCo Terminal Type Approval Level 1, by inspecting
the manufacturer's EMVCo Level 1 approval letter and/or reviewing the
information on the EMVCo website. A check mark denotes that the laboratory has successfully inspected the manufacturer's claim that the
device has received EMVCo Terminal Type Approval Level 1.
PIN Entry Evaluated denotes the type of PIN entry verification that can be supported by the PED. Online
represents that the PED has the capability to support Online PIN
verification by the payment card's issuer or its designated processor.
(Note: Visa requires that the PED has the capability of using TDES to
protect the PIN, if the PED supports Online PIN entry, or if the PIN
needs to be protected during transport in nonintegrated Offline PEDs.) Offline
represents that the PED has the capability to support Offline PIN
verification by the payment card's integrated chip. Unless otherwise
noted, the "Offline" designation, without any suffix,
in the Visa PED Approval List represents that the PED has the
capability to support both plaintext and enciphered Offline PIN
verification. The "Offline(p)" designation with the
"(p)" as a suffix represents that the Offline PED has the capability of
performing only plaintext Offline PIN verification. (Note: Visa will
not approve any Offline PEDs that can only support enciphered Offline
PIN verification because Visa requires that if the PED supports
enciphered Offline PIN verification, then the PED must also support
plaintext Offline PIN.)