Waiting Until a Compliance Deadline is Looming is Expensive, Disruptive and Unfair for the Merchants Caught in the Vortex
By: Biff Matthews, President, Cardware International
This morning, I ordered a “count-down clock” for our home page. It will tick away
the days and hours remaining until July 1, 2010 – the deadline for compliance with
the PCI PED pin pad security mandate.
I do not think this action is premature, or melodramatic (both have been alleged).
What I do think is that we will all suffer if we do not act on this soon. It won’t be
Y2K, but there will be similarities to the chaos, confusion and dollars wasted in the
name of that event. The difference is, this time, it’s totally avoidable. Getting in
compliance sooner rather than later is not difficult, or costly. But neither of those
will be true for long.
The primary PCI DSS mandate requires that all PCI PED pin pads be compliant
with new security standards by July 1, 2010. This will necessitate a lot of equipment
being moved around, and the decommissioning of non-compliant devices.
There are three parts to the puzzle. Noncompliant units have not been manufactured
for several years, but there are many still in use and they must be replaced. So much
for the easy part.
A second caveat regards VISA PED devices, and there is continuing debate on how
long these can remain in service. Some sources close to the issue say late 2010 and
others say units can be used “indefinitely” as long as they continue to function.
Remanufacturing of these is not viable and is cost-prohibitive.
The third piece of the puzzle is PCI PEDs. These are units manufactured with the
highest security provisions. As of January 2008, only PCI PED units were
authorized for deployment. Unless, of course, you “had inventory.” Then, the
“race period” became a grace period. For a while.
The current priority is to get a determination from the PCI Security Standards
Council on whether those VISA PED devices must be replaced or can be used indefinitely,
and/or whether a VISA PED device with an internal pin pad can be converted to terminal-only
operation, with encryption removed and an external PCI PED pin pad attached to it.
That popular “middle ground” of VISA PED is where the unanswered questions reside.
But regardless, three things are certain: there will be deadlines, there are requirements,
and the reality of a massive crunch will intensify as the date draws closer. The reasons
for this inevitable pin pad doomsday are:
1. Time. Substantial man-hours are required to encrypt and deploy a
PCI PED device and to retrieve non-compliant units from service.
2. Supply. As the compliance deadline approaches, it is unclear whether
and how manufacturers will satisfy the demand for new units.
The expectation of the card associations and the PCI DSS Council is that between
now and 2010, those VISA PED devices will fail as a matter of course, and will be
replaced with PCI PED devices. However, a pin pad doesn’t experience wear like a
terminal or printer, and its incidence of failure is lower, and less predictable.
To expect all VISA PED devices slated for replacement by 2010 to malfunction
before then is unrealistic.
I believe it’s incumbent on all of us to help bring merchants into compliance
with the new standards quickly. Procrastination will cause a collision of logistics,
people and product that will benefit no one. In addition, will merchants be eager
to pay the inevitable premium for rush service – and, to boot, immediately prior
to the Christmas selling season? Mandates aside, there are a few laws that everyone
understands, and one is supply and demand. We can all be proactive and avoid
premium expense and uncertain supply. Or not.
Particularly in these uncertain economic times, no manufacturer can afford to
produce products in advance of an unknown, uncertain future demand. There is
no way to determine how many of the non-secure devices remain in use, and how
many VISA PED devices have been retired. If I made 12 million, are there 8 million
in existence now? 7? 10? I made and sold 12 million; that’s all I know.
And no one today manufactures in anticipation of demand.
From a sales standpoint, you want your merchants to benefit from best-available
processing security. This necessary upgrade to secure these devices is
analogous to the move to HDTV. The ruling body (in this case, the US government)
mandated HD transmission by a date certain, and for the consumer, the choices
are to buy a converter box, or a digital-enabled TV. PED regulations are the
merchant equivalent.
Units with an internal pin pad may get a second life with the addition of an external
pin pad. (This, assuming that those handling the transition know that when you
plug an external device into the terminal, you have to make sure it does not have
power, or it blows the encryption.) The wholesale cost for this is $45-$75 per unit,
depending on quantity ordered by the end user. Retail, it’s $75-$125 per unit,
plus shipping, encryption of the pin pad and destruction of the non-compliant device.
In the requirement for “destruction,” of course, many envision “China” and the
black market opportunities of spiriting outdated units across the Pacific. Thus,
it is wise to not only remove these devices from service, but to document their
destruction by serial numbers.
With a little planning, the 2010 requirements can be met, simultaneously with
the Discover unified statements opt-in/opt-out requirement (deadline: this
December) and the American Express reprogramming requirement due to the
elimination of split dial (deadline: June 2008). That is the smartest, lowest-cost
strategy. It will also shield your merchants from equipment supply issues,
unnecessary distractions during seasonal selling peaks, and the headaches
brought on when the “grace period” truly does turn into a “race period” –
and there is no turning back.
Biff Matthews is President of Thirteen Inc, the parent company of
CardWare International. He is one of 12 founding members of the ETA,
serving on its board, advisory board and committees. (740) 522-2150