Following the latest events concerning the outbreak of coronavirus disease (COVID-19), the Payment Card Industry Security Standards Council (PCI SSC) is developing a series of activities internally and with its partners to prevent the spread and ensure the security of all personnel involved in the security of card payment transactions. 

In this regard, the following guidelines have been established: 

1. Extension of the expiration dates of PCI PTS devices approved under version 3: on April 30, 2020, PIN Transaction Security Point-of-Interaction (PCI PTS) v3 devices were due to be declared expired (including PEDs (PIN entry devices) and non-PEDs, EPPs (encrypting PIN pads), UPTs (unattended payment terminals), and SCRs (Secure Card Readers)). Depending on the criteria of each payment card brand, expired devices fall into a category that carries some restrictions on acquisition and deployment, as they could be affected by the most recent generations of attacks.

Due to coronavirus-related supply chain disruptions, the PCI SSC has extended the expiration date of devices certified under version 3 to April 30, 2021 (one additional year from the original date): 

[Figure: PCI PTS extension time]

However, for those regions or entities not currently affected by the outbreak, the PCI SSC recommends that the initial replacement plan towards version 4 or 5 certified devices be continued. 


2. Execution of remote formal compliance assessments: to prevent possible infections from meetings, travel, conferences and other events involving the congregation of groups of people, PCI SSC has recognized the need to prioritize the health and safety of all personnel involved in conducting formal assessments of compliance with its standards. To this end:

  • The execution of compliance validations is allowed remotely, as long as the assessor is restricted from traveling to perform the on-site evaluations. This will mean that all compliance validation tasks performed remotely will follow the same levels of security and integrity as the on-site assessments.  
  • The compliance reports should state that the validation actions were performed remotely and list the relevant actions that were considered to ensure the required safety levels.
  • Assessor companies may choose to use qualified local consultants to assist with the assessments. In this case, the performance of on-site tasks can be delegated to subcontracted assessors. 


3. Postponement of different PCI SSC events: the PCI SSC Forum in India (India Town Hall) has been canceled, while the dates for the Latin America Forum are being reviewed to ensure the safety of all attendees. For now, the training courses continue with the same dates.


The PCI SSC has published a web page that will provide updated information on actions related to coronavirus management at https://www.pcisecuritystandards.org/covid19 

At Advantio we are also aware of this exceptional situation. We will monitor it constantly and keep our clients and business partners informed, to avoid risk as much as possible and minimize its impact on daily operations.


Written by David E. Acosta

I am the Senior Security Consultant at Advantio. I have more than 15 years of experience, working both in South America and Europe. My information security background includes consultancy and audit, training, implementation of security technologies, and design and policy development, among others.

Certifications: CISSP, CISM, CISA, CRISC, CEH, CHFI, PCI QSA, QSA (P2PE), 3DS Assessor
