SSC PED Suspension: Impacts liability protection?
Posted by Ed in Analysis on Jul 13, 2010
I don’t know if you’ve been following Diana’s series of updates on this topic via Twitter or not, but as Diana mentioned in that forum, there’s been some recent activity regarding a few PED devices that have allegedly had their compliance status revoked – specifically the Ingenico i3070MP01 and the i3070EP01.
It’s all very interesting. Short story: a recent breach brought to light the fact that some PCI-approved PIN terminals were open to attack. The Standards Council, working together with Ingenico, yanked the certification status from these devices. Visa announced the problem and issued a memo outlining the issue.
It frankly surprises me that the council has chosen to take the stance that it has. In other words, the “security first” road would seem to be less appealing in the face of what will without doubt turn out to be a maelstrom of negativity. Why? Because under current rules, using a PCI-approved PED provides liability protection to members: in other words… like those bumper stickers you see about Jesus and peace: know approved devices, know liability protection; no approved devices, no liability protection.
So in the absence of any clarification to the contrary, we have to assume that anybody using these particular devices (the ones just removed from the list) went to bed the other day under the umbrella of protection from liability in the event of fraud – and woke up to not having any protection. Now, I don’t know – maybe Visa has something special worked out with folks who are using these currently, or who just recently purchased this make/model. But if so, I’m not seeing much wiggle room in the public statement:
5. How do the PED security requirements apply to the existing attended POS PEDs already installed?
To retain liability protection, Members (or their Agents) have until 1 July 2010 to ensure that all of their installed attended POS PED models have been approved by Visa. PEDs must be on the current approved list at www.pcisecuritystandards.org/pin or the expired approval list at www.visa.com/pin.
Anyway, the point being that I think it’s brave of Visa and the council to take this particular measure. It appears as if they’ve chosen security over pressure from their constituency; it makes me happy since it’s the exact opposite of what happened with WEP in prior versions of the DSS.