[cabfpub] SHA-1 exception request

Andrew Ayer andrew at sslmate.com
Mon Oct 10 15:35:10 UTC 2016

Questions for First Data:

> Most of these merchants simply need a software update.   If devices
> cannot be upgraded the POS vendor will need to provide a new device
> or application.

How many of the 300,000 terminals simply need a software update?
What does the merchant need to do to apply the software update?

> The POS provider is required maintain PCI compliance of their
> device.  If a known vulnerability were to be detected we would of
> course take appropriate action. 

What would that action be?

If merchants needed to apply a security update to address a
vulnerability, how would you communicate the need to update to
merchants?  How long would merchants have to update?  What would you do
if some merchants had not updated by the deadline?


More information about the Public mailing list