The bulletin was interpreted by some as a signal that as a way to do the upgrade, instead requiring merchants ship terminals to secure offsite locations for upgrades.
After initially not responding to 's requests for clarification, MasterCard today said in a statement that the bulletin was only meant to provide guidance stating the most secure option for upgrading was to have it performed at a key injection facility.
However, it said, merchants can use "Remote Key Injection services to upgrade the terminals if those services meet all aspects of the PCI [Payment Card Industry] Pin Security Requirements."
MasterCard's guidance around RKI comes at a time when merchants are under a deadline to upgrade their POS terminals to support Triple Data Encryption Algorithm (TDES) standards. Many had planned on using emerging remote key injection services to upgrade their systems over the network automatically rather than having to dismantle each device and ship them to an offsite facility for upgrade.
The wording in MasterCard's explanation today is slightly different from the original bulletin also. The bulletin had appeared to specifically prohibit non PCI-compliant PIN entry devices from RKI, said Stuart Taylor, VP of global solutions and marketing at Hypercom Corp., a vendor of electronic payments products.