Today's statement referred to the need for RKI "services" to be compliant with PCI standards, while making no mention of the need for the devices to be compliant. MasterCard did not respond to a request for further clarification.

But their message appears to be the same as the June bulletin, which is that companies cannot use remote key injection services unless their devices are PCI PED (Payment Card Industry Pin Entry Device)-compliant, Taylor said.

The PCI PED standard went into effect in mid-2007 and requires all merchants to ensure that the PIN-entry devices at the point of sale terminals meet some minimum security standards.

First products compliant with the standard became available sometime towards the end of 2007. As a result, an unknown number of installed PEDs are likely to be non-PCI compliant and therefore not permitted to use RKI, even though many of the devices are capable of securely accepting remotely injected keys, Taylor said.

MasterCard's rule leaves merchants who are using non-PCI PED compliant devices with a couple of options, Taylor said. The first: To simply have the upgrade to TDES done in the traditional manner at a secure facility at an offsite Encrypting Service Organization.