
One single type of payment terminal (the Verifone H5000), a rather old platform, officially announced End of Life 2018 with some sort of support until 2023, brought down big parts of card payment all over Germany as one of the embedded certificates expired unnoticed on Tuesday.

Turns out this terminal is still being installed as new by many local payment service companies. It is cheap (as it is EOLed) and quite robust. But seemingly no one noticed the expiration date of a certificate that is needed to get authorisation from the German payment system for every transaction.

Seems such an update will need some kind of manual intervention (as in a service technician physically interacting with the device) so it’s quite a nightmare from a logistical perspective.

And of course the trolls and conspiracy idiots immediately claim that also ATMs stopped working and the war in Ukraine is somehow to blame. Le sigh.

Obviously, as this is a specific certificate for the German clearing/payment backend, the responsibility lies with the German company that owns the certification for this device in the German market. The manufacturer however also needs to help to get it fixed.

Sources. “the official PCI 3 expiration date is April 30, 2021 […] Products with expired PCI 3 approvals are not eligible for new sale or new deployments other than repair and replacement of like products.” verifone.com/sites/default/fil

@jwildeboer It first smells to me like a 10-year-valid VPN certificate.

@Reizzentrum Yep. Sort of. According to one of my insider contacts 11 years ;) And the final, final date to update was 2021-12-25. Christmas Day. Oops.

@jwildeboer
Does the expired PCI 3 certificate not affect the functionality of the devices?
How come this issue suddenly pops up in May 2022 while the PCI 3 certificate expired in April 2021? Shouldn't the devices just have stopped working last year?

I remember news about other cases of expired certificates where entire websites went down because the SSL certificate expired. So there was no functionality beyond this point. Is this a different case?

@Lanthanus As I’ve quoted from the announcement - they can continue to be used at existing installations, but should not be deployed at new installations.

@Lanthanus also - PCI3 is a certification of compliance. Not a certificate ;)

@jwildeboer
Thanks for the clarification! Seems that I confused these 😅

@jwildeboer this is such an operations/management fuckup that it's only the lack of broad understanding of certificates that keeps the responsible ones in their jobs.

@jwildeboer we were told our devices shall remain connected and powered to supply the update remotely but nothing happened since Tuesday....

@stefan Keep em running. An update for a platform that has lost its PCI3 certification in April 2021 needs a bit of time ;)

@jwildeboer

Doesn’t surprise me. I’m in the profession and it sometimes happens to me as well.

@mvanderheide it shouldn’t happen. This will cause a lot of court cases etc by vendors/merchants against their payment service provider who will try to get it back higher up. What a mess. I tried to document the situation to make sure people understand what really happened and that it is a rather catastrophic oopsie but not some sort of hacker attack or conspiracy.

@mvanderheide @jwildeboer sooo... I can reclaim all payments done on these devices since then?

@jwildeboer Oh, THAT is why I saw or heard about "no card payment possible" problems in multiple shops today...

@jwildeboer @loehwe This is simply ridiculous and embarrassing. Something similar happened in a company I know, which is kinda funny, but they don’t offer a service even remotely that size. But it shows that people tend to forget about things as soon as they seem to work without issues.

@schreiblehrling @jwildeboer expired certificates, always a classic ... fortunately, usually the impact is not as huge

@jwildeboer
😆😂 omg, I didn't search for the cause, and was just wondering today, why I still can't pay with card.. 😆😂🤣🤣🤣

@jwildeboer
A single payment terminal (the Verifone H5000), a rather old platform that officially announced end of life in 2018 with some kind of support until 2023, brought large parts of card payment across Germany to a standstill, as one of the embedded certificates expired unnoticed on Tuesday.

@jwildeboer I had a roomful of these and other brands at one point. They are outrageously over-priced and unreliable and their network handling is fragile on top of it!
@vfrmedia

@jwildeboer Germans simply aren't very good at this capitalism thing *shoulderliftingemoji*

@jwildeboer Considering I can only pay with card in one out of five shops and thus have to carry cash anyways, this is only a minor inconvenience.

#neuland

social.wildeboer.net

Mastodon instance for people with Wildeboer as their last name