TA Triumph-Adler UK > Home > product-security
Home | product-security

PRODUCT SECURITY AND PSTI COMPLIANCE


The catalyst for trust in product security.

New UK legislation comes into force on 29th of April 2024. The Product Security and Telecommunications Infrastructure (PSTI) regulations are long overdue and will enable buyers to make informed choices.

The aim is to protect UK businesses and citizens from cyber threats posed by poorly secured consumer IoT connectable products used in homes and the workplace, this includes TA Triumph-Adler’s A4 printers and MFPs.

PSTI covers consumer connectable products such as IoT or smart devices in the UK.  

  • Manufacturers will have to comply with PSTI’s security standards to ensure that the internet or network connectable products they supply are secure by design and build.
  • All businesses involved in the supply chain of these devices will need to comply with the PSTI regulations to ensure only compliant products are released to market.
  • This includes products that are sold or made available in the market as part of a solution or service, such as a Managed Print Service contract.

What are the PSTI requirements?

The new regulations provide a set of security measures to ensure consumer connectable devices are more secure to help tackle the ongoing threats of cybercrime:

 

Weak passwords like ‘Admin 123’ that can be guessed or easily compromised are banned. Compliant products must have a unique password to be legally sold or made available as part of a service in the UK. This applies to both new and refurbished products placed on the market and devices made available as part of a solution or service, such as a Managed Print Service.

The regulations force manufacturers to take responsibility to maintain the products they sell by requiring them to publish a Vulnerability Disclosure Policy. Manufacturers will need to identify and flag any product security vulnerabilities and provide a mechanism for third parties to report identified risks.

The regulations require the minimum length of time that products will be supported with security updates to be published. This will help inform purchasing decisions.

All products made available to the market must be accompanied by a statement of compliance.

 

 

What does it mean for customers?
 

Technically designed to support you

Ultimately PSTI will give customers confidence and help them make informed purchasing decisions. The regulations are a force for good and long overdue. Products are already highly regulated to ensure they do not cause physical harm from overheating, or electrical interference. Now connectable devices will need to protect consumers from cyber harm, including loss of privacy and personal data.

What’s in the box

  • All TA Triumph-Adler A4 printers and MFPs shipped with a Statement of Compliance and a unique password in the box.
  • Packaging will be clearly marked making it easy to identify PSTI compliant products.
 

 

Password reset

Need to reset your device password? Call 0345 680 1815 to talk to our support team or email technical@triumphadler.co.uk.


 

Report a security vulnerability

Click here to report a vulnerability or a known security issue with a TA Triumph-Adler PSTI compliant device.


 

PSTI compliant devices

All TA Triumph-Adler’s A4 printers and MFPs that need to be PSTI compliant out of the box are listed below.

 

TA Triumph-Adler Devices Covered

TA Triumph-Adler UK shall, as standard, support all in-scope devices for a period of no less than three years from the point the relevant model was first made available in the UK.

These support periods are reviewed on a continual basis and extended where it is deemed prudent to do so, for the benefit of the consumer. At no point shall the support periods advertised on this webpage be reduced, therefore not complying with the PSTI legislation. Please refer to the in-scope models and applicable support periods outlined below:

  • 358ci: Date available: July 2023 | End of Support: 31st July 2026
  • 458ci: Date available: July 2023 | End of Support: 31st July 2026

 

  • P-3521 MFP: Date available: November 2016 | End of Support: 31st December 2024
  • P-3522DW: Date available: November 2016 | End of Support: 31st December 2024
  • P-3527w MFP: Date available: November 2016 | End of Support: 31st December 2024

 

  • P-4020 MFP: Date available: November 2016 | End of Support: 31st December 2024
  • P-4020DN: Date available: December 2016 | End of Support: 31st December 2024
  • P-4020DW: Date available: November 2016 | End of Support: 31st December 2024
  • P-4025w MFP: Date available: November 2016 | End of Support: 31st December 2024
  • P-4026iw MFP: Date available: November 2016 | End of Support: 31st December 2024

 

  • P-4532 MFP: Date available: March 2023 | End of Support: 31st March 2026
  • P-4532i MFP: Date available: March 2023 | End of Support: 31st March 2026
  • P-4539 MFP: Date available: March 2023 | End of Support: 31st March 2026
  • P-4539i MFP: Date available: March 2023 | End of Support: 31st March 2026
  • P-5539i MFP: Date available: March 2023 | End of Support: 31st March 2026
  • P-6039i MFP: Date available: March 2023 | End of Support: 31st March 2026

 

  • P-4534DN: Date available: January 2023 | End of Support: 31st January 2026
  • P-5034DN: Date available: January 2023 | End of Support: 31st January 2026
  • P-5534DN: Date available: January 2023 | End of Support: 31st January 2026
  • P-6034DN: Date available: January 2023 | End of Support: 31st January 2026

 

  • P-C2650DW: Date available: November 2016 | End of Support: 31st December 2024
  • P-C2655w MFP: Date available: November 2016 | End of Support: 31st December 2024

 

  • P458ci: Date available: July 2023 | End of Support: 31st July 2026
  • P-C3563DN: Date available: July 2023 | End of Support: 31st July 2026
  • P-C4063DN: Date available: July 2023 | End of Support: 31st July 2026
  • P-C3563i MFP: Date available: July 2023 | End of Support: 31st July 2026
  • P-C3567i MFP: Date available: July 2023 | End of Support: 31st July 2026
  • P-C4063i MFP: Date available: July 2023 | End of Support: 31st July 2026
  • P-C4067i MFP: Date available: July 2023 | End of Support: 31st July 2026

 

Vulnerability Disclosure Policy

TA Triumph-Adler UK are committed to providing secure products and services (referred to as "Products," hereafter) such as MFPs, printers, solutions, and applications.

Cyberattacks have become more severe and sophisticated around the world. TA Triumph-Adler constantly monitors these advanced cyberattacks to reduce cybersecurity risks and enhance customers’ cybersecurity and privacy when using our products. Under these circumstances, our commitment to customers is for us to make a vulnerability response in a timely and efficient manner from the initial investigation up to the resolution of reported vulnerability issues. This commitment enables our customers to use our products securely and with ease.

 

Once a vulnerability is discovered, TA Triumph-Adler focuses on responding promptly and appropriately, including responding to customers based on security vulnerability information. PSIRT (*1) generally proceeds in the following four steps: (1) gathering and sharing security vulnerability information, (2) investigating security issues and analysing their impact on our products, (3) taking security measures against vulnerabilities, and (4) announcing to the public.


 

(1) Gathering and sharing security vulnerability information

TA Triumph-Adler checks security information using official open databases of vulnerability information such as CVE, JPCERT and gathers security information from the press, such as newspapers and the Internet. More information is also provided by contacting the customer’s nearest sales company or by inter-office members.

 

CVE: Common Vulnerabilities and Exposures JPCERT: Japan Computer Emergency Response Team

(2) Investigating security issues and analysing their impact on our products

We investigate and analyse the phenomenon’s effects when a vulnerability is exploited and the difficulty and conditions when a malicious attacker tries to exploit a vulnerability.

(3) Taking security measures against vulnerabilities

After the investigation and analysis, if the results indicate that there is an impact, the development division continues to prepare technical and operational measures, such as applying security patches.

(4) Announcing to the public

We announce our security measures on the TA Triumph-Adler website, the PSIRT contact window, sales companies, or a service person.

We value dialogue with vulnerability reporters, handle reported vulnerability information in good faith, and fulfil our responsibility by disclosing vulnerability information in a timely and appropriate manner.

Circumstances

The Vulnerability Disclosure Policy is applied to include the following circumstances:

  • A potential vulnerability affecting products is disclosed to the public.
  • A potential vulnerability existing in products is reported by an external third party.
  • A vulnerability impacting released products is discovered internally.  

Vulnerability Handling Scope

TA Triumph-Adler considers any individual issues caused by including some weakness in coding or configuration that leads to your vulnerable design are not our vulnerability. We value vulnerability information submitted by reporters. However, whether the reported vulnerability information applies to the vulnerability handling scope will be determined by TA Triumph-Adler PSIRT.

We encourage you to report vulnerability information that can provide us with significant information that helps improve the security of products for customers. Before submission of a vulnerability report, please read this Vulnerability Disclosure Policy thoroughly and follow the process described in the following section (i.e., What to expect) in compliance with this policy. Please also note that we do not have a bug bounty program, so you cannot request monetary compensation based upon acknowledgment of the reported vulnerability.

Contact

If a vulnerability is discovered in our products, submit your vulnerability report using the reporting form below. However, if you do not wish to directly contact TA Triumph-Adler, we recommend submitting your report through the Coordination Centre in your country (i.e., CERT/CC) (*2).

Content

If possible, please submit your report containing the following detailed information:

  • Reporter's name and contact information
  • Name of the product that contains the potential vulnerability
  • The product version that contains the potential vulnerability
  • Type of the potential vulnerability (e.g., Information Disclosure, Privilege Escalation, Remote Code Execution, etc.)
  • Impact of the potential vulnerability
  • Steps in the specific and detailed process to reproduce the potential vulnerability
  • The circumstance that an attacker requires to exploit the vulnerability
  • Proof-of-concept code
  • Public, third-party reports of vulnerabilities (i.e., references)
  • Date when you have discovered the vulnerability
  • Others, additional information
 

(*2) The Coordination Centre coordinates incident response related to stakeholders in your country in the event of an incident.

After a vulnerability is reported to TA Triumph-Adler PSIRT, we acknowledge receipt of the vulnerability report. We handle the process according to the following phases:

Receipt

In the receipt phase, a vulnerability reporter receives acknowledgement within 3 of our working days. The next correspondence is determined upon completion of our initial investigation. We will keep you informed of our vulnerability analysis status.

Verification

In the verification phase, we need to confirm with the respective development divisions for any reported vulnerability. We investigate and analyze the phenomenon's effects when a vulnerability is exploited and the difficulty and conditions when a vulnerability is exploited. We ask that you provide us with a reasonable amount of time (at least 90 days from the acknowledgement) to resolve the issue before you disclose it publicly.

Remediation

In the remediation phase, the respective development divisions complete vulnerability analysis, such as the vulnerability's potential impact on our products, possible effects when the vulnerability is exploited, and the difficulty and conditions when a malicious attacker attempts to exploit the vulnerability and validate software remediation, mitigation, and workaround. Based upon the results, the timeline will be determined so we can take temporary and permanent security measures, respectively. If a vulnerability significantly impacts the global markets and takes time to remediate, alternative mitigation measures will be offered to customers. We will provide customers with adequate security measures as soon as possible and be as transparent as possible about the steps we take during the remediation process, including on issues or challenges that may delay resolution. We will communicate closely with the vulnerability reporter.

Publication

We are responsible for the appropriate disclosure of vulnerability information and extend the same responsibility to reporters. If TA Triumph-Adler PSIRT determines that the vulnerability information is critical to customers, like when there is a possibility of personal information leaks, we will publish security-related information (i.e., the advisory) on our security page of the TA Triumph-Adler (UK) Ltd company website . For any public release, please coordinate with TA Triumph-Adler PSIRT or Computer Emergency Response Team Coordination Center (CERT/CC) (in case you contact CERT/CC in your country). Note that we create the disclosure contents based on the coordination.

You must not:

  • Violate laws/regulations/standards enacted in respective countries/regions.
  • Share or re-distribute any data obtained through our products to third parties.
  • Submit the report by using a product obtained improperly through a malicious person.
  • Attempt to contact us utilizing vulnerable communication.
  • Report any vulnerabilities related to Denial of Services (DoS or DDoS).
  • Submit the report on products that are not brought in line with best practices.
  • Submit the report on TLS configuration weaknesses e.g., TLS1.0 support.
  • Use social engineering attacks.
  • Demand monetary compensation to disclose any vulnerabilities

You must:

  • Be compliant with all relevant laws/acts, standards, data protection, and privacy laws.
  • Securely delete all data used during your vulnerability investigation/analysis/research as soon as it is no longer required (*3)

(*3) Reference: Article 17 General Data Protection Regulation (GDPR) Right to erasure ('right to be forgotten')

TA Triumph-Adler UK does not claim any ownership rights to the information included in the reported Vulnerability Disclosure under this Policy, including, but not limited to, any data, text, material, program code, suggestion and recommendation received from the reporter (“Reported Vulnerability Information”).

By providing any Reported Vulnerability Information to UTAX (UK) Ltd, the reporter

  • grants us the following non-exclusive, irrevocable, perpetual, royalty-free, worldwide, sub-licensable license to the intellectual property in the Reported Vulnerability Information:
  • to use, review, assess, test, and otherwise analyse the Reported Vulnerability Information; and
  • to reproduce, modify, distribute, display and perform publicly, and commercialize and create derivative works of the Reported Vulnerability Information and all its content, in whole or in part, for the purpose of fixing the reported vulnerabilities, improving Products, and marketing, sale and promotion of such improved Products;
  • agrees to sign any documentation that may be required for us or our designees to confirm the rights the reporter granted above;
  • understands and acknowledges that we may have developed or commissioned materials similar or identical to the Reported Vulnerability Information, and the reporter waives any claims or rights it may have resulting from any similarities to the Reported Vulnerability Information;
  • understands and acknowledges that it is not guaranteed any compensation or credit for Reported Vulnerability Information; and
  • represents and warrants that it hasn’t included any of personal data in Reported Vulnerability Information, it hasn't used any information or intellectual property owned by a third party in violation of legal or contractual requirements, and that the reporter has the legal right to provide the Reported Vulnerability Information to us subject to this Policy.