However, a few important points on why this does not translate directly into an end‑of‑life or unsupported risk in the same way as a general‑purpose Android 10 tablet or phone:
Payment terminal OS vs. consumer Android
The A35 does not run a stock, consumer version of Android.
It runs PayDroid / PAXBiz, which is a hardened, locked‑down payment OS:
No Google Play Store or general app installation.
Only whitelisted payment and support components are allowed (e.g. axept PRO, P2PE, supporting services).
System settings and debug options are restricted and not available to end‑users.
In practice, the device behaves as a closed, single‑purpose payment appliance, rather than a multi‑purpose Android endpoint.
PCI PTS v6 & P2PE security controls
The A35 is certified to PCI PTS v6.x with SRED and EMV Level 1/2, contactless etc. (see A35 datasheet attached).
The DNA in‑person payments stack (axept PRO + P2PE) on the A35 is also aligned with PCI / P2PE controls, and tracked internally and summarised in our POI product overview, also attached.
These certifications impose:
Strict requirements around OS hardening, key management and tamper response.
Ongoing obligations on us and PAX to maintain firmware and security updates for the supported life of the device.
Controlled firmware and update lifecycle
DNA Payments operate a defined firmware benchmark for PAX devices (including A35) as part of their PCI security governance.
Example (for A35 / PayDroid 10 Cedar):
(PayDroid_10.0_Cedar firmware versions).
Every PCI‑PTS v6 terminal used by DNA Payments (including the A35) is on our “retained” strategic list with an explicit obligation to monitor firmware versions and deploy new ones across the estate:
As part of DNA Payments PCI DSS v4 governance, they also maintain an approved technology list and validate that technologies in use continue to receive security updates and are not end‑of‑life.
I believe the Cyber Essentials guidance around “obsolete” OS versions is aimed primarily at general‑purpose IT assets (laptops, desktops, mobiles, servers) that can browse the internet, run arbitrary software, and are administered like standard endpoints.
The A35, in contrast:
Runs a vendor‑controlled, embedded Android fork (PayDroid 10) under PCI‑PTS and P2PE control.
Is typically deployed on a segmented network for payment traffic only.
Has no general user access to the OS, app store, or browser in the way a normal Android device would.