PCI SSC Publishes New Security Requirements Version 3.0

PCI Security Standards Council (PCI SSC), a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (PCI DSS), PIN Transaction Security (PTS) security requirements and the Payment Application Data Security Standard (PA-DSS), has published version 3.0 of the PIN Transaction Security (PTS) Point of Interaction (POI) security requirements.

The new version is designed to streamline and simplify testing and implementation by providing a single set of modular evaluation requirements for all Personal Identification Number (PIN) acceptance Point of Interaction terminals. It also includes three new modules for device vendors and their customers to secure sensitive card data. Version 3.0 is effective immediately, and version 2.0 will sunset on May 12th 2011.

Until now there were three separate sets of requirements for Point of Sale PIN Entry Devices (PED), Encrypting PIN Pads (EPP), and Unattended Payment Terminals (UPT). Version 3.0 simplifies the testing process and eliminates overlap of documentation by providing one modular security evaluation program for all terminals and a single reference listing of approved products.

In addition to strengthening and restructuring existing requirements, the latest version also introduces three new modules for evaluation requirements. The first, entitled, Open Protocols, applies to Internet Protocol (IP) or to wireless enabled devices. The Secure Reading and Exchange of Data (SRED) module facilitates testing of the secure reading and encryption of cardholder data at the point of entry, and the third module, Integration, is designed to address the integration of components in an unattended POS PIN acceptance device.

Bob Russo, general manager of the PCI SSC, said: “By combining all of the requirements into one program, we have simplified one-stop shopping when it comes to secure devices. This new approach and additional modules make it easier for manufacturers and merchants to make sure that at any point in a transaction, account data is being protected.”