The PCI Security Standards Council on Wednesday released updated guidelines governing PIN-entry devices that incorporate all the rules into a single set of requirements. Previously, there were three separate sets of requirements for point-of-sale PIN entry devices (PED), encrypting PIN pads (EPP), and unattended payment terminals (UPT).
Version 3.0 of the PTS (Payment Transaction Security) Requirements simplifies the testing process and eliminates overlapping of documentation by providing one modular security evaluation program for all terminals, says Bob Russo, general manager of the council. It also provides a single reference listing of approved products, including photos.
“Now you don’t have to go through three different things—get an encrypted PIN pad under one kind of standard and get the rest of these things done under a different standard,” Russo says. “They’re all the same standard now. It makes it easier for the laboratories to test all these things and assess them. It also makes it easier for the vendor who’s creating these modules to go out and get them certified.”
In addition, the new version introduces three new modules for evaluation requirements: Open Protocols, which applies to Internet Protocol or wireless-enabled devices; Secure Reading and Exchange of Data (SRED), which tests secure reading and encryption of cardholder data at the point of entry; and Integration, which addresses the integration of components in an unattended POS PIN acceptance device.
The SRED module provides the methodology for allowing terminals to encrypt data as a card is swiped, Russo says, adding that the module is not mandatory but is a “really good first step” toward end-to-end encryption.
The Integration module addresses the data security issues posed by unattended payment terminals such as kiosks and gas pumps. “These things have lots and lots of moving parts,” Russo says, including encrypted PIN pads, printers, and data entry screens. “We’re looking at each one of these components individually, certifying them as PCI-compliant, and then an integrator can take these things and build any kind of terminal they’d like.”
The Open Protocols module incorporates all protocols that already exist for wireless, including RFID. “We’ve made it easier for manufacturers because it’s all in one (module) now,” Russo says.
The updated standard and detailed listing of approved devices are available on the PCI Council’s web site. The council will also hold webinars discussing the new security requirements in detail on May 18 and May 19. Information and registration are available on the council’s web site.
The Wakefield, Mass.-based PCI Council is responsible for overseeing and upgrading the PCI standards for securing card data, though the five major international card networks enforce them. The main standard gets upgraded every two years, with version 1.2 in effect from October 2008 until the next official release this October.
Changes to the standards will fall into three categories. The first is how PCI DSS works with new technology, such as end-to-end encryption and tokenization. Although the updated PCI standard won’t set specific requirements for these emerging technologies, it will give examples of how using end-to-end encryption or tokenization might satisfy portions of the PCI standard, Russo says.
“If you’re using this technology and it’s doing these certain things, then you may already be compliant with this requirement or that requirement,” he says. “We don’t think there’s a silver bullet out there where you’d buy one product and not have to do anything.”
The council also will issue clarifications of many existing requirements, Russo says. “This is probably the bulk of what we’re looking at,” he says. “‘What does this mean—you’re saying do this on a regular basis—what does a regular basis mean—is it 30 days, every 90 days?’”
Remaining changes in the standard will deal with guidance: “‘What do I check for? What are the controls I need to have in place?’” Russo says.
The council will be releasing summaries of clarifications and guidance, and possibly changes in the standards, throughout the summer, Russo says. Proposed changes to the standard also will be discussed at meetings in Orlando, Fla., and Barcelona, Spain, in September and October.