The Payment Card Industry (PCI) Security Standards Council (https://www.pcisecuritystandards.org/index.shtml) has published the latest version of its security requirements for card-based transactions, including updated standards for Point of Sale (POS) devices.
Directly from the PCI Security Council:
Until now there were three separate sets of requirements for Point of Sale PIN Entry Devices (PED), Encrypting PIN Pads (EPP), and Unattended Payment Terminals (UPT). Version 3.0 simplifies the testing process and eliminates overlap of documentation by providing one modular security evaluation program for all terminals and a single reference listing of approved products.
So instead of three relatively similar sets of requirements, there is now one overarching set of requirements. Does that mean the Council has played to the lowest common denominator? I don’t think so. The requirements include strong provisions for secure reading and exchange of data on the device itself. While this is not a huge stretch for PED (PIN Entry Devices) and UPT (Unattended Payment Terminals), it may be more than most vendors are used to for EPP (Encrypting PIN Pads).
The real changes are centered on three new modules of evaluation criteria.
The first, Open Protocols, applies to devices with Internet Protocol (IP) or wireless connectivity. The second, Secure Reading and Exchange of Data (SRED), covers testing of the secure reading and encryption of cardholder data at the point of entry. The third, Integration, addresses how the components of an unattended POS PIN acceptance device are integrated.
The Secure Reading and Exchange of Data module seems to directly address the issues we saw come out of the Heartland breach. Encrypting at the endpoint, before cardholder data leaves the reader, means that the POS host, the store network and any intermediate systems only ever handle ciphertext, which lessens the exposures that allowed the Heartland data to be stolen. The caveat is that this moves the risk rather than removing it: the key management on the device and the decryption point at the processor become the targets, and the requirements have to be strong there as well.
The Integration module should provide a standard for how the components of an unattended device attach to and interact with each other, and the Open Protocols module finally calls out requirements for IP and wireless connectivity.
These requirements are targeted directly at the devices built to accept payment cards, so it is likely we will see similar or supporting additions to the PCI DSS standard that governs the merchant and processor environments around them.