PCI PTS 3.0 updated – is consolidating requirements better?

The Payment Card Industry (PCI) Standards Council (https://www.pcisecuritystandards.org/index.shtml) has published the latest version of its security requirements for card-based transactions. Updated standards have been published for Point of Sale (PoS) devices.

Directly from the PCI Security Council:

Until now there were three separate sets of requirements for Point of Sale PIN Entry Devices (PED), Encrypting PIN Pads (EPP), and Unattended Payment Terminals (UPT). Version 3.0 simplifies the testing process and eliminates overlap of documentation by providing one modular security evaluation program for all terminals and a single reference listing of approved products.

So instead of having three relatively similar sets of requirements, there is one overarching requirement. Does that mean that we’ve played to the lowest common denominator? I don’t think so. Looking at the requirements, it looks like there are strong requirements for secure reading and data exchange on devices. While this doesn’t seem to be a huge stretch for PED (PIN Entry Devices) and UPT (Unattended Payment Terminals), it may be more than most are used to for EPP (Encrypting PIN Pads).

The real changes are centered around the new modules of evaluation criteria.

The first, entitled Open Protocols, applies to Internet Protocol (IP) or wireless-enabled devices. The Secure Reading and Exchange of Data (SRED) module facilitates testing of the secure reading and encryption of cardholder data at the point of entry, and the third module, Integration, is designed to address the integration of components in an unattended POS PIN acceptance device.

The Secure Reading and Exchange of Data module seems to directly address the issues we saw come out of the Heartland breach. Encrypting from the endpoint can help to lessen the exposures that allowed the Heartland data to be stolen.

The Integration module should provide a standard for how processors can attach to and interact with the device, while the Open Protocols module finally calls out some wireless standards.

This is targeted directly at devices that are built for payment cards, so it’s likely we’ll see similar additions or changes to the PCI DSS standard that mirror or support these requirements.

One thought on “PCI PTS 3.0 updated – is consolidating requirements better?”

  1. Just want to say what a great blog you got here!
    I’ve been around for quite a lot of time, but finally decided to show my appreciation of your work!

    Thumbs up, and keep it going!

    Cheers
    Christian
