The Green Sheet

Friday, October 21, 2011

Update feeds need for more PTS guidance

The Payment Card Industry Security Standards Council (PCI SSC) updated the standard that mandates security requirements for PIN entry devices to incorporate devices that do not offer PIN entry. The PIN Transaction Security (PTS) Data Security Standard (DSS) was expanded to include guidance for determining whether non-PIN accepting devices meet the requirements of point-to-point encryption (P2PE) – the technology many security experts believe is the most secure way to protect personal information and other card transaction data.

The update to the PTS DSS, a companion to the overarching Payment Card Industry DSS, provides guidelines for the testing of any card acceptance device to determine if it can be used with P2PE technology. The PCI SSC said that, until now, the PTS DSS applied to PIN acceptance devices only. But with the release of version 3.1 of the PTS DSS, any device used for the acceptance of electronic payments can now be tested for its compatibility with P2PE technology.

Guidance for SCRs

Additionally, the new version of PTS DSS addresses secure card readers (SCRs) – devices that encrypt card data at the point of swipe, such as mag-stripe reading "sleeves" and dongles that fit on smart phones to transform them into payment acceptance devices. "Merchants looking to use magnetic stripe readers (MSRs) or MSR plug-ins now can ensure these devices have been tested and approved to encrypt data on the reader before it reaches the device," the PCI SSC said.

The council hopes the release of the update will promote the use of open payment platforms, exemplified by smart phone payment systems. PCI SSC General Manager Bob Russo said, "We know how eager the market is to implement P2PE. By releasing these updated requirements now, merchants using any type of card acceptance device will have the ability to encrypt data at the point of interaction and ensure its protection. Additionally, we've opened the standard up to address mobile devices – another area of great interest to our stakeholders."

New features

Version 3.0 of PTS DSS was released in April 2010. The October 2011 update, v3.1, can be accessed at www.pcisecuritystandards.org/documents/PCI_PTS_POI_SRs_v3_1.pdf and includes these new features:

  • A single evaluation process that addresses all point-of-interaction (POI) devices and models, including PIN pads, dedicated POS devices, vending machines, kiosks and other payment devices
  • Guidance for the evaluation and integration of components (divided into two groups: device integration requirements and POI device core requirements)
  • A new set of requirements and evaluation modules for open protocols (helping with the interface of POI terminals to open networks) and the secure reading and exchange of data (helping to support secure encryption of data collected in a terminal)
  • Inclusion of non-PIN acceptance devices and secure card readers in POI evaluation categories
  • An approved PTS device list

The PCI SSC will host two free webinars outlining PTS DSS v3.1, followed by live Q&As. The webinars will be held Nov. 8 and Nov. 10, 2011.


Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
