The Green Sheet Online Edition
June 14, 2010 • Issue 10:06:01
PCI SSC unveils new PTS requirements
The PCI Security Standards Council (PCI SSC) recently published version 3.0 of the PIN Transaction Security (PTS) Point of Interaction (POI) security requirements. The new PTS, the end result of a three-year review of the previous version of the standard, is a set of requirements for POS terminal manufacturers to follow when designing PIN entry devices (PEDs) and incorporating them into POS systems.
According to Bob Russo, General Manager of the PCI SSC, releasing PTS v3.0 now is particularly important given that fraudsters are "picking up point of sale devices from stores and walking out the door with them. It's sort of a hotspot. We want to make sure that some of these devices, or all of these devices, certainly are not storing data that they shouldn't be."
The council said that, up until now, there were three separate sets of requirements, one each for POS PEDs, encrypting PIN pads and unattended payment terminals. Version 3.0 of the PTS combines those three requirements into one and provides a single listing of approved products for POS terminal manufacturers to reference when putting together secure systems.
Three additions to PTS
Additionally, Russo said PTS v3.0 incorporates three new modules: the Secure Reading and Exchange of Data (SRED) module, an integration module, and an open protocol module. SRED is a first attempt by the PCI SSC to address end-to-end (E2E) encryption without promoting any one type of E2E technology, Russo said.
He added that SRED is not a mandatory requirement; it provides guidance as to encryption best practices for POS terminal vendors to follow.
The integration module is designed to ensure that disparate devices all conform to the Payment Card Industry (PCI) Data Security Standard (DSS) and related security standards.
Russo gave the example of a gas pump, which comprises many devices. The PIN pad, card reader, touch screen display, receipt printer and even the box that houses the different devices all have to be certified PCI compliant. "There has to be a secure methodology for integrating all of these things," Russo said. Finally, the open protocol module addresses wireless devices equipped with radio frequency identification technology.
Overall, the goal of the new PTS is to help POS vendors design systems that keep cardholder data secure. It's easier for vendors "because there's one place to go to get all of these things certified," Russo said. "And it's easier for the labs because now they have a methodology to certify each [POS terminal component]."
Merchants have not been forgotten either. In its effort to further the education of merchants in data security, the PCI SSC upgraded its website to include a detailed listing of approved devices linked to pictures of each device so merchants can easily discern if their POS devices are PCI certified, Russo said.
PTS v3.0 is the first of three new standards to be released. The PCI SSC will publish the new Payment Application DSS and PCI DSS later this year.
The requirements of version 2.0 of the PTS are still in effect, with a sunset date of May 12, 2011. To learn more about the new PTS standard, go to www.pcisecuritystandards.org/security_standards/ped/index.shtml. The council also conducted a webinar on PTS v3.0. It can be accessed at www.pcisecuritystandards.org/education/webinars.shtml.