GS Logo
The Green Sheet, Inc

Please Log in

A Thing
View Archives

View PDF of this issue

Care to Share?


Table of Contents

Lead Story

Transportation payments in transition

News

Industry Update

Financial reform bill passes Senate, interchange targeted

Why won't Apple take cash for iPads?

PCI SSC unveils new PTS requirements

Trade Association News

Selling Prepaid

Prepaid in brief

Prepaid's role in monetizing social media

A new benefits option for Floridians

Views

The drive to innovate

Scott Henry
VeriFone Inc.

Canada: An untapped marketplace

Jeffrey Shavitz
Charge Card Systems Inc.

Education

Street SmartsSM:
What does a merchant get for a PCI fee? - Part 1

Ken Musante
Eureka Payments LLC

The art of cross-marketing: How to maximize existing client relationships and boost sales

Peggy Bekavac Olson
Strategic Marketing

Consult your way to success

Tom Hennigan
Retail Cloud

Digging into PCI - Part 12: Maintain a policy that addresses information security for employees and contractors

Tim Cranny
Panoptic Security Inc.

A primer on accountability

Jeff Fortney
Clearent LLC

How to use technology to redefine today's economy

Daniel Burrus
Burrus Research Associates Inc.

Company Profile

NETSURION (formerly Vendor Safe Technologies)

New Products

Skimming alert system

VeriFone PED Authentication Service
Verifone Inc.

End-to-end bulwark

E3 Secure
Heartland Payment Systems Inc.

Inspiration

Change - it never changes

Departments

Forum

Resource Guide

Datebook

A Bigger Thing

The Green Sheet Online Edition

June 14, 2010  •  Issue 10:06:01

previous next

PCI SSC unveils new PTS requirements

The PCI Security Standards Council (PCI SSC) recently published version 3.0 of the PIN Transaction Security (PTS) Point of Interaction (POI) security requirements. The new PTS - the end result of a three-year review of the previous version of the standard - is a set of protocols for POS terminal manufacturers to follow when designing PIN entry devices (PEDs) and incorporating them into POS systems.

According to Bob Russo, General Manager of the PCI SSC, releasing PTS v3.0 now is particularly important given that fraudsters are "picking up point of sale devices from stores and walking out the door with them. It's sort of a hotspot. We want to make sure that some of these devices, or all of these devices, certainly are not storing data that they shouldn't be."

The council said that, up until now, there were three separate sets of requirements, one each for POS PEDs, encrypting PIN pads and unattended payment terminals. Version 3.0 of the PTS combines those three requirements into one and provides a single listing of approved products for POS terminal manufacturers to reference when putting together secure systems.

Three additions to PTS

Additionally, Russo said PTS v3.0 incorporates three new modules: the Secure Reading and Exchange of Data (SRED) module, an integration module, and an open protocol module. SRED is a first attempt by the PCI SSC to address end-to-end (E2E) encryption without promoting any one type of E2E technology, Russo said.

He added that SRED is not a mandatory requirement; it provides guidance as to encryption best practices for POS terminal vendors to follow.

The integration module is designed to ensure that disparate devices all conform to the Payment Card Industry (PCI) Data Security Standard (DSS) and related security standards.

Russo gave the example of a gas pump, which comprises many devices. The PIN pad, card reader, touch screen display, receipt printer and even the box that houses the different devices all have to be certified PCI compliant. "There has to be a secure methodology for integrating all of these things," Russo said. Finally, the open protocol module addresses wireless devices equipped with radio frequency identification technology.

Overall, the goal of the new PTS is to help POS vendors design systems that keep cardholder data secure. It's easier for vendors "because there's one place to go to get all of these things certified," Russo said. "And it's easier for the labs because now they have a methodology to certify each [POS terminal component]."

Enhanced website

Merchants have not been forgotten either. In its effort to further the education of merchants in data security, the PCI SSC upgraded its website to include a detailed listing of approved devices linked to pictures of each device so merchants can easily discern if their POS devices are PCI certified, Russo said.

PTS v3.0 is the first of three new standards to be released. The PCI SSC will publish the new Payment Application DSS and PCI DSS later this year.

The requirements of version 2.0 of the PTS are still in effect, with a sunset date of May 12, 2011. To learn more about the new PTS standard, go to www.pcisecuritystandards.org/security_standards/ped/index.shtml. The council also conducted a webinar on PTS v3.0. It can be accessed at www.pcisecuritystandards.org/education/webinars.shtml.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

previous next

Spotlight Innovators:

North American Bancard | USAePay | Super G Capital LLC | Humboldt Merchant Services | Impact Paysystems | Electronic Merchant Systems