GS Logo
The Green Sheet, Inc

Please Log in

A Thing
View Archives

View PDF of this issue

Care to Share?

Table of Contents

Lead Story

Canadian payments revolution - eh!

Adam Atlas
Attorney at Law


Industry Update

HR 5546 is in the House

Shopit starts Revolution

Agreement keeps Frontier flying

PCI SSC adds new payment device types

New webinars target PCI education

Gas stations nixing plastic

Approaching a crossroads

Patti Murphy
The Takoma Group


Brewer taps payments market

Brewer taps payments market

Payments in the Great White North


Approaching a crossroads

Patti Murphy
The Takoma Group


Street SmartsSM:
Passing the so-what test

Jason Felts
Advanced Merchant Services

Communication matters

Vicki M. Daughdrill
Small Business Resources LLC

How sellers blow deals

Lane Gordon

Canada goes to chip, fraudsters move south: Are you ready?

Deana Sellens
Take Charge Business Consulting LLC

Web sites that work

Nancy Drexler
SignaPay Ltd

Dial is yesterday's paper

Dale S. Laszig
DSL Direct LLC

Company Profile

RDM Corp.

Smart Circle International

New Products

Destroy the data, recycle the rest

Company: Digital Data Destruction Services Inc.


Take new trip in downturn



Resource Guide


A Bigger Thing

The Green Sheet Online Edition

July 28, 2008  •  Issue 08:07:02

previous next

PCI SSC adds new payment device types

As part of its continuing effort to strengthen cardholder data security, the Payment Card Industry (PCI) Security Standards Council (SSC) added two new payments industry device types to its PCI PIN Entry Device program.

Unattended payment terminals (UPTs) - such as self-service vending machines, kiosks and automated fuel pumps - and hardware security modules (HSMs) can now undergo the testing and approval program to ensure they comply with industry standards for securing sensitive data at all points in the transaction process.The inclusion of UPTs and HSMs in the PCI PED security requirements reflects an expansion in the ways consumers make payments at the POS.

Simplified and streamlined

The PCI council provides vendors with one authority to consult for testing and certification and allows merchants access to a broad repository of information on approved devices.

"You can't expect a merchant who is looking for a payment application for a POS device to do research and ring vendors to find out if they've gone through an appropriate certification process," said Tim Cranny, Chief Executive Officer of Panoptic Security Inc., a PCI compliance solutions provider. "One of the big elements of the PCI's addition of these devices is to simplify and streamline the process." Merchants can visit the council's Web site to access documents containing the requirements and evaluation procedures necessary to validate compliance, a list of devices that meet compliance criteria, and the steps for submitting a device and obtaining approval.

Manufacturers are responsible for submitting their devices to council-approved labs for evaluation and approval. Thus, when merchants and other stakeholders are looking for solutions, they can choose from PCI-approved products that meet a defined set of minimum security requirements.

Safe and secure

"PIN entry devices go well beyond the typical POS terminals we are all familiar with, and we are continually expanding into more areas," said Bob Russo, General Manager, PCI SSC. "Any device that processes personal identification numbers is an important link in the transaction chain. "By including both UPTs and HSMs in the PED security requirements, the council is reaffirming its commitment to developing additional standards to meet the needs of the industry and to ensure continued safety and security for consumers." HSMs are used in support of acquiring and issuing activities, including:

"One of the problems with the Internet is that it's not too difficult to eavesdrop on communications," Cranny said. "So basically HSM is a closed box cryptographic device that ensures the confidentiality and the integrity of those communications. What [PCI] is doing here with the introduction of these standards is just establishing what constitutes a good crypto setup for these communications."

Welcoming and beneficial

The PCI SSC encourages UPT and HSM manufacturers to join the council as participating organizations. "Since you're bringing [UPTs and HSMs] under PCI, you actually want these manufacturers involved in the process, because the real benefit of being on the council is being engaged in the process and being able to constructively shape the conversation and the development of standards," Cranny said. He likens the new parameters for UPT and HSM compliance to an automobile maker's obligation to make cars "road-worthy." For more information, visit, or e-mail the PCI council at

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

previous next

Spotlight Innovators:

North American Bancard | Simpay | USAePay | Impact Paysystems | Board Studios