Changes to the standard for PIN Transaction Security
Today the PCI Security Standards Council (PCI SSC) published version 4.0 of the PIN Transaction Security (PTS) Point of Interaction (POI) requirements. These requirements, along with the Hardware Security Module (HSM) requirements, provide standards for device manufacturers to ensure that merchants and others have secure devices for accepting and processing payment cards.
Point of Interaction (POI) devices, such as PIN entry devices, continue to be a primary method for accepting and processing credit payment cards, and therefore a target for criminal attack. As part of its ongoing standards development process, the PCI Council makes updates based on industry needs and changing threats to ensure the strongest technical standards for payment security.
Changes introduced in version 4.0 of the PTS POI requirements focus on increasing the robustness of the devices through enhanced testing procedures and streamlining the evaluation and reporting processes for both device vendors and testing labs.
The PTS POI requirements are updated on a three-year cycle, based on feedback from the PCI community. The development process also allows for minor update releases as needed – in October 2011, for example, the Council issued version 3.1 to support deployment of point-to-point encryption (P2PE) and mobile technologies. The new version builds on these updates to underscore the requirements’ applicability to traditional POI deployments – including Point-of-Sale devices, unattended kiosks, mobile dongles – and many other types of devices.
Key changes include:
Restructured Open Protocols Module – helps ensure POI devices do not have communication vulnerabilities that can be remotely exploited to gain access to sensitive data or resources within the device.
Enhanced interface testing and logical security requirements – by requiring more stringent documentation and assessment of all interfaces of the device, these will help ensure that no interface can be abused or used as an attack vector.
Added source code reviews – additional mandatory source code reviews enhance the robustness of the testing process.
Introduction of a vendor-provided security policy – provides guidance that will facilitate implementation of an approved POI device in a manner consistent with the POI requirements, including information on key management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements.
Vendors now have the option of testing against version 3.1 or version 4.0. Beginning in May 2014, version 3.0 will no longer be available for new evaluations, but it may still be used for delta evaluations.