The PCI Security Standards Council, a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (DSS), PCI PIN Entry Device (PED) Security Requirements and the Payment Application Data Security Standard (PA-DSS), today announces the addition of two new payment industry device types to the PED program to strengthen cardholder data security.
Unattended payment terminals (UPTs) and hardware (also known as host) security modules (HSMs) can now undergo a rigorous testing and approval program to ensure they comply with industry standards for securing sensitive payment card data at any point in the transaction process. The Council also will maintain the list of approved UPTs and HSMs, provide documentation and training for labs evaluating these devices and be a single source of information for device vendors and their customers.
The PED Security Requirements are designed to ensure the security of personal identification number (PIN)-based transactions globally and apply to devices that accept PIN entry. Until now, the requirements focused on traditional point-of-sale devices that operate in an environment that is attended by a merchant, cashier, or sales clerk. UPTs are unattended payment devices that include self-service ticketing machines, kiosks, automated fuel pumps and vending machines. Vendors have been manufacturing the encrypting PIN pads (EPPs) that go into UPTs and having them evaluated by approved labs, and the payment card brands have been requiring the use of PCI SSC-approved EPPs. Having new and overarching UPT testing requirements will further protect payment card industry participants.
HSMs are secure cryptographic devices that can be used for PIN translation, card personalization, electronic commerce or data protection and do not include any type of cardholder interface. The addition of UPTs and HSMs into the PCI SSC security testing requirements enables the Council to provide testing laboratories with a streamlined evaluation process for achieving compliance of these cryptographic devices.
"PIN entry devices go well beyond the typical POS terminals we are all familiar with and we are continually expanding into more and more areas," said Bob Russo, general manager, PCI Security Standards Council. "Any device that processes personal identification numbers is an important link in the transaction chain. By including both UPTs and HSMs in the PED Security Requirements, the Council is re-affirming its commitment to developing additional standards to meet the needs of the industry and to ensure continued safety and security for consumers."
In addition to the founding card brands, the Council is made up of a variety of payment industry organizations that have the opportunity to contribute to the Council's ongoing development and enhancement of the PCI standards. Manufacturers of UPTs and HSMs are encouraged to join the Council as a Participating Organization. Those that join will have the opportunity to review and provide feedback on the draft requirements and process for testing and certifying that UPT and HSM devices are safe and secure. The Council will issue a final set of requirements and documentation by the end of 2008.