The new requirements are in the latest version of the council's PIN Transaction (PTS) Security Requirements and are designed to bolster security on retail point-of-sale card readers and unattended kiosks and payment terminals, such as those found at airports and gas stations.
Version 3.0 of the
PCI council's
PTS includes three new modules for device vendors and their customers to secure sensitive card data. One of the modules contains requirements pertaining to the secure reading and exchange of data on payment card devices. The requirements would enable the secure reading and encryption of sensitive cardholder data at the point where a credit or debit card is swiped.
A second module spells out the security standards that device vendors will be expected to follow while integrating all of the different components that make up an unattended point-of-sale device that accepts PIN-debit card transactions. The third module, called Open Protocols, contains a set of new requirements relating to wireless-enabled payment card devices.
The new version of PTS also consolidates what used to be three separate sets of requirements for point-of-sale devices, PIN entry devices, unattended payment terminals and for encrypting PIN pads. The consolidation is supposed to make it easier for device vendors to implement the requirements and eliminates some of the overlap from having three separate sets of requirements, said Bob Russo, general manager of the PCI Security Standards Council.
The council's PTS standard provides payment device vendors with a set of guidelines for ensuring the security of cardholder data on payment devices. Version 2.0 of the standard will be retired in 2011, by which time vendors will be expected to start implementing the requirements contained in Version 3.0.
The council was set up by Visa, MasterCard, American Express and other credit card companies and is responsible for developing security standards for the payment card industry. Each credit card company, however, is responsible for setting implementation deadlines and enforcing compliance with the requirements.
The PTS standards apply only to payment card devices. The council has a similar but separate set of standards for merchants and payment processors and one for developers of payment applications. The council is set to announce new versions of both those standards later this year.
The updated PTS standards come amid growing concerns about the security of payment card devices.
"Point of sale terminals are currently the security hot spot these days" in the payment industry," Russo said. There's increasing concern about fraud and data theft resulting from the use of illegal card-skimmers attached to payment card devices and from the theft and modification of such devices, he said.