Changes aimed to support a range of environments, technologies, and methodologies for achieving security
WAKEFIELD, Mass., 16 June 2020 — The PCI Security Standards Council has updated the standard for payment devices to enable stronger protections for cardholder data. The PCI PIN Transaction Security (PTS) Point-of-Interaction (POI) Modular Security Requirements v6.0 enhances security controls to defend against physical tampering and the insertion of malware that can compromise card data during payment transactions. Updates are designed to meet the accelerating changes of payment device technology, while providing protections against criminals who continue to develop new ways to steal payment card data.
“Payment technology is advancing at a rapid pace,” says Emma Sutcliffe, SVP, Standards Officer at PCI SSC. “The changes to this standard will facilitate design flexibility for payment devices while advancing the standard to help mitigate the evolving threat environment.”
Established to protect PINs (Personal Identification Numbers) and the cardholder data stored on the card (on magnetic stripe or the chip of an EMV card) or used in conjunction with a mobile device, PTS POI Version 6.0 reorganizes the requirements and introduces changes that include:
- Restructuring modules into Physical and Logical, Integration, Communications and Interfaces, and Life Cycle to reflect the diversity of devices supported under the standard and the application of requirements based upon their individual characteristics and functionalities.
- Limiting firmware approval timeframes to three years to help ensure ongoing protection against evolving vulnerabilities.
- Requiring devices that accept EMV-enabled cards to support Elliptic Curve Cryptography (ECC) to help facilitate the EMV migration to a more robust level of cryptography.
- Enhancing support for the acceptance of magnetic stripe cards in mobile payments using solutions that follow the Software-Based PIN Entry on COTS (SPoC) Standard.
“Feedback from our global stakeholders, along with changes in payments, technology and security is driving the changes to this standard,” said Troy Leach, SVP at PCI SSC. “It’s with participation from the payments industry that the Council is able to produce standards that are relevant and enhance global payment card security.”
The following documents related to the PTS POI v6.0 Standard can be found in the PCI SSC document library:
- PCI PTS POI Summary of Changes from v5.1 to v6.0
- PCI PTS POI Modular Derived Test Requirements
- PCI PTS Device Testing and Approval Program Guide
- PCI PTS POI Technical FAQs
Vendors can begin using PCI PTS POI Modular Security Requirements v6.0 now for payment device evaluations. Version 5.1 will retire in June 2021 for evaluations of new payment devices.
A list of PCI-approved PTS devices tested against the PCI PTS POI Modular Security Requirements is available on the PCI Council website for businesses to choose equipment that is verified to protect their customers’ cardholder information in accordance with PCI Standards.
About the PCI Security Standards Council
The PCI Security Standards Council (PCI SSC) leads a global, cross-industry effort to increase payment security by providing industry-driven, flexible and effective data security standards and programs that help businesses detect, mitigate and prevent cyberattacks and breaches.