Changes to the standard for PIN Transaction Security
Posted on 07 June 2013.
Today the PCI Security Standards Council (PCI SSC) published version 4.0 of the PIN Transaction Security (PTS) Point of Interaction (POI) requirements. These requirements, along with the Hardware Security Module (HSM) requirements, provide standards for device manufacturers to ensure merchants and others have secure devices for accepting and processing payment cards.

Point of Interaction (POI) devices, such as PIN entry devices, continue to be a primary method for accepting and processing credit payment cards and a target for criminal attack. As part of its ongoing standards development process, the PCI Council makes updates based on industry needs and changing threats, to ensure the strongest technical standards for payment security.

Changes introduced in version 4.0 of the PTS POI requirements focus on increasing the robustness of the devices through enhanced testing procedures and streamlining the evaluation and reporting processes for both device vendors and testing labs.

The PTS POI requirements are updated on a three-year cycle, based on feedback from the PCI community. The development process also allows for minor update releases as needed – in October 2011, for example, the Council issued version 3.1 to support deployment of point-to-point encryption (P2PE) and mobile technologies. The new version builds on these updates to underscore the requirements’ applicability to traditional POI deployments – including Point-of-Sale devices, unattended kiosks, mobile dongles – and many other types of devices.

Key changes include:

Restructured Open Protocols Module – helps ensure POI devices do not have communication vulnerabilities that can be remotely exploited to gain access to sensitive data or resources within the device.

Enhanced interface testing and logical security requirements – requiring more stringent documentation and assessment of all interfaces of the device will help ensure that no interface can be abused or used as an attack vector.

Added source code reviews – additional mandatory source code reviews enhance the robustness of the testing process.

Introduction of a vendor provided security policy – provides guidance that will facilitate implementation of an approved POI device in a manner consistent with the POI requirements, including information on key management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements.

Vendors now have the option of testing against version 3.1 or version 4.0. Beginning in May 2014, version 3.0 will no longer be available for new evaluations, but may still be used for delta evaluations.





COPYRIGHT 1998-2014 BY HELP NET SECURITY.