Dealing with the Payment Card Industry Data Security Standard (PCI DSS) is now part of the overall compliance strategy for most organizations that process, transmit or store cardholder data. Since 2007, the PCI Security Standards Council (PCI SSC) has actively promoted PA-DSS, which applies to organizations that commercialize payment applications used by third-party merchants. But it's only been in the last few months that the PCI SSC has been talking a lot about PIN transaction security, or PTS, and its accompanying requirements. So what is the relationship between these three standards?
PCI DSS exists to protect cardholder data processed, stored or transmitted by merchants. PA-DSS is a set of requirements aimed at ensuring that payment processing applications, such as those used by payment service providers and banks, are secure and do not put cardholder data at risk.
PTS and PCI PIN security requirements, however, are more concerned with the physical and logical security of the point-of-sale devices or terminals, whether they be attended, i.e. manned by merchants, or unattended (UPT), such as automated parking payment machines.
Recently, attackers have begun focusing on POS hardware and software, as there seem to be a number of old, unmanaged devices on the market. These devices do not offer encryption technology, often automatically print out full PANs on receipts and are not configured to clear information in memory on a regular basis. As such, these devices end up holding information that can be easily retrieved should attackers manage to either physically access or logically access the devices.
As PIN pad devices, POS devices and UPTs have been identified as new attack vectors, PCI PTS requirements focus on protecting them. These requirements mandate that measures be taken to see that IT-based attacks on these devices are detectable and fully auditable, which includes requirements for clearing memory and upgrading systems on a regular basis. It is up to merchants to ensure that they use devices that meet PTS requirements (a list of PCI-compliant PTS devices can be found on the PCI SSC website).
In the past, security requirements for each type of device were covered separately. As of May 2010, however, the PCI SSC announced that version 3.0 of the PTS requirements (.pdf) "restructures the existing security requirements, simplifying the evaluation process by combining the three separate sets of Point of Interaction (POI) PIN acceptance product-type evaluation requirements into one, covering attended and unattended PIN entry devices along with encrypting PIN pad (EPP) requirements."
Essentially, the guidance advises organizations to look after the physical security of devices first, and then focus on logical security. In practice, this means that all devices must be physically secured so they can't be stolen or replaced by bogus look-alike devices. It also emphasizes that merchants need to take advantage of new security settings and modules, which starts with using the latest devices with the latest firmware and software. PTS requirements and their EPP, SRED and open protocols guidance are simple security best practices with a major focus on devices used to process cardholder data.
It is also worth noting that PTS requirements now include more detailed guidance on the secure use of "open" protocols, if the PIN devices are Internet-, Wi-Fi- or GPRS-enabled. Additionally, integration modules ensure that the use of devices such as smart card readers, as well as existing components such as EPPs, do not affect the security of the end product.
PCI SSC sees those changes to its PTS requirements as a way of simplifying compliance and addressing the subject of end-to-end encryption for cardholder data security. There is also a PTS FAQ (.pdf) document on the PCI SSC website. All you need to do now is comply!
This was first published in July 2010