PTS (PIN Transaction Security) devices are hardware Point of Interaction (POI) devices that are certified by the Payment Card Industry Security Standards Council (PCI-SSC) as meeting the requirements necessary to safeguard sensitive cardholder data, including the PIN and PIN data. The PCI-SSC has put forth these specific technical and operational requirements that apply to POI devices. The use of PTS devices can aid a merchant in validation compliance with the Payment Card Industry Data Security Standard (PCI-DSS). The PCI-DSS is a set of requirements that detail the minimum policies, procedures and accompanying security features that must be in place within a validating entity’s cardholder data environment (CDE). The goal of the PCI-DSS is to protect credit card account data from being compromised by bad actors and later used for fraudulent transactions. PCI-DSS requirements apply to all entities that store, process or transmit cardholder data.
The PCI-SSC defines a PTS POI device as follows:
"A device that provides for the entry of PINs, used for the purchase of goods or services or dispensing of cash. An approved POI has met all of the applicable PCI PTS POI requirements for online and/or offline PIN entry, and has a clearly defined physical and logical boundary for all functions related to PIN entry."
Developers of payment solutions and independent software vendors may leverage certified PTS devices to provide security for end users of the solutions. It is important that these entities and merchants understand the regulations around the use of a PTS POI device including the expiry date and validation method. PTS devices are certified at PCI Recognized Laboratories which validate compliance to the PCI PTS requirements and provide this data to the PCI-SSC for listing. A list of PTS certified devices can be found here. Validating entities should work directly with their acquiring bank in order to determine which PTS devices are approved for use. In certain cases, the credit card payment brands may also require the use of a PTS approved device. Failure to follow these requirements or use of a non-approved device increases the chances of a credit card data breach, and can lead to significant fines and assessments. A breach event is not only expensive but can lead to loss of reputation and customer trust.
Use this guide to learn the requirements regarding expiry dates for PTS POI device approvals.
What are expired PTS POI devices?
The PCI-SSC keeps two separate lists of PTS POI devices. One list keeps track of PTS devices with expiry dates in the future, and a separate list for PTS devices whose expiry date has passed. There are currently 483 PTS devices who were validated under PTS programs whose expiry dates have passed. These solutions would have to be reevaluated under the current standard in order to be listed as approved PTS devices.
The validation expiry dates are grouped as follows:
- Effective April 30, 2014
- Version 1 EPP
- Version 1 PED
- Effective April 30, 2017
- Version 1 UPT
- Version 2 EPP
- Version 2 PED
- Effective April 30, 2019
- Version 1 HSM devices
The PCI-DSS lists validated PTS devices with expired approvals along with the corresponding expiry date for reference.
What are the differences between PTS POI devices?
There are different types of PTS POI devices and validations that represent specific authorization methods to protect cardholder data and meet PCI-DSS requirements. These are listed under the Approval Class column in the PCI-SSC listing.
There are several types of Approval Classes which we will explore below.
Encrypting PIN Pad (EPP)
This technology uses strong encryption to protect data entered through a PIN Pad (including PIN data). This designates the solution as an embeddable device typically embedded into a consumer operated terminal. These devices are typically embedded within an ATM, kiosk, vending machine, or fuel pump solution.
PIN Entry Device (PED)
PIN Entry Devices (PEDs) accept PIN Entry and have the ability to process the PIN and send it to a host system. PEDs can be found in attended or unattended environments. PEDs must have an integrated display dedicated exclusively to PIN entry.
The primary purpose of devices with PIN-entry and PIN-processing ability, either attended or unattended, is to capture and convey the PIN to an ICC reader and/or to another processing device, such as a host system. A PED must have an integrated display unless dedicated to PIN entry only.
The PED standard has two distinct facets:
- Device characteristics: These attributes define the PED’s physical and logical characteristics. Focuses on the functional aspect of the device.
- Device management: Defines how the PED is to be produced, controlled, transported, stored, and used throughout its lifecycle. Chain of custody prior to delivery to the end user along with management of the device while in use can avoid unauthorized modifications to PTS POI devices.
Unattended Payment Terminal (UPT)
Unattended payment terminals (UPTs) are POS POI devices that allow initiation and processing of a transaction by a customer without assistance from the merchant. UPTs are complete terminals that merchants are able to use “as-is/off-the-shelf” to handle PIN-related transactions.
Common examples include automatic fuel dispensers, kiosks, car parking terminals, and ticketing/vending. EPP devices are integrated directly into the UPT devices to provide encryption at the PIN PA. UPTs are also required to integrate an OEM card reader, which is a self-contained secure chip reader or hybrid card reader.
Hardware Security Module (HSM)
A Hardware Security Module (HSM) is a device that protects digital keys/data and is used for PIN processing as well as cryptographic-key management.
The HSM must meet strict physical and logical security standards. Physical requirements include the following:
- Tamper detection and response
- Protection of sensitive data stored within the device
- Protection of cryptographic keys
- Resilience to changing operating conditions
Logical requirements include the following:
- Secure cryptographic key management
- Secure audit trail
- Strong authentication policy
- Resilience against unexpected commands and command sequences
- Resilience against abnormal operating modes
- Strong firmware management
Who requires guidance on approved PTS POI device expiration?
The use of approved PTS POI devices and understanding expiry dates is important for many stakeholders involved in credit card processing. These devices may be used by merchants, processors, financial institutions, payment card producers, third party services providers and independent software vendors. Merchants and end-users of these devices rely on these devices to provide security and trust that when sensitive data is entered it will not be exposed. Hackers and cyber criminals are actively looking to compromise this sensitive data for use in fraudulent transactions.
What are PCI-approved PTS POI devices?
PCI-approved PTS POI (PIN Transaction Security - Point of Interaction) devices are those devices that have received certification through a PCI-approved testing lab. The PCI Council urges the usage of approved PTS POI devices to assist in maintaining PCI compliance and protecting sensitive data. Merchants should work directly with their acquiring bank to determine requirements around the use of an approved PTS POI device. In addition to the list of approved devices that have not expired (linked above), the PCI-SSC also provides the legal conditions and restrictions regarding PCI PTS approval.
The Payment Card Industry Security Standards Council (PCI-SSC) sets forth many requirements necessary to safeguard sensitive cardholder data. Independent software vendors and their merchants should ensure they’re aware of approved PTS POI device expiry dates in order to maintain PCI compliance and meet the latest security standards. Contact us today to learn more about PCI compliance.