PCI Security Standards Council adds two new devices to PED program

The PED Security Requirements are designed to ensure the security of PIN-based transactions globally and apply to devices that accept PIN entry. Until now, the requirements focused on traditional point-of-sale devices that operate in an environment that is attended by a merchant, cashier or sales clerk. UPTs are unattended payment devices that include self-service ticketing machines, kiosks, automated fuel pumps and vending machines. Vendors have been manufacturing and having the encrypting PIN pads (EPPs) that go into UPTs evaluated by approved labs, and the payment card brands have been requiring the use of PCI SSC approved EPPs. Having new and overarching UPT testing requirements will further protect the payment card industry participants.

 

HSMs are secure cryptographic devices that can be used for PIN translation, card personalization, electronic commerce or data protection and do not include any type of cardholder interface. The addition of UPTs and HSMs into the PCI SSC security testing requirements enables the Council to provide testing laboratories with a streamlined evaluation process for achieving compliance of these cryptographic devices. "PIN entry devices go well beyond the typical POS terminals we are all familiar with and we are continually expanding into more and more areas," said Bob Russo, general manager of the PCI Security Standards Council. "Any device that processes personal identification numbers is an important link in the transaction chain. By including both UPTs and HSMs in the PED Security Requirements, the Council is reaffirming its commitment to developing additional standards to meet the needs of the industry and to ensure continued safety and security for consumers."