PCI Security Council updates requirements for payment card devices

Rules would bolster security on retail point-of-sale and unattended payment terminals.

The council that administers the Payment Card Industry Data Security Standard today released new requirements that vendors of payment card devices will be expected to incorporate into their products going forward.

The new requirements are in the latest version of the council's PIN Transaction Security (PTS) requirements and are designed to bolster security on retail point-of-sale card readers and unattended kiosks and payment terminals, such as those found at airports and gas stations.

Version 3.0 of the PCI council's PTS includes three new modules for device vendors and their customers to secure sensitive card data. One of the modules contains requirements pertaining to the secure reading and exchange of data on payment card devices. The requirements would enable the secure reading and encryption of sensitive cardholder data at the point where a credit or debit card is swiped.

A second module spells out the security standards that device vendors will be expected to follow while integrating all of the different components that make up an unattended point-of-sale device that accepts PIN-based debit card transactions. The third module, called Open Protocols, contains a set of new requirements related to wireless-enabled payment card devices.

The new version of PTS also consolidates what used to be three separate sets of requirements for point-of-sale PIN entry devices, unattended payment terminals and encrypting PIN pads. The consolidation is supposed to make it easier for device vendors to implement the requirements and eliminates some of the overlap from having three separate sets of requirements, said Bob Russo, general manager of the PCI Security Standards Council.

The council's PTS standard provides payment device vendors with a set of guidelines for ensuring the security of cardholder data on payment devices. Version 2.0 of the standard will be retired in 2011, by which time vendors will be expected to start implementing the requirements contained in Version 3.0.

The council was set up by Visa, MasterCard, American Express and other credit card companies and is responsible for developing security standards for the payment card industry. Each credit card company, however, is responsible for setting implementation deadlines and enforcing compliance with the requirements.

The PTS standards apply only to payment card devices. The council has a similar but separate set of standards for merchants and payment processors and one for developers of payment applications. The council is set to announce new versions of both those standards later this year.

The updated PTS standards come amid growing concerns about the security of payment card devices.

"Point-of-sale terminals are currently the security hot spot these days" in the payment industry, Russo said. There's increasing concern about fraud and data theft resulting from the use of illegal card skimmers attached to payment card devices and from the theft and modification of such devices, he said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com.

Copyright © 2010 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon