Do you process, store or transmit credit card information? If yes, your company must adhere to PCI PED Security Requirements in order to maintain a secure environment and protect the cardholder.
Launched in 2006, standards continue to evolve to manage and improve payment account security throughout the transaction process. The standard is administered and managed by the PCI Security Standards Council (PCI SSC), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).
As experts in the Electronic Payment arena, POSDATA continually keeps abreast of the security standards and changes that affect the setup and distribution of the transaction terminals along with issues that apply to our reseller partners and their clients. POSDATA posts this information here as we receive it. For more information or for help with all your electronic payment needs, contact our electronic payment experts. You may also be interested in our Key Injection Services and our article on End to End Encryption.
WHITE PAPERS
Point-to-Point Encryption—Solution Requirements and Testing Procedures
Encryption, Decryption, and Key Management within Secure Cryptographic Devices
This document, Point-to-Point Encryption: Solution Requirements—Encryption, Decryption, and Key Management within Secure Cryptographic Devices, defines requirements for Point-to-Point Encryption (P2PE) solutions, with the goal of reducing the scope of PCI DSS assessment for merchants using such solutions. Its intended audience is vendors, assessors, and solution providers that may develop products for, implement or evaluate P2PE solutions, as well as merchants who want to understand more about P2PE solutions and PCI DSS scope.
► Download white paper
The Principles of PCI Compliance
Take the time to understand and learn to apply the requirements for locking down payment card data. The standard consists of a detailed set of security requirements that describe methods for storing, processing and transmitting sensitive cardholder information.
► Download white paper
Card Payments Roadmap in the United States: How Will EMV Impact the Future Payments Infrastructure?
A Smart Card Alliance Payments Council White Paper
► Download white paper
PCI Accepting Mobile Payments with a Smartphone or Tablet
This white paper from the PCI Security Standards Council discusses the expanding payment capabilities of mobile devices and solutions for maintaining data security throughout the payment lifecycle.
► Download white paper
PCI Security Standards Council Provides Guidance to Merchants on Mobile Payment Acceptance Security
This white paper from the PCI Security Standards Council provides a customized fact sheet offering tips for leveraging PCI Standards to accept mobile payment securely.
► Download white paper
PCI PED Considerations for New Purchase Decisions
This white paper from Hypercom outlines the decisions retailers must make when selecting new technology so that they reduce the risk of compromise and extend the potential serviceable life of the product selected today.
► Download white paper
FAQ’S
VISA’s General PED Frequently Asked Questions
Requirements, how to implement, definitions and explanations.
► Find answers to your questions (PDF)
PCI Approval Status for POS PED Terminals (Article provided by MasterCard Worldwide)
Abstract: MasterCard provides a useful table showing when a terminal can be sold, how long it can be used in the field and when it must be removed. Covers the expiry of the Pre-PCI, (VISA PED) approval.
► Download this PDF
PRESS RELEASES & ANNOUNCEMENTS
RSPA Appointed to the PCI Security Standards Council Board of Advisors
May 21, 2013: The Retail Solutions Providers Association has been appointed to the 2013-2015 PCI Security Standards Council Board.
► See Announcement
VeriFone Perspectives on EMV in the United States (2012)
PCI Security Standards Council Releases Version 3.0 of PTS Security Requirements
On May 12, 2010, the PCI Security Standards Council (PCI SSC) announced the publishing of version 3.0 of the PIN Transaction Security (PTS) Point of Interaction (POI) security requirements. Version 3.0 streamlines and simplifies testing and implementation by providing a single set of modular evaluation requirements for all Personal Identification Number (PIN) acceptance Point of Interaction terminals.
► Visit PCI SCC website for the updated standard and detailed listing of approved devices.
► Download PCI SSC press release (PDF)
Industry News Flash from VeriFone: Pin Pad Tampering
Abstract: VeriFone assures that none of its VISA PED or PCI PED (Payment Card Industry PIN Entry Device) approved terminals were part of the recent tampering stories and that solutions such as the VeriFone MX800 Series meet all current PCI PED Security Requirements, including tamper prevention and detection. VeriFone explains the process of tampering, describes current industry security requirements to prevent tampering, describes payment terminal security, and outlines the steps needed to improve PIN pad security.
► Download PDF
► Visit VeriFone website
VISA also provides security information on their website.
INFORMATION
PCI PIN Security Requirements Updated (Jan 29, 2015)
New PCI PIN Security Requirements. Official January 2015 announcement
► Download PDF
EMV Migration Forum
Visit GoChipCard.com for resources on chip cards and their use.
► Visit website
SecureState PCI Audits
SecureState is POSDATA’s top choice and partner when it comes to PCI audits.
► Visit website
Pre-PCI Terminals Must Be Replaced By December 31, 2014
Hundreds of Thousands of payment terminals still in circulation will expire December 31, 2014. Read the PDF for a list of the expiring devices.
► Download PDF
Visa Bulletin – Encrypting PIN Pads Must Be Industry-Approved
Visa reminds clients that they are required to purchase and deploy only PCI-approved EPPs, which undergo rigorous testing to ensure the highest level of security for cardholder PINs.
► Download PDF
Visa Updates the Compromised PIN Entry Device Listing and Reminds Members of Upcoming Mandatory Sunset Dates
Compromised point of sale (POS) PIN entry devices (PEDs) have been used in tampering and skimming attacks to capture PIN and magnetic stripe card data. Visa members must take action to mitigate the risks introduced by these compromised POS PEDs. This bulletin provides a list of the known compromised POS PED makes and models and skimming prevention best practices.
► Download PDF
Migrating From a Single DES Key to a Triple DES Key in a Triple DES-Capable Terminal
MasterCard is providing guidance about how merchants and acquirers should migrate from a Single Data Encryption Standard (Single DES) key to a Triple DES key in a Triple DES capable point-of-interaction (POI) terminal.
► Download PDF
Retirement of Pre-PCI Attended POS PIN Entry Devices
VISA provides retirement planning tools for your pre-PCI attended POS PIN entry devices, including:
- A table listing the three device categories and their associated sunset dates
- PED retirement planning best practices
- Links to related documents
► Download PDF
Note: In this bulletin, Visa announced a mandatory sunset date of 31 December 2014 for all pre-PCI attended POS PEDs. However, a newer bulletin, Visa Updates Compromised PIN Entry Device Listing and Reminds Members of Upcoming Mandatory Sunset Dates, recommends that certain devices should be replaced as soon as possible to prevent tampering.
PIN Entry Device Program Information Update
Several initiatives to improve PIN security and transaction protection are approaching a key deadline in July 2010. These include the adoption of Triple-DES (TDES) encryption requirements and point-of-sale PIN entry device (POS PED) hardware certification. This security standards compliance update shows the progression of the requirements, discusses Triple DES, and summarizes the POS PED categories and applicable dates.
► Download PDF
POS PIN Entry Device Vulnerabilities
Compromised point-of-sale (POS) PIN-entry devices (PEDs) equipped with tapping mechanisms designed to capture PIN and card data have recently been found in the U.S. marketplace. Visa clients must take action to mitigate the risks introduced by these compromised POS PEDs.
► Download PDF
Differences Between PCI-PED 2.0 and 2.1
There are no functional differences or new requirements between PCI-PED 2.0 and 2.1, as shown in the table below.
► View current PCI 2.x security requirements (source of the table below).
|
DATE
|
VERSION
|
DESCRIPTION
|
|---|---|---|
|
9/2006
|
2.x
|
Draft published for comment
|
|
11/2006
|
2.x
|
Formatting changes
|
|
4/2007
|
2.x
|
A1, A7, A11, B1, B4, B11, B13, D1, D4
|
|
7/2007
|
2.0
|
PCI Security Standards Council adoption of PED requirements
|
|
1/2009
|
2.1
|
Clarifications and errata
|
Visa TDES Seminar Recap
In early September 2009, Visa held a webinar about TDES compliance and Visa best practices.
► Download webinar presentation Please pay particular note to pages 11-17.
PCI DSS Wireless Guidelines
This document provides the first highly specific, actionable wireless operational guide for complying with PCI DSS, including:
- Generally applicable wireless requirements: These are requirements that all organizations should have in place to protect their networks from attacks via rogue or unknown wireless access points (APs) and clients.
- Requirements applicable for in-scope wireless networks: These are requirements that all organizations that transmit payment card information over wireless technology should have in place to protect those systems.
PIN Pad Security Best Practices
Abstract: Due to repeated targeting of pre-PED PIN Pads and Payment Terminals, VeriFone has developed PIN Pad Security Best Practices. These best practices first, enable a retailer to determine if any existing terminals have been tampered with, and second, make tampering much more difficult by implementing a comprehensive set of security controls to prevent tampering and more quickly become aware if tampering has occurred.
► View PIN Pad Security Best Practices
Additional information can be found on VeriFone’s Retail Payment Security website.