Additional payment devices to strengthen cardholder data security

The PCI Security Standards Council announces the addition of two new payment industry device types to the PED program to strengthen cardholder data security. Unattended payment terminals (UPTs) and hardware security modules (HSMs) can now undergo a rigorous testing and approval program to ensure they comply with industry standards for securing sensitive payment card data at any point in the transaction process. The Council will also maintain the list of approved UPTs and HSMs, provide documentation and training for labs evaluating these devices and be a single source of information for device vendors and their customers.

The PED Security Requirements are designed to ensure the security of personal identification number (PIN)-based transactions globally and apply to devices that accept PIN entry. Until now, the requirements focused on traditional point-of-sale devices that operate in an environment that is attended by a merchant, cashier, or sales clerk. UPTs are unattended payment devices that include self-service ticketing machines, kiosks, automated fuel pumps and vending machines. Vendors have been manufacturing the encrypted PIN pads (EPPs) that go into UPTs and having them evaluated by approved labs, and the payment card brands have been requiring the use of PCI SSC-approved EPPs.

HSMs are secure cryptographic devices that can be used for PIN translation, card personalization, electronic commerce or data protection and do not include any type of cardholder interface. The addition of UPTs and HSMs into the PCI SSC security testing requirements enables the Council to provide testing laboratories with a streamlined evaluation process for achieving compliance of these cryptographic devices.

Manufacturers of UPTs and HSMs are encouraged to join the Council as a Participating Organization. Those that join will have the opportunity to review and provide feedback on the draft requirements and process for testing and certifying that UPT and HSM devices are safe and secure. The Council will issue a final set of requirements and documentation by the end of 2008.



