PCI Council wants more robust security controls for payment devices

The PCI Council has updated its payment device standard to enable stronger protections for cardholder data, which includes the PIN and the cardholder data (on magnetic stripe or the chip of an EMV card) stored on the card or on a mobile device.

payment devices

Specifically, version 5.0 of the PCI PIN Transaction Security (PTS) Point-of-Interaction (POI) Modular Security Requirements emphasizes more robust security controls for payment devices to prevent physical tampering and the insertion of malware that can compromise card data during payment transactions.

The updates are designed to stay one step ahead of criminals who continue to develop new ways to steal credit and debit card data from cash machines, in-store and unattended terminals and mobile devices used for payment transactions. Payment devices that directly consume magnetic stripe information from customers remain a top target for data theft, according to the 2016 Data Breach Investigation Report from Verizon.

“Criminals constantly attempt to break security controls to find ways to exploit data. We continue to see innovative skimming devices and new attack methods that put cardholder data at risk for fraud,” said PCI Security Standards Council CTO Troy Leach. “Security must continue to evolve to defend against these threats. The newest PCI standard for payment devices recognizes this challenge by requiring protections against advancements in attack techniques.”

A summary of PCI PTS POI Modular Security Requirements version 5.0 updates are available here.

Vendors can begin using PCI PTS POI Modular Security Requirements version 5.0 now for payment device evaluations. Version 4.1 will retire in September 2017 for evaluations of new payment devices.

“With EMV chip the industry is improving protections against skimming and other attacks to reduce fraud,” added PCI Security Standards Council General Manager Stephen Orfei. “But no technology is bulletproof. In this ongoing battle against criminal attacks, we must continue to adapt the way we secure payments. With the latest PCI device standard, PCI is driving the evolution of global industry data security standards that protect payment transactions now and in the future.”