Protecting cardholder data continues to top the list of concerns faced—and voiced—by all types of businesses that accept credit and debit card payments. So we’re not surprised that the PCI Security Standards Council (PCI SSC)—which leads a global, cross-industry effort to increase payment security through a variety of standards and programs—has updated its standard for payment devices in a move to enable stronger protections for cardholder data.
The update comes in the form of another iteration of the PCI PIN Transaction Security (PTS) Point-of-Interaction (POI) Modular Security Requirements. Known as PCI PIN Transaction Security (PTS) Point-of-Interaction (POI) Modular Security Requirements v6.0 (PTS POI Version 6.0), the new version enhances security controls to defend against two growing threats to cardholder data: physical tampering with point-of-sale devices, and the insertion of malware that can compromise data while a payment transaction is being processed.
According to the PCI SSC, PTS POI Version 6.0 was established specifically with these objectives in mind:
- Protecting cardholders’ personal identification numbers (PINs).
- Safeguarding cardholder data stored in the magnetic stripe on magnetic stripe cards and on the chip embedded into chip-enabled cards.
- Safeguarding cardholder data used in conjunction with a mobile device.
Reorganized requirements found in PTS POI Version 6.0, and changes to it, include:
- A new limit for firmware approval. Under the revised standard, a firmware approval is valid for three years. The shorter window is intended to keep protection current by requiring firmware to be re-evaluated as new vulnerabilities emerge.
- Restructured modules. Under the umbrella of PTS POI Version 6.0, the modules have been reorganized into four categories: physical and logical security, integration, communications and interfaces, and lifecycle. This change was made to reflect the diversity of payment devices covered by the standard and the individual characteristics and functions of those devices.
- Cryptography support requirements. The standard now calls for devices that accept EMV-enabled cards to support Elliptic Curve Cryptography (ECC). ECC is a family of public-key algorithms that delivers security comparable to RSA with much shorter keys, which makes it well suited to the constrained processors and limited storage of payment devices.
- Enhanced support for secure mobile payments made with magnetic stripe cards. The revised standard calls for this support to be delivered by solutions that follow the Software-Based PIN Entry on COTS (SPoC) Standard.
Solutions vendors can already begin using the PCI PTS POI Modular Security Requirements Version 6.0 as they evaluate payment devices. Version 5.1 will be retired in June 2021; vendors will no longer be able to use it in their evaluations after that date. A list of PCI-approved PTS devices tested against the PCI PTS POI Modular Security Requirements is available on the PCI Council website. Businesses can use the list to choose equipment that has been verified as passing the evaluation, which helps ensure that their customers' cardholder information is protected in accordance with PCI standards.
E-Complish supports upholding any data security standards set by the PCI SSC. We work diligently to ensure that our own payment solutions remain in compliance with the Payment Card Industry Data Security Standard (PCI DSS) and to assist our customers with their own compliance endeavors. Learn more here.