PCI SSC publishes updates to standard for device security and point-to-point encryption standard

The PCI Security Standards Council (PCI SSC) has published updates to two of its eight security standards.

PIN Transaction Security Point of Interaction Modular Security Requirements

The PCI SSC has announced in a news release that a new version of the PIN Transaction Security (PTS) Point of Interaction (POI) Modular Security Requirements for POI device manufacturers has been published. The standard ensures that businesses can accept credit cards securely and provide stronger protections to their customers.

Key changes include:

  • The addition of a new “Core Module” section that applies to all POI device types and addresses the configuration and maintenance procedures relevant to the security of POI devices.
  • The addition of testing requirements to reflect that PTS evaluation laboratories will begin validating vendor documentation of vendor policies and procedures for compliance with the device management security requirements. These pertain to device management during manufacture and up until initial key loading or deployment, after which other PCI requirements such as PIN security and P2PE provide coverage.

PCI Point-to-Point Encryption Solution Requirements and Testing Procedures

The PCI SSC has also published an update to its PCI Point-to-Point Encryption Solution Requirements and Testing Procedures, simplifying the development and use of point-to-point encryption (P2PE) solutions that make payment card data unreadable and less valuable to criminals if stolen in a breach.

The news release accompanying the announcement states that version 2.0 of the standard “provides more flexibility to solution providers and to companies that provide P2PE components, services that fulfill specific P2PE requirements and can be integrated into P2PE solutions”.

Other major changes include:

  • The PCI SSC will now list validated P2PE components, making it easier for a solution provider to create a solution for their merchant customers.
  • Merchants acting as solution providers can implement and manage their own P2PE solutions for their own point-of-sale (POS) locations.

The news release states that with P2PE v2, “merchants have even more options for reducing risk and protecting customer data using encryption. They can manage their own P2PE solutions for their point-of-sale locations, securely separating duties, systems, and functions between merchant encryption (in their retail locations) and decryption environments; or, they can work with a solution provider that will manage a PCI P2PE solution to meet their business needs”.

PCI Data Security Standard

As of 1 July, the current version of the PCI Data Security Standard (PCI DSS) is v3.1, meaning that all PCI DSS validations after this date must be against PCI DSS v3.1.

When PCI DSS v3.0 was published in late 2013, Requirements 6.5.10, 8.5.1, 9.9, 11.3 and 12.9 were noted as “best practices” until 30 June 2015. All of these “best practices” are now requirements as of 1 July 2015.

Help with PCI DSS compliance

We advise organisations that need to comply with the PCI DSS to work with their PCI DSS consultancy provider to ensure they have fulfilled the PCI DSS v3.1 requirements.

As a PCI Qualified Security Assessor (QSA), IT Governance can help your organisation achieve and maintain compliance with the PCI DSS. Click here for more information on our PCI consultancy service.

Alternatively, email servicecentre@itgovernance.co.uk or call us on 0845 070 1750 to discuss your requirements.