CHAPTER 13: PIN TRANSACTION SECURITY (PTS)

 

The PCI SSC also has compliance requirements for PIN entry (PIN pad and point-of-sale) devices that are used in conjunction with payment cards in environments attended by a cashier, merchant or sales clerk, or those that are unattended, such as garage forecourts. There is a testing and approval guide,[1] together with detailed vendor guidance on how to gain approval. All of this information is available at www.pcisecuritystandards.org/security_standards/documents.php?association=PTS.

The PIN Security Requirements document contains a complete set of requirements for the secure management, processing and transmission of personal identification number (PIN) data during online and offline payment card transaction processing at ATMs, and attended and unattended point-of-sale (POS) terminals.

The PIN Transaction Security programme includes unattended payment terminals (UPTs) and hardware security modules (HSMs), so that these devices can be rigorously tested to ensure they secure cardholder data in a payment process. UPTs include self-service ticketing machines, kiosks, automated fuel pumps and vending machines. HSMs are secure cryptographic devices that can be used for PIN translation, card personalisation, electronic commerce or data protection and do not include any type of cardholder interface. The PCI SSC maintains a list of approved UPTs and HSMs.

 

[1] www.pcisecuritystandards.org/documents/PTS_Program_Guide_v1-3_Sept2013.pdf
