LOUISVILLE, KY – The PCI Security Standards Council (PCI SSC) has published version 4.0 of the PIN Transaction Security Point of Interaction (PTS POI) requirements, ATM Marketplace reports.
The standards, when used with hardware security module requirements, enhance security for accepting and processing payment cards.
Key changes in version 4.0 include:
- Restructured open protocols module — helps ensure that POI devices do not have communication vulnerabilities;
- Enhanced interface testing and logical security requirements — ensures that no interface can be abused or used as an attack vector;
- Added source code reviews — enhances the robustness of the testing process; and
- Introduction of a vendor-provided security policy — facilitates implementation of an approved POI device in a manner consistent with the POI requirements.
"With 3.1 we introduced changes that would help facilitate the use of point-to-point encryption technology and open platforms, such as mobile phones, to accept payments," said Troy Leach, chief technology officer at PCI Security Standards Council. "Version 4.0 continues to build on this by addressing all interfaces that potentially grant access to data or resources in POI devices, in addition to the critical communications channels, such as RFID, wireless, cellular (e.g., GPRS, CDMA) and Bluetooth."
For now, vendors have the option of testing against version 3.1 or version 4.0. Beginning in May 2014, version 3.0 will no longer be available for new evaluations.