Brian Pennington

A blog about Cyber Security & Compliance

PCI Security Standards Council invites payments community to input on PIN Transaction Security

The PCI Security Standards Council (PCI SSC) has announced the launch of a 30-day period to solicit feedback from PCI Participating Organizations on the next version of the PCI Hardware Security Module (HSM) security requirements.

Hardware security modules (HSM) are non-cardholder-facing devices used in connection with the protection of sensitive data, such as cardholder data (e.g. PINs), and the cryptographic keys that protect or authenticate that information. For example, HSMs are used with PIN translation, payment card personalization, data protection and e-commerce. Requirements for testing and approving these devices fall under the PCI PIN Transaction Security (PTS) program, which also tests and validates Point of Interaction (POI) devices to ensure they comply with industry standards for securing sensitive data.

The PCI SSC has made a number of modifications to version 1.0 aimed at providing greater alignment between the PCI Hardware Security Module (HSM) security requirements and those introduced with version 3 of the PTS Point of Interaction (POI) security requirements.

The Council requests input from Participating Organizations on these changes. All feedback will be reviewed and considered in finalizing the revised requirements for publication in the spring. Organizations should submit feedback using the online tool here by March 09, 2012.

“Because the Council is comprised of organizations ranging from merchants to acquirers to processors we have a unique opportunity to create standards based on feedback from across the payments spectrum. We rely heavily on active participation by our members. This industry feedback and expertise is critical to our mission and our business,” said Bob Russo, general manager, PCI Security Standards Council. “I would like to encourage each organization to take the time to provide us with input during this period.”

PCI Security Standards Council adds PCI PIN Security requirements to PTS standard

The PCI Security Standards Council (PCI SSC) has announced that the Council is expanding the PTS standards to encompass the PCI PIN Security Requirements, formerly administered by Visa and MasterCard, to provide organizations with one set of criteria for the protection of PIN data.

After officially taking over management of the requirements earlier this year, the PCI SSC solicited feedback from the PCI community to make updates to the standard. Today’s release contains a complete set of requirements for the secure management, processing and transmission of personal identification number (PIN) data at ATMs, and at attended and unattended point-of-sale (POS) terminals. The PIN Security Requirements will be included in the current PTS security requirements.

The updated PTS program requirements and detailed listing of approved devices are available on the Council’s website here.

“Point of sale continues to be a security hotspot as criminals are using more advanced techniques to steal PIN and cardholder data,” said Bob Russo, general manager of the PCI Security Standards Council. “The requirements are specifically geared toward protecting not just the devices that accept PINs but also the people and processes surrounding them.”

The PCI PIN Security Requirements provide one set of criteria for the protection of personal identification number (PIN) data. For merchants, examples of common vulnerabilities leading to PIN theft that the requirements address include:

  • PINs that are not protected by a secure PIN block
  • Failure to use approved cryptographic devices for PIN processing
  • Cryptographic keys that are non-random, not unique, and never change
  • Few, if any, documented PIN-protection procedures
  • Audit trails or logs that are not maintained

“With this addition to the PTS requirements, we hope to strengthen POS security at merchants around the globe,” noted Russo.

The Council will also host a Webinar for Participating Organizations and the public outlining the newest updates to the PIN Transaction Security program, including the PIN Security Requirements, followed by a live Q&A session.

Register for the November 8 session here.

Register for the November 10 session here.
