PCI SSC Releases New Standard to Secure Devices
A new update to PCI requirements is designed to keep pace with the evolving financial threat environment.
The organization that manages the security of credit cards and helps defend against data security breaches has updated its standard for device security, something that should result in cardholder data being better protected.
The PCI Security Standards Council (PCI SSC), a group originally formed by the credit card companies American Express, JCB International, Discover, MasterCard, and Visa to develop the Payment Card Industry Data Security Standard, this week rolled out a new version of the PCI PIN Transaction Security Point-of-Interaction Modular Security Requirements.
While a mouthful (it is often just referred to as the PCI PIN PTS POI approval framework), the framework is a set of requirements for both online and offline PIN entry devices and secure card readers that protect PINs and cardholder data and limit the likelihood of fraud.
The latest version of the framework, Version 6.0 (.PDF), is intended to prevent tampering with devices and the insertion of malware that could compromise credit card data during transactions.
The latest version, the first since version 5.1, contains 27 changes in total.
Some of the changes include:
- Restructuring the modules into Physical and Logical, Integration, Communications and Interfaces, and Life Cycle, to reflect the diversity of devices supported under the standard and to apply requirements based on each device's individual characteristics and functionality.
- Limiting firmware approval timeframes to three years to help ensure ongoing protection against evolving vulnerabilities.
- Requiring devices that accept EMV-enabled cards to support Elliptic Curve Cryptography (ECC), to help facilitate the EMV migration to a more robust level of cryptography.
- Enhancing support for the acceptance of magnetic stripe cards in mobile payments using solutions that follow the Software-Based PIN Entry on COTS (SPoC) Standard.
Vendors can start using the requirements now (a list of PCI-approved PTS devices can be found here), but they have another year until the previous version, 5.1, is retired.