Look for more 'proactive' PCI in the future, working group member says

The PCI Security Standards Council today released a new streamlined version of its requirements for PIN transaction device vendors, rolling into one its specifications for POS PIN entry devices, encrypting PIN pads, and unattended payment terminals.

PTS Version 3.0 also adds modules for testing the secure reading and encryption of cardholder data, called Secure Reading and Exchange of Data (SRED); another called Open Protocols, which includes wireless; and one for the integration of components in point-of-sale PIN devices.

"This is a particularly timely topic because point-of-sale [devices] are the hot spot these days. There are breaches out there all the time," says Bob Russo, general manager for the PCI Standards Council, such as "people boldly walking into stores" and adding skimming devices to card readers in the checkout without being noticed. The goal is to simplify the security requirements process for payment equipment vendors and to provide merchants a simpler way to see a listing of PCI-compliant devices, he says.

But that won't necessarily stop criminals from outfitting these devices with skimmers, Russo notes. "Just because you buy a device that's PCI-compliant doesn't necessarily mean someone can't put a skimming [device] on it. You're always going to be on the lookout for skimming issues," he says, pointing to PCI's document about how to detect a skimming scam.

Meanwhile, the council is in the process of finishing the next version of the PCI Data Security Standards (DSS) for merchants that handle payment card data. The new PCI DSS, which is the first update to the standard in two years, is planned for release in late October.

Although the document is still in the works, Russo says it will provide "guidance" on end-to-end encryption of cardholder data as well as on tokenization technology and chip-and-PIN cards. "There is no one silver bullet out there," he says. "We're lining up these three [technologies] to make sure you're getting good guidance," but there will be no changes to the actual standard for these, he says.

Phil Cox, principal consultant with System Experts and a member of both the PCI virtualization special interest group and the scoping SIG, says to look for PCI to become more proactive. "PCI [traditionally] has been very reactive," Cox says. "The whole PCI life cycle and movement is going from reactive to trying to be more proactive."

But that won't be easy given PCI's long window of two years between updates, notes Joshua Corman, research director for the enterprise security practice at The 451 Group. Corman says the PCI Council recently indicated it might shift to a three-year release cycle: "One of the core problems with PCI is the rate of change for technology and threats is so much greater than the rate of change for the standards to adapt," he says.

Look for virtualization to be added to the new PCI DSS, System Experts' Cox says. The virtualization SIG has been debating whether to consider each virtual machine as its own system, he says. "The biggest question is, can you mix card data in one VM and have one that's not on the same physical hardware?" he says. "If you have a hypervisor, you have to consider each virtual machine on the server as a system."

Cox says the SIG is looking at having some specific architectures "approved" so that merchants can safely use virtualization in payment environments. "One of the things we worry about is one VM attacking the hypervisor to get to another [VM]," he says.

Many of the questions about virtualization in a PCI environment should be "hammered out" in October, Cox says. "People are using it [today], but it's really left up to their interpretation ... It's kind of a roll of the dice right now."

Encryption and tokenization also will be addressed in some form in the next PCI DSS, Cox says. But don't look for cloud computing among different companies to be addressed in the next version. "The multitenant issue of virtualization is going to take a little longer to address [in PCI,]" he says.

Meantime, the PCI Standards Council's Russo says the SRED technology -- a secure method of reading data once it has been entered into a POS device -- isn't a mandatory feature in the new PTS release. "But this is a very good [and] first step toward end-to-end encryption," he says.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.