
The Payment Card Industry Standards Council has added unattended payment
terminals and hardware-security modules to its testing program for PIN-entry
devices, the council announced last week.
PCI-approved labs already evaluate many unattended devices as well as those
attended by cashiers or sales clerks. But now PCI-approved laboratories will test
unattended terminals and hardware-security modules according to security
criteria designed specifically for those devices.
And the council will post lists of approved devices and provide related
training and documentation to testing labs, merchants and vendors.
Unattended payment terminals include automated fuel pumps, vending machines,
and self-service kiosks that accept credit and debit cards.
Merchant acquirers use cryptographic hardware-security modules, also called "host"
modules, to translate PINs, personalize cards, protect data and conduct electronic commerce.
Unattended payment terminals, particularly older models, are vulnerable to
data-security attacks, says Gartner Group analyst Avivah Litan. "A lot of gas
pump [terminals] are using very old technology that's subject to PIN attacks,"
says Litan, referring to methods thieves use to capture cardholder PINs from
PIN-entry devices.
However, changing unattended terminals on fuel pumps can prove difficult
because upgrades often require replacing entire pumps, not just the terminals,
Litan notes.





