Merchants who use credit card terminals that do not accept PIN transactions, or who incorporate mobile card readers at their businesses, can have those devices tested for the use of advanced encryption for data protection, the Payment Card Industry Security Standards Council announced Oct. 14.
The updates to the council’s PIN Transaction Security program enable any card-acceptance device to be tested and approved for eligibility to use advanced encryption, also known as point-to-point encryption, which uses algorithms to scramble the text of card data into an unreadable format.
The updated requirements are directed at manufacturers of terminals and card-readers to help them build a device so it may be validated, but current equipment can also be tested, a PCI executive says.
“Basically, we’ll be taking any piece of new hardware or existing hardware out there that (users) want to encrypt and be able to test it in our labs to assure it can accept encryption,” Bob Russo, general manager of the PCI Security Standards Council, tells PaymentsSource.
In addition, the requirements and testing now extend to the various methods of accessing credit card data through mobile devices, Russo says.
Merchants using magnetic-stripe readers or card-reader plug-ins will be able to ensure that these types of secure card readers have been tested and approved to encrypt data before it reaches a mobile phone or tablet (such as an iPad), thus reducing the scope of their PCI compliance, Russo adds.
The requirement updates resulted from feedback gathered at the recent PCI Security Standards Council community meeting in Arizona, where a key topic was the council’s newest advanced encryption requirements, Russo says.
The latest version of the PIN Transaction Security program builds on the Secure Reading and Exchange of Data module created to ensure secure encryption at the point where card data enters a payment terminal, a council press release stated.
Device-testing occurs at any of seven PCI labs located in Europe, Asia and North America. If a new device from a manufacturer fails the test, it likely could be remedied with a software fix, but an older device that fails may require the merchant to consider adopting newer hardware if software cannot enable the upgrade, Russo explains.
Any piece of hardware that a manufacturer or merchant wants to encrypt, or any card-reader piece added on to a device, such as Square Inc.’s Square Card Reader that attaches to a mobile phone, would be eligible for testing, Russo says.
The updated PIN Transaction Security program requirements and a list of approved devices are available on the PCI council’s website for merchants to review, Russo says.