PCI Council Provides For Encryption Testing Of Devices

Merchants that use credit card terminals that do not accept PIN transactions, or that use mobile card readers, can now have those devices tested for support of advanced encryption to protect card data, says the Payment Card Industry Security Standards Council.

The updates to the council’s PIN Transaction Security program allow any card-acceptance device to be tested and approved as eligible to use advanced encryption, also known as point-to-point encryption: card data is encrypted with cryptographic algorithms at the point where it is read, so that it remains unreadable as it passes through downstream systems.

The updated requirements are directed toward manufacturers of terminals and card-readers to help them build a device so it may be validated, but current equipment can also be tested, a PCI executive says.

“Basically, we’ll be taking any piece of new hardware or existing hardware out there that (users) want to encrypt and be able to test it in our labs to assure it can accept encryption,” Bob Russo, general manager of the PCI Security Standards Council, tells ISO&Agent Weekly.

In addition, the requirements and testing now extend to the various methods of accessing credit card data through mobile devices, Russo says.

Merchants using magnetic-stripe readers or plug-in card readers will be able to verify that those readers have been tested and approved to encrypt card data before it reaches a mobile phone or tablet (such as an iPad). Because the phone or tablet then never handles cleartext card data, this reduces the scope of the merchant’s PCI compliance, Russo adds.

The requirement updates resulted from feedback gathered at the recent PCI Security Standards Council community meeting in Arizona, where a key topic was the council’s newest advanced encryption requirements, Russo says.

The latest version of the PIN Transaction Security program builds on the Secure Reading and Exchange of Data (SRED) module, which was created to ensure that card data is securely encrypted at the point where it enters a payment terminal, a council press release stated.

Device testing occurs at any of seven PCI labs located in Europe, Asia and North America. If a new device from a manufacturer fails the test, the problem can likely be remedied with a software fix; if an older device fails and software cannot bring it into compliance, the merchant may have to consider adopting newer hardware, Russo says.

Any piece of hardware that a manufacturer or merchant wants to encrypt, or any card-reader piece added on to a device, such as Square Inc.’s Square Card Reader that attaches to a mobile phone, would be eligible for testing, Russo says.

The updated PIN Transaction Security program requirements and a list of approved devices are available on the PCI council’s website for merchants to review, Russo says.
