Crossbow Labs

Crossbow Labs Logo

QSA Chronicles – PCI-PTS vs PCI-DSS

It all goes really well when the assessment begins with the Issuing Section. You never seem to lose interest watching the Maticas churning away the fresh new cards, so much so that I take a moment to quietly awe at how these card printers control a considerable chunk of the world economics. You return back to the hotel thinking the day was good to begin with.

Then comes the best part of the project. The acquiring saections usually love to speak about the ATM and POS machines. If you have been in the audit you will know the evil twins of the PCI-DSS Standard, the PCI-PTS and PCI-PIN family of standards begin their play.

PCI-PTS : Hey, are these ATM’s and POS terminals owned by the bank.

QSA : Uh!! Yeah. We know where this is going.

PCI-PTS : Ok. So are the EPP on these devices PCI-PTS certified.

Acquiring Team : Where does the PCI-DSS state that the devices should be PCI-PTS certified.

QSA : Welcome to the world.

As a QSA you do know that the whole purpose of the PCI-DSS is defunct if the Electronic PIN Pads (EPP) are not certified as PCI-PTS compliant. Oh! and then there are the EMV L1 and L2 certifications, if you are acquiring EMV cards.

This spate of doubt comes during all the PCI-DSS assessments where you would know that the security architecture, the PCI-DSS is trying to build will not be met if the devices themselves are not secure. The biggest question is –

“How soon should a bank accredit all its ATM’s and POS terminals, PCI-PTS compliant.”

Guided by the book, there is no requirement for your POI (Point Of Interaction) devices, to be PCI-PTS certified if you are looking to implement only PCI-DSS. However in popular lingo it is good to have the PCI-PTS as well. Now this is compliance.

If you however, need security, you might want to begin the PCI-PTS compliance of all devices which are in use. You could adopt a phased approach to update all the devices on a continuous basis. As an acquiring bank you would have to instruct your POS and ATM vendors to have their devices certified. Yes this will not have an impact on the PCI-DSS certification process. Merchants also need to ensure that the acquirers issue devices which are PCI-PTS compliant.

Key pointers during upgrade of POI devices

  • Ensure that all the new POS terminals procured newly are PCI-PTS compliant
  • Reassign your POS terminals to the merchants based on their risk exposures and past records
  • Assess the EPP stratum on all the ATM devices and the POS terminals.
  • Sensitize the local teams administering these devices for identifying the physical anomalies

PCI-PTS will help in ensuring the removal of all the SAD you might find in residual logs and debug traces in your banking applications. It compliments your PCI-DSS implementation in a very candid way. In my opinion these standards compliment each other in all aspects and it will only be wise to implement both. Like we always harp, security transcends compliance.