The purpose of this post is to give vendors a list of the security requirements against which their POS device setup will be evaluated in order to obtain Payment Card Industry (PCI) PIN Transaction Security (PTS) Point of Interaction (POI) device approval.
The requirements highlighted here are the minimum acceptable criteria for PCI acceptance. PCI defined them using a risk-reduction methodology that identifies the set of major risks associated with card-data transactions and weighs them against the acceptable cost of designing and manufacturing a POI solution.
These requirements therefore stem from a compromise between risk and cost. They do not eliminate the possibility of fraud; rather, they reduce its likelihood and limit the scope of the card-data theft that results from it.
The device's security domain comprises both its physical and its logical location. The logical location hosts the device and supports the communication platform over which POS devices exchange transaction data across a network; it must provide attributes that protect against malicious attempts to penetrate the firewall and gain access to data in the networked environment.
The physical security
The physical security characteristics are those that deter physical attack on the device, for example an attacker using physical access to the device to determine its key(s) or to defeat other security measures intended to protect the data. They also cover unauthorized manipulation of the POS terminal and access to the servers or any other component of the logical domain, where reconfiguration could compromise the device, its communications, or the data security of the POI solution.
The logical security
The logical security characteristics are those that define the functional capabilities limiting access to transaction information, so that the device does not allow a user to gain access to sensitive card data or to any information that would make card fraud possible. For example, allowing the device to output a clear-text PIN encryption key would compromise card security: decryption would become possible and the PIN could be extracted, defeating the card's PIN protection.
Many of the logical security requirements carry a minimum attack valuation, rated on the identification and initial exploitation of the device according to factors such as attack time and the expertise and equipment required; meeting them calls for good common sense and a sound understanding of network security. Given the evolution of attack techniques and technology, the Associations will periodically review these measures to ensure they remain appropriate.
Device management considers how the device is produced, controlled, transported, stored and used throughout its life cycle within the organization. If the device is not properly managed, unauthorized modifications might be made to its physical or logical security characteristics, giving a perpetrator what is needed to compromise the device and the information it contains.