Ready to achieve PCI PTS POI 7.0 evaluation?
The PCI Security Standards Council has recently released a major update of its PTS security requirements, version 7.0.
Payment terminal vendors must submit their products to the appropriate security evaluation to guarantee that they meet the level of security required to protect sensitive cardholder data and other transaction data.

Here are our experts' tips to optimize your preparation for a successful evaluation of your product against the PCI PTS POI standard.
Optimize the scope of evaluation
Clearly define the scope of your evaluation according to the components of your device. The modular approach of the PCI PTS evaluation process takes into account the diversity of terminal integrations, configurations and security architectures, giving vendors more flexibility to evaluate the security mechanisms embedded in their payment solutions.
Study PCI PTS Documentation
To better align the security mechanisms embedded in your payment terminal with the expectations of the PCI standard, carefully study the documents related to the POI Security Requirements. They provide a clear understanding of the core modules and the primary objectives of all the security measures to be implemented to effectively protect sensitive data.
The POI Security Requirements is the standard document, serving as a reference to build your security architecture and mechanisms according to your device configuration. It shall be sent to the laboratory and must provide detailed information about hardware and software components, PIN support, PIN encryption method, and other functions present in the reader.
The Derived Testing Security Requirements describes how security tests shall be performed during evaluation. It also provides guidance on how to properly integrate the security measures expected for each requirement. This document must be read at the earliest stage of your product development.
Make sure to also take into account the updated technical FAQs to ensure full compliance before applying for official testing sessions at an accredited laboratory.
Align with PCI PTS Modules
The security requirements are divided into 4 domains or modules, covering different parts of the overall terminal security mechanisms. According to the type and functionalities of the device, the vendor will focus on the appropriate modules to optimize the certification process.
- Physical and logical security: defines the core digital and physical requirements of a PIN acceptance device
- POS terminal integration: ensures that the integration of previously approved components does not weaken the overall security
- Communications and interfaces: checks that the connection to a public network does not open security weaknesses or introduce vulnerabilities in the device itself
- Life cycle security: establishes a chain of trust from the design and development stages through to the manufacturing process and initial key loading
Engage with a lab
Any POI device shall have received an EMV Level 1 LoA before being submitted to the PCI PTS POI evaluation. When your product is ready for evaluation, contact an accredited laboratory. You must send all the required documentation such as the PTS POI Security Requirements, security policy and other technical documents providing information about the security architecture and mechanisms of the device.
After completion of the evaluation, which is composed of a documentation review and physical testing of all hardware parts, the laboratory will send the evaluation report to PCI SSC for review.
Make sure to sign the Vendor Release Agreement, which is mandatory for enabling the laboratory to send the report directly to PCI.
Do not miss the periodic checks
As part of the PCI PTS evaluation rules, you must perform several checks during the overall lifecycle of a certified product. These delta evaluations, performed periodically, are intended to validate the efficiency and compliance of your product with the current PCI PTS program guide.
There are 2 periodic checks to perform:
- AOV, the PTS Attestation of Validation, to confirm adherence to the PCI program guide: annual
- POI firmware assessment: to be done every 3 years when firmware validity expires. It is only mandatory for POI devices.
From 6.2 to 7.0
The PCI PTS POI Security Requirements have recently been updated, and version 7.0 of all POI evaluation documents is now available on the PCI SSC website.
As of now, payment terminal vendors can choose to submit their product for evaluation against either the latest version of the security requirements or version 6.2. The 2 versions will overlap until June 2026. After that, all new products submitted to PCI PTS POI evaluation will have to comply with POI 7.0.