Payment Card Industry – PIN Transaction Security (PCI-PTS)
PCI-PTS was specifically designed to protect consumer PIN data from theft. It is also intended to enforce hardware security of devices that accept consumer PINs and house secret encryption keys of the acquirer, including how the PIN Entry Device (PED) is produced, controlled, transported, stored and used throughout its life cycle.
The card brands mandated that, as of December 31, 2007, acquirers and merchants only deploy PCI-PTS approved devices. Furthermore, Visa set July 1, 2010, as the date by which unapproved devices must be removed from service.
There are two different parts to the Visa PCI-PTS mandate which are merchant-focused. They include:
- All never approved payment devices on which PIN debit transactions are conducted must be removed from service. This includes any device that is neither VISA PTS or PCI PTS approved.
- All debit card PINs must be encrypted in TDES from the payment device
View a full list of PCI-PTS approved devices.
PCI-PTS and Merchant Options
It may be possible for an existing PED terminal to be updated to meet PCI-PTS requirements, however your Merchant Acquirer will need to confirm this and the purchase of additional equipment may be necessary.
If you are a Sage Payment Solutions merchant, you should have received a link to the Merchant Validation Portal Wizard which contains a PCI-PTS component. By answering questions related to your terminal device(s), we should be able to determine whether you are using a PCI-PTS approved device(s); if so, whether the devices must be replaced or can be updated; and/or, whether the device(s) you are using are even subject to PCI-PTS validation.
