PCI PED

11/17/2008

PCI Compliance Basics: PIN Entry Device Security Standards

The Personal Identification Number (PIN) Entry Device security requirements, or PCI PED, are one of several industry-wide standards maintained and enforced by the Payment Card Industry Security Standards Council (PCI SSC). These requirements are designed to keep the cardholder's PIN secure while it is entered, encrypted and transmitted during a financial transaction. They apply to manufacturers of PIN pads and of terminals with internal PIN pads.

Criminal organizations are targeting PED terminals by installing "bugs" (skimming hardware) to collect credit and debit card data along with the PIN. The fraudsters either insert a bug into a device already in a retail store, or they obtain the same PED model the retailer uses, install a bug into it, and then swap the rigged PED for the retailer's device. The captured information is then either sent wirelessly to a nearby computer or collected when the criminals return to the store and swap the PEDs again. Newsnight, a current affairs and investigative program on the British Broadcasting Corporation (BBC), produced an informative clip, "Pin fraud", about this kind of PED fraud.

In order to be PCI PED compliant, manufacturers must submit their devices for testing by a PCI SSC-approved laboratory. The lab validates the following (summarized from the PCI SSC website):

Device Characteristics
1. Physical Security Characteristics (to deter physical attacks on the device itself, such as opening or probing it to recover PINs or cryptographic keys, and to make tampering evident)
2. Logical Security Characteristics (functional controls that keep the device from, for example, outputting a clear-text PIN or PIN-encryption key, and that ensure it operates as intended)

Device Management
1. Device Management during manufacturing
2. Device Management between manufacture and initial cryptographic key loading
In short, this part considers how the PED is produced, controlled, transported, stored and used throughout its life so that a device cannot be tampered with before it reaches the merchant.

The PCI SSC maintains a list of all approved PIN entry devices. Merchants should use only PEDs that appear on this list. Note that approval is granted for a specific model together with its hardware and firmware versions, so a merchant checking the list should match all three against the device in hand rather than the model name alone.

In the past, the PED Security Requirements had been overseen by JCB, MasterCard and Visa. PCI SSC took over authority in July 2007. For more information on the PED security requirements, visit the PCI SSC website.

10/28/2008

Payment Card Industry Standards - An Overview

In response to a growing number of data security breaches, the major payment card brands came together to form the Payment Card Industry Security Standards Council. Over the last few years, this council has developed a set of security requirements for all businesses that handle payment cards. They apply to merchants, as well as to developers of payment applications and manufacturers of devices used for payment card transactions.

The three major standards PCI SSC has developed are the Payment Card Industry Data Security Standard (PCI DSS), for merchants and processors; the Payment Application Data Security Standard (PA-DSS), for software developers and integrators; and the PIN Entry Device Security Requirements (PCI PED), for device manufacturers.

The goal of the PCI standards is to protect payment cardholder data. According to Privacy Rights Clearinghouse, a non-profit consumer information and advocacy group, over 245 million data records of U.S. residents have been exposed due to security breaches since January 2005. The largest data security compromise to date was made public in 2007: a single major retailer, TJX, was found responsible for the loss of approximately 96 million credit and debit card numbers.

The standards are reviewed on a regular basis to keep them current with present security concerns. The PCI SSC's participating organizations and board of advisors provide feedback during this review period. For instance, the first version of PCI DSS published by the Council (Version 1.1) was released in September 2006, and a revised version (Version 1.2) was released in October 2008.

The five payment card brands that founded the PCI SSC are American Express, Discover, JCB, MasterCard and Visa. Organizations in the industry (merchants, payment device and service vendors, processors, financial institutions and others) are eligible for PCI SSC membership as participating organizations. They influence the direction of the PCI standards through involvement in community meetings and advance review of draft standards and supporting materials.