PCI Security Standards Council bulletin on determination of PCI approval status for PTS devices
December 07, 2011
As noted in the PCI PIN Transaction Security (PTS) Device Testing and Approval Program Guide,
vendors may produce devices with the same model name/number in both PCI approved and non-approved
versions. This may occur for several reasons, including:
- Vendors manufacture and sell versions of these devices before making the changes required to
  achieve compliance with the PCI PTS requirements.
- Vendors may have customers who want capabilities (e.g., allowing the loading of single-component
  plaintext secret keys, or using the same key for multiple purposes such as both PIN and key
  encipherment) that are not allowed under the PCI PTS requirements.
- Vendors may obscure which version they are selling, marketing products that are cheaper to
  produce than the actual approved version as though they were the approved version.
Background
PCI requires that approved versions of devices show the hardware and firmware version numbers
exactly as they were approved and as they appear in the list of approved devices.
The hardware version number must be shown on a label attached to the device. The firmware
version number (including PTS-listed applications, if applicable), and optionally the hardware
version number, must be shown on the display or printed during startup or on request.
The fields that make up the version numbers may consist of a combination of fixed and variable
alphanumeric characters. A lower-case "x" is used by PCI to designate all variable fields. The "x"
represents fields in the version numbers that the vendor can change at any time to denote a
different device configuration. Examples include: country usage code, customer code,
communication interface, device color, language, etc.
The "x" fields have been assessed by the laboratory and PCI SSC as not affecting the
device's security requirements or the vendor's approval. To ensure that a payment security
device has been approved, acquiring customers or their designated agents are strongly advised to
purchase and deploy only those payment security devices whose Hardware and Firmware #s have
fixed alphanumeric characters that match exactly the Hardware and Firmware #s shown on
the PCI PTS Device Approval List.
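The matching rule above (fixed characters must agree exactly, lower-case "x" positions may vary) can be turned into a procurement check. The following is an added example, not part of the bulletin or any PCI SSC tool; the approval-list entry and the device readings are constructed, and it assumes each "x" stands for exactly one alphanumeric character position.

```python
import re

# Constructed approval-list entry for illustration only (not a real PCI PTS listing).
# Lower-case "x" marks the variable fields the vendor may change freely; every other
# character is fixed and must appear on the device exactly as listed.
APPROVED_ENTRY = {
    "model": "EXAMPLE-PED",
    "hardware": "PED-10xx",
    "firmware": "3.1.x",
}


def version_pattern(approved_version: str) -> re.Pattern:
    """Turn an approval-list version string into an anchored regex.

    Assumption (not stated in the bulletin): each lower-case "x" stands for exactly
    one alphanumeric character. Anything else, including an upper-case "X", digits
    and punctuation, is a fixed character and is matched case-sensitively.
    """
    pieces = [r"[0-9A-Za-z]" if ch == "x" else re.escape(ch) for ch in approved_version]
    return re.compile("".join(pieces))


def version_matches(displayed: str, approved_version: str) -> bool:
    """True only if every fixed character matches and the overall length agrees."""
    return version_pattern(approved_version).fullmatch(displayed.strip()) is not None


def check_device(hardware_label: str, firmware_display: str, entry: dict = APPROVED_ENTRY) -> dict:
    """Compare the hardware # from the label and the firmware # shown at startup
    against one approval-list entry. Both must match for the device to count as
    the approved version."""
    hw_ok = version_matches(hardware_label, entry["hardware"])
    fw_ok = version_matches(firmware_display, entry["firmware"])
    return {"model": entry["model"], "hardware_ok": hw_ok,
            "firmware_ok": fw_ok, "approved": hw_ok and fw_ok}


if __name__ == "__main__":
    # Constructed device readings: approved build; a fixed hardware character that
    # differs; a firmware string whose length does not agree with the listing.
    for hw, fw in [("PED-10A7", "3.1.4"), ("PED-11A7", "3.1.4"), ("PED-10A7", "3.10.4")]:
        print(hw, fw, check_device(hw, fw))
```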
For more information, please see the PCI PTS Device Testing and Approval Program Guide.
Action
To help ensure that entities deploying PTS devices deploy equipment that is the PCI
approved version and is compliant with applicable Payment Brand mandates, PCI recommends:
- Entities purchasing devices should purchase only devices that comply with the requirements for
  labeling and displaying the hardware and firmware/application versions as stipulated above.
  Furthermore, the version numbers must be in accordance with the version numbers listed on
  the PCI website for that specific device model name/number. Devices not meeting these
  conditions should not be considered the PCI approved product version.
- Vendors are issued approval letters for devices they submit for evaluation that receive PCI
  approval. However, for various reasons, including revocation of approval, the information on
  those letters may become inaccurate. Therefore the PCI website is considered the
  authoritative source and should always be used to validate the approval status of a vendor's
  product.
- Purchase orders for point-of-interaction PIN-acceptance devices must specify compliance with
  the applicable PCI Point of Interaction Security Requirements document.