PCI Watch

Tracking changes across the Payment Card Industry
ℹ️
Reference Content: This is archived content from PCI Security Standards Council bulletins, preserved for tracking changes over time.
View Original →

PCI Security Standards Council bulletin on PTS Version 2 Devices Eligible to be Updated for SRED

PDF



PCI Security Standards Council bulletin on PTS Version 2 Devices Eligible to be
Updated for SRED

February 15, 2012

PCI PIN Transaction Security (PTS) Point of Interaction (POI) Security Requirements 3.1 added
two new approval classes that facilitate the deployment of P2PE technology in payment card
security efforts, building on the Secure Reading and Exchange of Data (SRED) module previously
introduced in version 3.0 to support the secure encryption of account data at the point of
interaction.

Many organizations and merchants, however, are still using version 2.0 (v2) approved devices,
which do not support the SRED module introduced in version 3.0 (v3).

As compliance with the SRED module is necessary to take advantage of the updated
requirements for deploying point-to-point encryption (P2PE), the Council is providing a twelve
month window for vendors to make the necessary hardware and/or firmware changes for
previously approved PTS v2 devices to meet the SRED module, and if applicable, the open
protocols module. As a delta evaluation, the v2 approved device may leverage requirements that
it previously met in v2 where those requirements parallel SRED requirements. For example, the
devices may utilize algorithms and key sizes allowed in v2 in lieu of those specified in SRED for
requirements in SRED that were previously addressed during the v2 evaluation. In a similar vein,
the v2 device may utilize v2 attack potential calculations for SRED requirements previously
addressed under v2.

This period runs from January 1, 2012 to December 31, 2012.

Interested vendors should determine which v2 approved devices in their product portfolios should
be enhanced for SRED, and in addition to SRED, if applicable, open protocols support .

This is the first time the Council has allowed devices approved under one major version of
requirements to be evaluated against requirements in another major version.

The existing approval expiration of April 2017 for version 2 devices continues intact.