Document Comparison
PCI_PTS_POI_SRs_v6-1.pdf → PCI_PTS_POI_SRs_v6.2.pdf
98% similar
Pages: 55 → 55
Words: 16349 → 16451
16 content changes. 53 administrative changes (dates, page numbers) hidden.
Added
p. 7
Note: ASC X9 TR 31: Interoperable Secure Key Exchange Key Block Specification has been classified as ‘historical’ by ANSI and X9.143 Retail Financial Services: Interoperable Secure Key Block Specification is the newer version. All references to TR-31 are updated to X9.143.
Added
p. 22
Note: Regardless of integration, both enciphered and clear-text PINs must be provided for.
Modified
p. 1
Payment Card Industry (PCI) PIN Transaction Security (PTS) Point of Interaction (POI) Modular Security Requirements Version 6.1
Payment Card Industry (PCI) PIN Transaction Security (PTS) Point of Interaction (POI) Modular Security Requirements Version 6.2
Modified
p. 2
January 2023 6.2 Modified B26, ANSI reference change Note to Assessors When protecting this document for use as a form, leave Section 5 (Device Photos) unprotected to allow for insertion of a device or component photos. Under “Tools / Protect Document,” select “Forms” then “Sections,” and un-check Section 5 as illustrated below.
Modified
p. 9
* Fields marked with an asterisk (*) will be used in the PCI SSC Approved PIN Transaction Security Devices Approval List. A See “Optional Use of Variables in the Identifier,” page 8.
* Fields marked with an asterisk (*) will be used in the PCI SSC Approved PIN Transaction Security Devices Approval List.
Modified
p. 18
The ICC reader is constructed so that wires running out of the slot of the IC reader to a recorder or a transmitter (an external bug) can be observed by the cardholder.
The ICC reader is constructed so that wires running out of the slot of the IC reader to a recorder or transmitter (an external bug) can be observed by the cardholder.
Modified
p. 21
B16.2 The vendor must provide clear security guidance consistent with D1 and B4 to all application developers to ensure:
B16.2 The vendor must provide clear security guidance consistent with D2 and B4 to all application developers to ensure:
Modified
p. 22
B21 PIN protection during transmission between the device encrypting the PIN and the ICC reader (at least two must apply):
B21 PIN protection during transmission between the device encrypting the PIN and the ICC reader.
Modified
p. 22
If the device encrypting the PIN and the ICC reader are not integrated into the same secure module, and the cardholder verification method is determined to be:
If the PIN entry device and the ICC reader are not integrated into the same secure module, and the cardholder verification method⎯i.e., required by the IC card⎯is determined to be:
Modified
p. 22
If the device encrypting the PIN and the ICC reader are integrated into the same secure module, and the cardholder verification method is determined to be:
If the PIN entry device and the ICC reader are integrated into the same secure module, and the cardholder verification method is determined to be:
Modified
p. 22
• A clear-text PIN, then encipherment is not required if the PIN block is transmitted wholly through a protected environment (as defined in ISO 9564). If the clear-text PIN is transmitted to the ICC reader through an unprotected environment, the PIN block shall be enciphered in accordance with ISO 9564.
• A clear-text PIN, encipherment is not required if the PIN block is transmitted wholly through a protected environment (as defined in ISO 9564). If the clear-text PIN is transmitted to the ICC reader through an unprotected environment, the PIN block shall be enciphered in accordance with ISO 9564.
Modified
p. 23
B26 Secure enablement tokens are required from the SPoC monitor system for operation of the SCRP.
B26 Secure enablement tokens are required from the attestation and monitoring system for the SCRP to accept and/or process payments. .
Modified
p. 29
E4 The device is assembled in a manner that the hardware components used in the manufacturing process are those hardware components that were certified by the PIN Entry and/or POS Terminal Integration Security Requirements evaluation, and that unauthorized substitutions have not been made.
E4 The device is assembled in a manner that the hardware components used in the manufacturing process are those hardware components that were certified by the PIN Entry and/or POI Terminal Integration Security Requirements evaluation, and that unauthorized substitutions have not been made.
Modified
p. 32
Note: In the following requirements, the device under evaluation is referred to as the “device.” The device manufacturer, subject to Participating Payment Brand site inspections, confirms the following. The PCI test laboratories will validate this information via documentation reviews and by means of evidence that procedures are properly implemented and used and that this information shall be included in the evaluation report to PCI.
Note: In the following requirements, the device under evaluation is referred to as the “device.” The device manufacturer, subject to Participating Payment Brand site inspections, confirms the following. The PCI test laboratories will validate this information via documentation reviews and by means of evidence that procedures are properly implemented and used, and that this information shall be included in the evaluation report to PCI.
Modified
p. 38
The SCRP column is used as an example of applicability for a specific POI approval class. In general, requirements applicable to SCRP are the same as SCR. However, by definition SCRPs will always handle the PIN, and those requirements will always be applicable, whereas an SCR will not necessarily handle the PIN.
The SCRP column is used as an example of applicability for a specific POI approval class. In general, requirements applicable to SCRs are the same as SCRPs. However, by definition SCRPs will always handle the PIN, and those requirements will always be applicable, whereas an SCR will not necessarily handle the PIN.
Modified
p. 52
With asymmetric cryptographic techniques, such as RSA, there are four elementary transformations: sign and verify for signature systems and encipher and decipher for encipherment systems. The signature and the decipherment transformations are kept private by the owning entity, whereas the corresponding verification and encipherment transformations are published. There exist asymmetric cryptosystems⎯e.g. RSA⎯where the four elementary functions may be achieved by only two transformations: one private transformation suffices for both signing and decrypting messages, and one public transformation suffices for both …
With asymmetric cryptographic techniques, such as RSA, there are four elementary transformations: sign and verify for signature systems and encipher and decipher for encipherment systems. The signature and the decipherment transformations are kept private by the owning entity, whereas the corresponding verification and encipherment transformations are published. There exist asymmetric cryptosystems⎯e.g., RSA⎯where the four elementary functions may be achieved by only two transformations: one private transformation suffices for both signing and decrypting messages, and one public transformation suffices for both …