The Security Standards Council of the Payment Card Industry (“PCI”) announced updates to its payment device standard, which will enable stronger protections for cardholder data, including data such as cardholders’ personal identification numbers (PINs) and cardholder data stored on the magnetic stripe of cards or on mobile devices. The updated standard addresses the increased threats and attacks aimed at point-of-sale and point-of-interaction systems.
Payment devices that acquire magnetic stripe information from customers remain a top target for data thieves, and PCI’s new standard focuses on improving protection at cash machines, in-store and unattended terminals, and mobile devices used for payment transactions. According to PCI, the updated standard emphasizes enhanced security controls in order to prevent physical tampering and the insertion of malware during payment transactions.
“Criminals constantly attempt to break security controls to find ways to exploit data. We continue to see innovative skimming devices and new attack methods that put cardholder data at risk for fraud,” said PCI Security Standards Council Chief Technology Officer Troy Leach. “Security must continue to evolve to defend against these threats. The newest PCI standard for payment devices recognizes this challenge by requiring protections against advancements in attack techniques.”
While the adoption of the EMV chip has improved protections against consumer fraud, no technology is bulletproof, acknowledged PCI Security Standards Council General Manager Stephen Orfei. “In this ongoing battle against criminal attacks, we must continue to adapt the way we secure payments. With the latest PCI device standard, PCI is driving the evolution of global industry data security standards that protect payment transactions now and in the future.”
The PCI PTS POI Modular Security Requirements version 5.0 is currently available for payment device evaluations. PCI will retire version 4.1 in September 2017 for evaluations of new payment devices.