The Payment Card Industry (PCI) Security Standards Council has updated its requirements for payment device vendors to help address increased attacks against point of sale (POS) systems that allow interaction via a PIN. This new guidance also covers the manner in which payment devices are manufactured, stored, and transported to the merchants that end up using the devices.
The PCI Security Council now wants payment device vendors to demonstrate that changes in operational or environmental conditions do not compromise a device. This includes subjecting these POS devices (including PIN pads) to operating voltages or temperatures outside the normal range. Starting with this update, payment devices are also required to support vendor firmware updates. The device must cryptographically authenticate the firmware update and reject any update that is unauthenticated.
Vendors of PIN entry devices must now ensure that their devices cannot be modified while being transported to a customer facility, and that the opportunity for tampering is minimized.