The PCI Security Standards Council (PCI SSC) has published a major revision to PCI PIN Transaction Security (PTS) Point-of-Interaction (POI) Modular Security Requirements from version 6.2 to version 7.0. The PCI PTS POI Modular Security Requirements document enhances security controls to defend against physical tampering and the insertion of malware that can compromise card data during payment transactions.
PCI PTS POI v7.0 includes 59 requirement changes and 23 pieces of additional guidance. These significant changes are the result of stakeholder feedback following two Request for Comment (RFC) periods in 2024. Some of these changes, designed to address industry needs, include:
- Added a new requirement for the physical/logical security of biometric interfaces.
- Added a new requirement to allow the use of third-party applications (e.g., app stores).
- Added consideration for secret or private keys that are not zeroized on tamper, provided forward secrecy is used and extracting those keys would require destroying the processing element that uses them.
- Specified that terminal security keys (e.g., firmware-authentication keys and tamper/storage keys) must use cryptography with an effective key strength of 128 bits or stronger.
- Added an option to provide a PIN-entry feature designed for accessibility, which may be made available on a per-transaction basis.
The following documents related to the PTS POI v7.0 Standard can be found in the PCI SSC Document Library:
- PCI PTS POI Modular Security Requirements v7.0
- PCI PTS POI Summary of Changes from v6.2 to v7.0
- PCI PTS POI Modular Derived Test Requirements v7.0