From 1 September to 30 September 2022, eligible PCI SSC stakeholders are invited to review and provide feedback on the PTS POI Modular Security Requirements v6.2 draft during a 30-day request for comments (RFC) period. The full list of stakeholders eligible to participate can be found on the PCI SSC RFC webpage.
The RFC will be available to primary contacts through the PCI SSC portal, including instructions on how to access the document and submit feedback. Eligible stakeholders will also receive instructions via email. As a reminder, participants are required to accept a Non-Disclosure Agreement (NDA) to download the document. Please review the RFC Process Guide for more information.
Please note that PCI SSC can only accept comments that are submitted via the PCI SSC portal and received within the defined RFC period.
Background on the PTS POI Modular Security Requirements v6.2
The PCI PTS POI Modular Security Requirements enhances security controls to defend against physical tampering and the insertion of malware that can compromise card data during payment transactions.
The updates in the RFC are designed to address industry needs by:
- Clarifying PIN block translation requirements involving tokenized and real PANs when using a Secure Card Reader PIN (SCRP).
- Modifying the time between receipt of enablement tokens by an SCRP from a maximum of ten minutes to a maximum of twenty-four hours before cessation of payment card acceptance.
- Clarifying that the SCRP may continue to provide functions necessary for the resumption of payment card acceptance and processing by the SCRP, even when an enablement token is not provided within the acceptable time.
Additionally, the updates clarify that the Security Policy submitted by the vendor for the PCI website includes all device hardware and firmware options and their function.
Please review the RFC Process Guide and our resource guide: What to Know Before Participating in a PCI SSC RFC for more information on the PCI SSC RFC process.