Version 5.0 of PCI PTS POI, the current version, was released 10 months ago.
Starting in September 2017, all new devices submitted for PCI PTS evaluation must support the 5.0 requirements, leading to a greater level of security on new POS systems.
A number of changes affect the logical part of the PCI evaluation, and Alcinéo takes them into account in its PCI PTS POI software solution. These changes concern the core logical module and the SRED module (Account Data Protection).
Devices must support firmware update functionality. The objective of the PCI Security Standards Council is to enhance the protection of cardholders’ sensitive data.
Changes in the Security Requirements:
- Sections B & K: devices MUST support firmware updates
- Section K: the requirement for Independent Security mechanisms (K1.2) has been removed, and additional guidance is given for requirement K1.1
Changes in the Derived Test Requirements (which define the tests to be performed by laboratories):
- B9: Random Number – updated guidance on Deterministic Random Bit Generator
- B20: Updated to reflect additional required information to be included in the POI security policy
- D1: Penetration protection – eliminated the 10-hour minimum for exploitation time
All the changes mentioned above were published by the PCI SSC in the document "POI – Summary of Requirements Changes".
Alcinéo is already developing logical modules according to version 5.0, to provide the increased level of security required and to comply with the logical evaluation scope.
We support our customers during the development of their products and help them pass PTS evaluation. Our solution is based on a modular software approach, including Secure Boot Loader, Key Manager, Crypto Engine, and Secure Manager.
You will find all the necessary documents (Security Requirements, Vendor Questionnaire and summary of changes between v4.1 and v5.0) in the document library on the PCI website: