PCI-PTS Questions

What is the PCI-PTS?

The Payment Card Industry PIN Entry Device (PCI PED) standard was specifically designed to protect consumer PIN (Personal Identification Number) data from theft. It is also intended to enforce hardware security of devices that accept consumer PINs and house secret encryption keys of the acquirer, including how the PIN Entry Device (PED) is produced, controlled, transported, stored and used throughout its life cycle.

Why now for this change from PED (PIN Entry Device) to PTS (PIN Transaction Security)?

The new name reflects an expanding standards program that will continue to incorporate other parts of the PIN (Personal Identification Number) based payment chain beyond PED and other physical devices. The new name more accurately reflects the greater variety of device and non-device types that play a role in PIN transaction security. For the sake of continuity, this site will continue to refer to PED until the new PTS term has been properly socialized.

What is the difference between PED security requirements and PIN security requirements?

Both the PIN (Personal Identification Number) and PED Security Requirements have the common overall objective of protecting the cardholder's PIN during a financial transaction. PED Security Requirements (managed by the PCI-SSC) are primarily concerned with device characteristics impacting the security of the PIN Entry Device used by the cardholder during a financial transaction. The requirements also include device management up to the point of initial key loading, but the evaluation process only addresses device characteristics.

The PIN Security Requirements (managed by MasterCard and Visa) consist of 32 security requirements divided into seven logically related groups, which are referred to as Control Objectives. The PIN requirements are about process management, primarily dealing with the secure management of cryptographic keys throughout their lifecycle (key creation, conveyance, loading, usage, and administration). This results in a complete set of requirements for the secure management, processing, and transmission of Personal Identification Number (PIN) data during online and offline payment card transaction processing at attended and unattended point-of-sale (POS) terminals and for PIN processing at ATMs.

What is TDES?

In cryptography, Triple DES (3DES) is the common name for the Triple Data Encryption Algorithm (TDEA) block cipher, which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block. Because the key size of the original DES cipher was becoming problematically short, Triple DES was designed to provide a relatively simple method of increasing the key size of DES to protect against brute-force attacks without designing a completely new block cipher algorithm.

What should I do if my terminal is not PCI PED compliant?

Consult with your Merchant Acquirer (credit card processor) on whether you can upgrade your terminal(s) to PCI PED compliant devices that support TDES encryption. Merchants that upgrade can do so by purchasing a PCI-PTS PIN pad. If an internal PIN pad is currently being used that is not compliant, a new external PIN pad may need to be purchased.

Are PCI-PTS terminals tamper resistant?

PCI-PTS-approved terminals are designed with physical security features including special tamper detection measures, which can render a terminal inoperative by erasing encryption keys. Tamper-resistant features should also make it unworkable for hackers to obtain personal cardholder information or financial data by attempting to access important electronic components of PIN pads or terminals.

Where can I find out more information about the latest PCI-PTS Standards?

You may access the standards via the PCI SSC site located at the following link: https://www.pcisecuritystandards.org/pdfs/PCI_PED_General_FAQs.pdf.

Sage Payment Solutions is a registered ISO/MSP of BMO Harris Bank N.A.
Sage Payment Solutions is a Registered ISO and MSP of: HSBC Bank USA, National Association, Buffalo NY
Sage Payment Solutions is a registered ISO/MSP of Chase Paymentech Solutions