PCI PTS for Smart Card Terminals

PCI PTS certification for payment terminals and smart card readers: device security requirements, evaluation process, and vendor compliance.

PCI PIN Transaction Security (PCI PTS) is the Payment Card Industry standard that governs the security of PIN entry devices and point-of-interaction (POI) terminals used in card-present transactions. Managed by the PCI Security Standards Council (PCI SSC), PTS approval is mandatory for any device that captures a cardholder PIN or sensitive account data before sending it to an acquiring host.

Use the Cost Estimator to model certification timelines and laboratory fees for a new terminal programme.

What PCI PTS Covers

PTS is not a single standard — it is a family of modular documents, each targeting a different hardware category:

| Module | Device Scope | Key Focus |
|---|---|---|
| POI | Full payment terminals | PIN entry, display, tamper detection |
| HSM | Hardware Security Modules | Key management, cryptographic operations |
| PED | PIN Entry Devices (standalone keypads) | Physical and logical PIN protection |
| Open Protocols | Software-based POI (SoftPOS) | Host OS and communication security |
| Encrypting PIN Pad (EPP) | ATMs and kiosks | Anti-skimming, key injection |

An EMV chip card transaction processed at a PTS-approved terminal benefits from end-to-end PIN encryption: the PIN is encrypted inside the tamper-resistant security module (TRSM) and never appears in plaintext outside it.

POI Device Approval Process

Achieving PTS approval for a new terminal follows a structured path:

  1. Select a PCI SSC-recognised laboratory. The PCI SSC maintains a list of Qualified Laboratory (QL) assessors. Early engagement with a lab helps identify which PTS version to target (currently v6.x for POI).

  2. Design review. The lab reviews schematics, firmware architecture, and penetration testing plans. Physical attack resistance — including mesh overlay sensors, battery-backed volatile memory for key zeroisation, and epoxy-encased keypad circuitry — must meet defined thresholds.

  3. Source code review. PIN-handling firmware is audited for timing side-channels (SPA/DPA mitigations), buffer overflows, and hardcoded keys.

  4. Laboratory testing. The lab conducts physical penetration tests, voltage glitching, environmental stress, and communication-interface attacks. Logical testing covers APDU command fuzzing and key injection procedures.

  5. PCI SSC review and listing. Approved devices appear on the PCI SSC's Approved PTS Devices list. Listings include the approval date and sunset date (typically 5 years from approval; devices may be used in the field for a further 3 years).

Key Security Requirements

| Requirement | Description |
|---|---|
| Tamper evidence | Seals and coatings that reveal physical intrusion attempts |
| Tamper detection | Active zeroisation of keys when penetration is detected |
| PIN encryption | PIN block encrypted with DUKPT or MK/SK key hierarchy |
| Display authenticity | Anti-phishing mechanisms to prevent display spoofing |
| Firmware integrity | Signed firmware updates; no unauthenticated update path |
| Secure key injection | Keys loaded only in PCI-compliant key injection facilities |

DUKPT Key Management

Derived Unique Key Per Transaction (DUKPT, ANSI X9.24 Part 1) is the dominant key management scheme for PTS-approved devices. Each transaction uses a unique derived key, so compromise of one transaction key does not expose past or future transactions:

Base Derivation Key (BDK)  →  stored in HSM only
         ↓  (injected at factory)
Initial PIN Encryption Key (IPEK)  →  stored in terminal
         ↓  (per-transaction derivation)
Transaction Key  →  used once, discarded

The terminal maintains a 21-bit counter. After 1,048,576 transactions the terminal must be re-keyed. Modern terminals increasingly adopt AES-DUKPT (ANSI X9.24 Part 3) for 128/256-bit key strength.
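The derivation chain above, together with the PIN-block encryption listed under Key Security Requirements, carried through as an added Go example; this is not code from the original page or from any terminal vendor, and it uses only the standard library's crypto/des. The BDK and KSN are the published ANSI X9.24-1 sample values, the PAN and PIN are constructed, and the function names (DeriveIPEK, DeriveTransactionKey, PINBlockISO0, EncryptPINBlock) are my own. It implements the TDES scheme the text describes; AES-DUKPT (Part 3) uses a different derivation and is not covered.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// Public ANSI X9.24-1 sample BDK and KSN (test vectors, never production keys).
const sampleBDK, sampleKSN = "0123456789ABCDEFFEDCBA9876543210", "FFFF9876543210E00001"

// keyMask separates the key halves during derivation; pinVariant yields the PIN key.
var (
	keyMask    = mustHex("C0C0C0C000000000C0C0C0C000000000")
	pinVariant = mustHex("00000000000000FF00000000000000FF")
)

func mustHex(s string) []byte {
	b, _ := hex.DecodeString(s) // inputs are fixed literals or validated digit strings
	return b
}

// HexUpper prints bytes the way the X9.24 test vectors do.
func HexUpper(b []byte) string { return strings.ToUpper(hex.EncodeToString(b)) }
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// blockOp runs one 8-byte block through TDES. A 16-byte key is used as K1 K2 K1
// (two-key TDES); an 8-byte key becomes K K K, which is plain single DES.
func blockOp(key, block []byte, decrypt bool) []byte {
	k := append(append(append([]byte{}, key...), key[:8]...), key[:8]...)[:24]
	c, err := des.NewTripleDESCipher(k)
	if err != nil {
		panic(err)
	}
	out, op := make([]byte, 8), c.Encrypt
	if decrypt {
		op = c.Decrypt
	}
	op(out, block)
	return out
}

// DeriveIPEK (run in the key-injection facility's HSM): the leftmost 8 KSN bytes with
// the counter bits cleared, TDES-encrypted under the BDK and under BDK XOR keyMask.
func DeriveIPEK(bdk, ksn []byte) []byte {
	base := append([]byte{}, ksn[:8]...)
	base[7] &= 0xE0 // the five high counter bits sit in the low bits of byte 7
	return append(blockOp(bdk, base, false), blockOp(xorBytes(bdk, keyMask), base, false)...)
}

// nonReversibleStep is one round of X9.24-1 non-reversible key generation: each half is
// DES(left, right XOR register) XOR right, so a child key never reveals its parent.
func nonReversibleStep(key, reg []byte) []byte {
	half := func(k []byte) []byte { return xorBytes(blockOp(k[:8], xorBytes(k[8:], reg), false), k[8:]) }
	return append(half(xorBytes(key, keyMask)), half(key)...)
}

// DeriveTransactionKey walks the 21-bit counter from its top bit down and derives
// once per set bit (X9.24 allows at most 10 set bits, so at most 10 rounds).
func DeriveTransactionKey(ipek, ksn []byte) []byte {
	reg := append([]byte{}, ksn[2:10]...) // rightmost 8 KSN bytes
	counter := uint32(reg[5]&0x1F)<<16 | uint32(reg[6])<<8 | uint32(reg[7])
	reg[5], reg[6], reg[7] = reg[5]&0xE0, 0, 0
	key := append([]byte{}, ipek...)
	for shift := 20; shift >= 0; shift-- {
		if bit := uint32(1) << uint(shift); counter&bit != 0 {
			reg[5], reg[6], reg[7] = reg[5]|byte(bit>>16), reg[6]|byte(bit>>8), reg[7]|byte(bit)
			key = nonReversibleStep(key, reg)
		}
	}
	return key
}

// PINBlockISO0 builds an ISO 9564-1 format 0 block: the PIN field XOR the rightmost
// 12 PAN digits, check digit excluded.
func PINBlockISO0(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || len(pan) < 13 || strings.Trim(pin+pan, "0123456789") != "" {
		return nil, fmt.Errorf("pin must be 4 to 12 digits and pan at least 13 digits")
	}
	pinField := fmt.Sprintf("0%X%s", len(pin), pin)
	pinField += strings.Repeat("F", 16-len(pinField))
	acct := pan[:len(pan)-1]
	return xorBytes(mustHex(pinField), mustHex("0000"+acct[len(acct)-12:])), nil
}

// EncryptPINBlock applies the PIN-key variant; the host reverses it with decrypt=true.
func EncryptPINBlock(txnKey, pinBlock []byte, decrypt bool) []byte {
	return blockOp(xorBytes(txnKey, pinVariant), pinBlock, decrypt)
}
func main() {
	ipek := DeriveIPEK(mustHex(sampleBDK), mustHex(sampleKSN))
	txnKey := DeriveTransactionKey(ipek, mustHex(sampleKSN))
	pb, err := PINBlockISO0("1234", "4012345678909") // constructed PAN and PIN
	if err != nil {
		panic(err)
	}
	fmt.Println(HexUpper(ipek), HexUpper(txnKey), HexUpper(pb), HexUpper(EncryptPINBlock(txnKey, pb, false)))
}
```

Running it prints the IPEK, the transaction key for counter value 1, and the clear and encrypted ISO format 0 PIN block. The design point to notice is the split of knowledge: the terminal holds only the IPEK and its descendants, and the non-reversible step means extracting a current key from a terminal does not yield earlier keys, while the host never stores terminal keys at all, since it re-derives the same transaction key from the BDK in its HSM and the KSN that travels with each message.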

PTS Version Lifecycle

| PTS Version | Published | Approval Sunset | Field Sunset |
|---|---|---|---|
| v3.x | 2010 | 2014 | 2017 |
| v4.x | 2013 | 2017 | 2020 |
| v5.x | 2016 | 2021 | 2024 |
| v6.x | 2020 | 2026 | 2029 (est.) |

Acquirers and payment brands may mandate higher versions than the minimum sunset date implies. Visa and Mastercard regularly issue bulletins accelerating sunset timelines for older hardware.

Relationship to EMV and PCI DSS

PTS approval certifies the device; it does not replace EMV chip certification (which certifies the card and kernel interaction) or PCI DSS (which certifies the merchant's overall cardholder data environment). A compliant payment deployment requires all three frameworks to be satisfied concurrently.

See the EMV Transaction Flow Guide and the Common Criteria Evaluation Process for the overlapping security evaluation landscapes.
