The Payment Card Industry Standards Council has added unattended payment
terminals and hardware-security modules to its testing program for PIN-entry
devices, the council announced last week.

PCI-approved labs already evaluate many unattended devices as well as those
attended by cashiers or sales clerks. But now PCI-approved laboratories will test
unattended terminals and hardware-security modules according to security
criteria designed specifically for those devices.

And the council will post lists of approved devices and provide related
training and documentation to testing labs, merchants and vendors.

Unattended payment terminals include automated fuel pumps, vending machines,
and self-service kiosks that accept credit and debit cards.

Merchant acquirers use cryptographic hardware-security, or "host," modules to
translate PINs, personalize cards, protect data and conduct electronic commerce.

Unattended payment terminals, particularly older models, are vulnerable to
data-security attacks, says Gartner Group analyst Avivah Litan. "A lot of gas
pump [terminals] are using very old technology that's subject to PIN attacks,"
says Litan, referring to methods thieves use to capture cardholder PINs from
PIN-entry devices.

However, changing unattended terminals on fuel pumps can prove difficult
because upgrades often require replacing entire pumps, not just the terminals,
Litan notes.
