The Payment Card Industry Security Standards Council has added unattended payment terminals and hardware-security modules to its testing program for PIN-entry devices, the council announced last week.
PCI-approved labs already evaluate many unattended devices as well as those attended by cashiers or sales clerks. But now PCI-approved laboratories will test unattended terminals and hardware-security modules according to security criteria designed specifically for those devices.
And the council will post lists of approved devices and provide related training and documentation to testing labs, merchants and vendors.
Unattended payment terminals include automated fuel pumps, vending machines, and self-service kiosks that accept credit and debit cards.
Merchant acquirers use cryptographic hardware-security modules, also called "host" modules, to translate PINs, personalize cards, protect data and conduct electronic commerce.
Unattended payment terminals, particularly older models, are vulnerable to data-security attacks, says Gartner Group analyst Avivah Litan. "A lot of gas pump [terminals] are using very old technology that's subject to PIN attacks," says Litan, referring to methods thieves use to capture cardholder PINs from PIN-entry devices.
However, changing unattended terminals on fuel pumps can prove difficult because upgrades often require replacing entire pumps, not just the terminals, Litan notes.