Frequently Asked Questions

< Back to search page

Does PCI DSS, PA-DSS, or PTS apply to ATMs?

FAQ Response

PCI DSS applies to entities involved in payment card processing or that otherwise store, process, or transmit cardholder data; the Payment Application Data Security Standard (PA-DSS) applies to payment applications that store, process, or transmit cardholder data as part of authorization or settlement; and Encrypting PIN Pads (EPPs) for ATMs and unattended payment terminals can be validated under the PIN Transaction Security (PTS) POI requirements.

While the Payment Card Industry Security Standards Council (PCI SSC) manages the payment security standards and related programs, each payment brand is responsible for their own compliance programs, including who must comply with the different standards, due dates for compliance, fines, etc. To determine whether ATMs must validate PCI DSS, PA-DSS, or PTS compliance, please contact the payment brands directly.

August 2013
Article Number 1223

Related Articles

Does a QSA need to be onsite at the client’s premises for all aspects of a PCI DSS assessment?

If a merchant develops an application that runs on a consumer’s device (e.g. smartphone, tablet, or laptop) that is used to accept payment card data, what are the merchant’s obligations regarding PCI DSS and PA-DSS for that application?

What are acceptable formats for truncation of primary account numbers?

What is the role of acquirers and assessors in determining the applicability of PCI DSS requirements for a merchant’s PCI DSS assessment?

Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for onsite assessments?