Frequently Asked Questions


How do PTS-approved payment terminals support PCI DSS compliance?

FAQ Response

The PCI PTS standards define physical and logical security requirements for different types of payment devices, including PIN-entry devices (PED) and other point of interaction (POI) devices. The PTS POI standard protects the PIN, which is the original objective of the PTS standard. Devices approved to PTS with SRED (Secure Reading and Exchange of Data) additionally encrypt account data. With SRED enabled on a PTS device, the PIN is protected and account data is encrypted. Payment terminals that have been approved to PCI PTS with SRED can facilitate PCI DSS compliance by providing strong security and encrypting account data. Additionally, PCI PTS devices with SRED, when used as part of a PCI-listed P2PE solution, can facilitate PCI DSS scope reduction for merchants. The list of PTS-approved devices can be found at: Approved PIN Transaction Security (PTS) Devices.

While use of PTS-approved payment devices can facilitate PCI DSS compliance, such devices do not by themselves guarantee PCI DSS compliance or reduce the scope of a merchant’s cardholder data environment. The boundaries of the cardholder data environment are not affected by the presence or absence of a PTS-approved terminal, and any terminal interactions with the merchant’s environment are in scope for a merchant’s PCI DSS implementation. PTS-approved devices must be reviewed during a PCI DSS assessment to confirm that they are configured properly and that the security functions and settings have not been disabled. For example, the assessor would verify that the terminal has not been configured by the merchant to store sensitive authentication data after authorization or to transmit clear-text account data over the Internet.

It should be noted that while PCI DSS does not require the use of PTS-approved devices, some payment brands have requirements for the use of PTS-approved devices. Entities should contact their acquirer or the payment brands directly for information about any such requirements.

August 2014
Article Number 1301