What is PCI-PTS
PCI-PTS is a standard defined by the Payment Card Industry Security Standards Council, or PCI SSC (American Express, Discover, JCB International, MasterCard and Visa Inc), that addresses the logical and physical protection of cardholder and other sensitive data in payment security devices. A payment security device can be a point of interaction (POI) device or a Hardware Security Module (HSM).
This standard evaluates products against a common module of requirements covering the safe construction and design of the devices, plus a set of optional requirements that depend on the features the module implements, such as communication over wireless standards or the ability to encrypt account data (SRED).
Generally, manufacturers are responsible for providing the completed Vendor Questionnaire and Security Requirements documents and for generating the additional evidence and documentation package to be submitted to an accredited PCI-PTS laboratory. However, this task can be frustrating for manufacturers because they usually do not know which documents need to be generated, or what their content should be, in order to comply with what is required by the Derived Test Requirement (DTR) document and by the Frequently Asked Questions document, which is updated periodically.
Do not hesitate to call us for more information about PCI-PTS consulting. Our expert evaluation team will help you get your module successfully validated, reducing the evaluation time and lowering cost and resources.
PCI CPoC is a new security standard approved by the PCI Security Standards Council (PCI SSC) for smartphones and other contactless payment devices such as wearables and tablets, known as COTS (commercial off-the-shelf) devices.
The PCI CPoC standard brings security and testing requirements for products that support contactless payments on a COTS device using a built-in NFC reader.
The certification process is similar to the one carried out for PCI-PTS. Once the product is validated under the PCI CPoC standard, it is listed on the PCI SSC website, where buyers can find the solutions that have been developed and lab-tested to protect contactless payment data.
PCI-PTS & PCI-CPoC validation process
To get a POI or HSM device approved by PCI-SSC, the manufacturer must first contact a PCI-recognized laboratory and complete the PCI forms. Second, the vendor must provide the lab with three working devices and the documentation package. Finally, once the evaluation has been completed successfully, the PCI laboratory must send the report to the PCI-SSC, and the module is listed on the Approved PTS Devices website.
The evaluation carried out by the lab consists of validating the POI or HSM by evaluating the manufacturer's responses to the POI or HSM Security Requirements together with the additional documentary evidence, such as the Vendor Questionnaire, Security Policy, developer guidance, software quality procedures, etc.
Generating the large volume of additional documentary evidence that must be provided alongside the Security Requirements can be torture for anyone who is not used to dealing with security certification documentation. The main difficulty is that the Vendor Questionnaire contains several hundred questions that must be answered and cross-referenced to the rest of the documents; as a result, when a manufacturer tries to tackle it without consultancy, it usually results in long delays in module development and certification.
After a preliminary gap analysis, our team will support you throughout the whole evaluation process, identifying and generating the additional documents required to comply with the PCI-PTS or PCI-CPoC standard, depending on your device design and functionality.
Ask about our PCI-PTS and PCI-CPoC consulting service and get your product on the Approved Devices website, reducing validation time and benefiting from our experience and our recognition as valued consultants for laboratories.
They already trusted us. Let's talk!
What do we offer?
We check the current status of your device and documentation and tell you which changes you need to make before going through the development/certification process.
This service is particularly valuable for PCI-PTS and PCI-CPoC because a POI or HSM device must meet specific requirements depending on its features, and having a clear understanding of them avoids finding issues in the last stages of development.
We offer you the maximum support during the evaluation process in order to get your module validated as soon as possible.
Answering the Vendor Questionnaire questions and generating the additional required documents is not a trivial task if you are not used to it.
We can do it for you, allowing you to focus on your product and saving you time, money and resources.
Does your team need to gain more knowledge of PCI-PTS or PCI-CPoC? We can provide customized training.
After this training, your team will be able to write PCI-PTS and PCI-CPoC documentation on their own.