PCI PTS POI Evaluation FAQs – Technical – For Use with Version 5 May 2019
Copyright © 2013-18 PCI Security Standards Council, LLC. All Rights Reserved Page 10
Q 34 May 2011: For attack-potential calculations, if the same equipment used for the identification phase can be reused for exploitation, the equipment cannot be accounted for twice, but instead must be divided by two and spread equally over the two phases. Does a similar rationale apply where parts are reused?
A
No. While equipment readily lends itself to reuse for each exploitation, parts are typically a one-time use for each exploitation. Each exploitation should have the same attack-potential value. Accounting for parts that are reused in the initial exploitation only in the Identification phase, or even splitting them between the Identification and Exploitation phases, will result in the initial exploitation having a lower attack-potential value than the actual subsequent exploitations. Therefore, parts used during the Identification phase that can be used in the initial exploitation must be counted fully in the Exploitation phase to equalize the attack-potential value across all exploitations. If a part is not readily reusable (the part once used in installation becomes unusable for exploitation because, for example, it is glued with epoxy and difficult to remove), it can be accounted for twice—once in the Identification phase and again in the Exploitation phase.
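To make the allocation rule concrete, the following Python model is an added illustration (not part of the FAQ, and the resource names and point values are constructed): it allocates equipment and part costs to the two phases under the rule above and under the rejected "split everything" approach, and shows that only the FAQ rule gives the initial exploitation the same Exploitation-phase value as a repeat attack that must buy its parts again. Treating the repeat attack's equipment as the same 50% share is a modelling assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Resource:
    name: str
    points: int        # attack-potential points (constructed sample values)
    kind: str          # "equipment" or "part"
    reusable: bool     # True if the item can be used again for exploitation

def allocate(resources, scheme="faq"):
    """Split resource points between the Identification and Exploitation phases.

    scheme="faq"   : equipment is split 50/50; a reusable part counts fully in
                     Exploitation; a consumed part counts in both phases.
    scheme="naive" : every reusable item, parts included, is split 50/50
                     (the allocation the FAQ answer rejects).
    """
    ident = expl = 0.0
    for r in resources:
        if r.kind == "equipment":                # reusable by nature: half per phase
            ident += r.points / 2
            expl += r.points / 2
        elif not r.reusable:                     # e.g. epoxied part: bought for each phase
            ident += r.points
            expl += r.points
        elif scheme == "naive":                  # rejected: reusable part split in half
            ident += r.points / 2
            expl += r.points / 2
        else:                                    # FAQ rule: full part cost in Exploitation
            expl += r.points
    return ident, expl

def subsequent_exploitation(resources):
    """Exploitation-phase points of a repeat attack (modelling assumption): the
    attacker keeps the equipment (same 50% share) but must buy every part again."""
    return sum(r.points / 2 if r.kind == "equipment" else r.points for r in resources)

# Constructed bill of materials for a hypothetical attack; not taken from the FAQ.
BOM = [
    Resource("logic analyser", 4, "equipment", True),
    Resource("custom PCB overlay", 6, "part", True),
    Resource("epoxied tamper-mesh bypass", 3, "part", False),
]

def compare(resources=BOM):
    """Per scheme: (Exploitation points of the initial attack, points of a repeat attack)."""
    repeat = subsequent_exploitation(resources)
    return {s: (allocate(resources, s)[1], repeat) for s in ("faq", "naive")}
```

With the constructed values, the FAQ rule yields 11 points for both the initial and a repeat exploitation, while the naive split gives the initial exploitation only 8 against 11 for a repeat.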
Q 35 May (update) 2018: PIN entry devices may physically integrate other functionality, such as mobile phone or PDA capabilities or a POS terminal, in the same device. Handheld configurations of PIN entry devices may accommodate the attachment (e.g., via a sled, sleeve or audio jack) of a mobile phone, PDA or POS terminal, where the attached device communicates with the PED. Such a configuration appears as a single device, with separate interfaces for input by the clerk and cardholder. What considerations must be taken into account for either of these configurations?
A
For any device where the cardholder is expected to use the same interface for PIN entry as the clerk would use for phone, PDA, payment application, etc. purposes, or where there are multiple interfaces in a single integrated device, the integrated device must be physically and logically hardened in accordance with the PTS POI security requirements.
In a handheld configuration with an attached device, there is a risk that the cardholder enters the PIN on the wrong interface. Furthermore, the communication interface between the PED and the attached device may give the latter access to MSR functions without cryptographic controls, allowing skimming of card account data. In this integration model, either:
▪ Both devices are assessed and validated as compliant to the PTS POI requirements, or
▪ The PED device, which must also control the card reader(s), must implement and be validated against the PTS POI SRED module. The PED must enforce SRED functions for encryption of card data at all times. The PED is only allowed one state, and that is to encrypt all account data. It cannot be configured to enter a state where account data is not encrypted.