PCI PTS POI Device Security Requirements v6
PCI PIN Transaction Security (PTS) requirements for Point of Interaction (POI) devices, including PIN entry terminals, unattended payment terminals, and mobile payment acceptance devices. The standard covers physical tamper resistance, logical security, firmware integrity, secure boot, key management, and vendor qualification across 7 evaluation modules, and is required for all POI device types seeking PCI approval.
| Clause | Title | SP 800-53 Controls |
|---|---|---|
| A | Device Physical Security — tamper evidence, tamper response, and physical penetration resistance | |
| B | Logical Security — firmware integrity, secure boot, runtime protections, and debug interface controls | |
| C | PIN Entry Device Requirements — PIN pad security, PIN block formatting, and display/keypad isolation | |
| D | Key Management — PIN encryption key lifecycle, key injection, DUKPT/AES key schemes, and key loading security | |
| E | Communication Security — device-to-host encryption, TLS requirements, and communication channel integrity | |
| F | Software Security Requirements — application separation, privilege isolation, and secure update mechanisms | |
| G | Integration and Assembly Security — secure manufacturing, component provenance, and anti-counterfeiting | |
| H | Vendor Qualification and Development Practices — secure development environment, personnel security, and quality assurance | |
| I | Unattended Payment Terminal (UPT) Requirements — kiosk security, anti-skimming, and remote monitoring | |
| J | Open Protocol Requirements — contactless interface security, NFC protocol protection, and kernel isolation | |
| K | Device Management Lifecycle — provisioning, deployment, maintenance, decommissioning, and key destruction | |
| L | Accountability and Audit — event logging, tamper event recording, and device integrity attestation | |