Why “Can you sell me a PCI DSS Certified Reader?” is the wrong question
“Can you please assist me by providing a PCI DSS Certificate for these devices?” or “I don't see X product on the PCI website, is it P2PE certified?” are common questions customers ask about ID TECH products, but they usually rest on a faulty assumption: that a device without PCI certification is inherently less secure than one with it. That is simply not correct.
ID TECH can supply PCI PTS SRED certified hardware (SREDKey, Augusta S, Spectrum Pro, etc.), but our non-SRED devices are still excellent, highly secure devices that can be used for most payment solutions being developed for the market.
PCI DSS applies to the payment system as a whole: certification covers every aspect of a payment solution, not just the hardware device(s). PCI DSS consists of 12 specific requirements on how a compliant solution must control access and handle cardholder data.
| Control objective | PCI DSS requirement |
| --- | --- |
| Build and maintain a secure network | 1. Install and maintain a firewall configuration to protect cardholder data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect cardholder data | 3. Protect stored cardholder data |
| | 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a vulnerability management program | 5. Use and regularly update anti-virus software on all systems commonly affected by malware |
| | 6. Develop and maintain secure systems and applications |
| Implement strong access control measures | 7. Restrict access to cardholder data by business need-to-know |
| | 8. Assign a unique ID to each person with computer access |
| | 9. Restrict physical access to cardholder data |
| Regularly monitor and test networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an information security policy | 12. Maintain a policy that addresses information security |
Nothing in these requirements says which peripheral payment hardware a solution provider must include in their solution. PCI is concerned that you meet the requirements, not with how you meet them. A solution provider going for PCI DSS certification could use a non-encrypting reader, but that invites additional scrutiny of how the system handles cardholder data. With an encrypting card reader, where the merchant has no ability to decrypt the card data locally or anywhere in their environment (decryption happens at a third-party gateway), the QSA can likely grant scope reduction on requirements #3, #4, and #9, although the auditor determines the actual level of scope reduction.
The only hardware that PCI certifies is PCI PTS (PIN Transaction Security) devices, which is where the SRED requirement resides. Non-SRED encrypting devices do not contain the necessary tamper mechanisms required for a product to qualify for SRED; therefore, ID TECH has not submitted such devices for PCI PTS SRED certification. ID TECH encrypting devices can technically be considered PCI compliant, because they are used in many currently certified PCI DSS solutions, but the readers themselves are not “PCI certified.” The PCI certification applies to the entire solution. It is not a device-level standard.
There is a common misconception within the payments industry regarding what "P2PE" is. Many times, when people say "P2PE," they really mean E2EE (end-to-end encryption). When a merchant is deploying a payment system that provides hardware-level encryption of a type that provides only encrypted cardholder data to the POS application, which then passes that payment packet (containing the encrypted data) to the payment gateway, that is considered "end-to-end" encryption. P2PE (Point to Point Encryption) is an official PCI certification that involves all aspects of the transaction, from the hardware used (which must be SRED), the deployment environment, data handling (which must be maintained to P2PE regulations), the payment application, and the key injection and decryption facility. Merely having a SRED device in place does not make a system P2PE-compliant.
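The E2EE data flow described above, modelled as an added example that is not ID TECH code and does not reproduce any product's real packet format: the reader encrypts the track data under a key it shares only with the gateway's decryption service, the POS application forwards the packet without being able to read it, and the gateway verifies and decrypts. The cipher is a standard-library stand-in (HMAC-SHA256 counter keystream plus an HMAC tag) for the AES/TDES DUKPT that production readers use; the key, PAN, merchant id and field names are all constructed for the example.

```python
"""Model of an end-to-end-encrypted (E2EE) card-data flow: reader -> POS -> gateway."""
import hashlib
import hmac
import json
import secrets

# Constructed sample key. In a real deployment it is loaded into the reader at
# a key-injection facility and is known only to the reader and the gateway's
# decryption service; the POS and the rest of the merchant environment never hold it.
SHARED_KEY = bytes(range(32))


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the shared key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (stand-in for AES/TDES)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(data: bytes, keystream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream))


def reader_swipe(key: bytes, pan: str, expiry: str) -> dict:
    """What the encrypting reader hands to the POS: an opaque packet plus the
    masked PAN that a receipt is allowed to show. Field names are constructed."""
    nonce = secrets.token_bytes(12)
    track = json.dumps({"pan": pan, "expiry": expiry}).encode()
    ciphertext = _xor(track, _keystream(_subkey(key, b"enc"), nonce, len(track)))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return {
        "nonce": nonce.hex(),
        "ciphertext": ciphertext.hex(),
        "tag": tag.hex(),
        "masked_pan": "*" * (len(pan) - 4) + pan[-4:],
    }


def pos_build_request(packet: dict, merchant_id: str, amount_cents: int) -> dict:
    """The POS application only wraps the reader's packet with transaction data.
    It has no key, so it cannot (and does not try to) read the card data."""
    return {"merchant_id": merchant_id, "amount_cents": amount_cents, **packet}


def request_exposes_pan(request: dict, pan: str) -> bool:
    """Check that the POS-side request never carries the clear PAN."""
    return pan in json.dumps(request)


def packet_verifies(key: bytes, request: dict) -> bool:
    """Integrity check the gateway runs before decrypting; fails for a tampered
    packet or for any party that does not hold the shared key."""
    nonce = bytes.fromhex(request["nonce"])
    ciphertext = bytes.fromhex(request["ciphertext"])
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(expected, bytes.fromhex(request["tag"]))


def gateway_decrypt(key: bytes, request: dict) -> dict:
    """The gateway's decryption service: verify the tag, then recover the track data."""
    if not packet_verifies(key, request):
        raise ValueError("packet failed integrity check")
    nonce = bytes.fromhex(request["nonce"])
    ciphertext = bytes.fromhex(request["ciphertext"])
    track = _xor(ciphertext, _keystream(_subkey(key, b"enc"), nonce, len(ciphertext)))
    return json.loads(track)


if __name__ == "__main__":
    test_pan = "4111111111111111"  # constructed test number, not a real card
    packet = reader_swipe(SHARED_KEY, test_pan, "1229")
    request = pos_build_request(packet, "MERCHANT-0001", 1999)
    print("POS-side request carries clear PAN:", request_exposes_pan(request, test_pan))
    print("Gateway recovered:", gateway_decrypt(SHARED_KEY, request))
```

The `request_exposes_pan` check is the point that matters for scope: nothing in the merchant environment holds the key, so the POS-side request carries only ciphertext and the masked PAN, which is what lets a QSA consider reducing scope on the storage and transmission requirements. Production readers additionally send a key serial number so the decryption service can derive the per-transaction DUKPT key; that bookkeeping is omitted here.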
What is the proper response to a customer asking about PCI certification for a non-SRED product? One way to respond is: “While the device called X does not, itself, qualify for PCI PTS certification, X is an encrypting reader and has been used in many PCI DSS certified solutions without any issues." You can also add: "If additional clarifications about how X handles the protection of cardholder data would be helpful, I would be glad to schedule a call between you, my product manager, and your auditor.”