Wednesday, August 12, 2009

The Evolution of Payment Terminal Standards

Almost since the inception of payment terminals, there has been concern about criminals tampering with these devices to capture card information for fraudulent purposes. In 1997, Visa issued the first security requirements for PIN Entry Devices. Effective January 1, 2008, all newly deployed PIN entry terminals were required to meet this standard. Manufacturers did not have to submit terminals to independent labs for certification against this standard; rather, they simply attested that the standard was met. In 2002, Visa enhanced its PED security program with additional security requirements and a requirement that terminals be submitted to a Visa-approved lab for approval. In May of 2003, Visa announced that effective January 1, 2004, all newly deployed terminals must meet this standard, and that as of July 1, 2010, all installed terminals must have met this standard and been independently tested by a lab.

In 2004, MasterCard and Visa agreed to develop one set of PIN Entry Device requirements, which became known as PCI PED. As part of this agreement, they announced that all newly deployed terminals after January 1, 2008 must meet this requirement.

In 2005, the card associations (American Express, Discover, JCB, MasterCard and Visa) formed the PCI Security Standards Council to standardize the payment standards that they required retailers to adhere to (the PCI DSS, or Data Security Standard). In September 2006, the PCI SSC announced that it would take over the management and development of the PED Standard, and it released the PCI PED 2.0 Requirements in April of 2007. Next in the evolution of payment terminal standards will be the introduction of the PTS (PIN Transaction Security Program) at the PCI SSC community meeting in September 2009.

The following chart illustrates the timeline of the evolution of payment terminal standards.

