Navigating the PCI PTS POI Security Transition
An essential guide for understanding the shift from version 5 to version 6 of the Payment Card Industry’s Point of Interaction standard, with a focus on ATM security.
The Countdown to Compliance
The final deadline for all devices to meet the PCI PTS POI v6 standard has been updated.
The Timeline of Change
September 2016
PCI PTS POI v5 Issued
Version 5 was released, introducing new requirements for device security, focusing on protecting against evolving threats and securing firmware updates.
June 2021
PCI PTS POI v6 Announced
Version 6 was published to address emerging threats from mobile payments, IoT devices, and software-based PIN entry, preparing the industry for the future of payments.
April 30, 2024
v5 Approvals Expire
The final date for existing v5 approvals. After this date, device vendors can no longer manufacture and sell these models as newly approved, compliant devices.
September 2025
BREAKING NEWS: Deadline Extended
The PCI Council has extended the mandatory v6 compliance deadline to April 2027 to give organizations more time to adapt.
April 2027
v6 Compliance Becomes Mandatory
All newly deployed POI devices must be validated against the v6 standard. This is the final transition point for the industry.
ATM Security Under PTS POI
Automated Teller Machines (ATMs) are high-value targets for criminals. The PCI PTS POI standard provides a framework for securing these unattended terminals, covering all critical points of interaction to protect both the hardware and the cardholder data it processes.
The Scope of Protection
The standard is comprehensive, addressing the key pillars of device security to create a robust defense-in-depth strategy.
Physical Security
Measures to detect and respond to tampering, such as opening the device casing, drilling, or attempts to install skimming hardware.
Logical Security
Protection against software-based attacks, ensuring the integrity of the operating system, secure loading of firmware, and preventing unauthorized code execution.
Device Management
Secure processes for key loading, device configuration, and remote software updates throughout the device’s lifecycle.
Common Pitfalls for ATM Deployers
Achieving and maintaining compliance is challenging. Many ATM deployers face significant risks due to overlooked gaps between their assumed security posture and the reality of their deployed hardware and software.
This chart illustrates the dangerous gap where deployers assume high compliance based on initial purchase orders, while the reality is eroded by unmanaged servicing, software updates, and inadequate inventory tracking.
Your Path to v6 Compliance
Conduct Full Audit
Perform a physical and logical inventory of every component in your ATM fleet. Don’t rely on outdated purchase records.
Verify All Components
Cross-reference the serial numbers and firmware versions of EPPs, card readers, and controllers against the official PCI SSC approved devices list.
Implement Change Control
Enforce strict policies for service technicians to ensure that any “break-fix” replacement uses only certified and like-for-like components.
Validate Software Updates
Confirm that any software, firmware, or XFS component update is explicitly certified for the hardware it is deployed on; an uncertified update on an otherwise approved device breaks compliance.
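The four steps above amount to one reconciliation: take the physical inventory from step one, match each component against the approved-devices list, and flag anything that is unlisted, running unapproved firmware, past its approval expiry, or still on v5 ahead of the April 2027 mandate. The script below is an added example (not code from the page or from PCI SSC) that performs that reconciliation on a constructed inventory. The vendor names, model numbers, firmware versions, serials and expiry dates in it are placeholders, not real listings; a deployer would replace the approved-device register with entries copied from the official PCI SSC list.

```python
"""Reconcile an ATM component inventory against an approved-devices register.

Added example. The register and inventory below are constructed
placeholders, not real PCI SSC approvals or real deployment data.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed approved-device register keyed by (vendor, model). Fields mirror
# what a deployer would copy from the official list: the PTS POI standard
# version the approval was issued under, the approved firmware versions and
# the approval expiry date.
APPROVED = {
    ("ExampleVendor", "EPP-600"): {"standard": "v6",
                                   "firmware": {"2.1.0", "2.1.1"},
                                   "expiry": date(2031, 4, 30)},
    ("ExampleVendor", "EPP-500"): {"standard": "v5",
                                   "firmware": {"1.4.2"},
                                   "expiry": date(2024, 4, 30)},
    ("OtherVendor", "CR-200"):    {"standard": "v6",
                                   "firmware": {"3.0.0"},
                                   "expiry": date(2030, 4, 30)},
}

# Mandatory v6 date from the page's timeline (April 2027); day is assumed.
V6_MANDATORY = date(2027, 4, 1)


@dataclass(frozen=True)
class Component:
    atm_id: str
    kind: str       # "EPP", "card_reader" or "controller"
    vendor: str
    model: str
    firmware: str
    serial: str


def check_component(c: Component, as_of: date) -> list:
    """Return finding codes for one component; an empty list means compliant."""
    entry = APPROVED.get((c.vendor, c.model))
    if entry is None:
        return ["NOT_ON_APPROVED_LIST"]
    findings = []
    if c.firmware not in entry["firmware"]:
        findings.append("FIRMWARE_NOT_APPROVED")
    if as_of > entry["expiry"]:
        findings.append("APPROVAL_EXPIRED")
    if entry["standard"] == "v5":
        # A v5 device must be replaced before the mandate, not merely noted.
        findings.append("V5_DEVICE_REPLACE_BEFORE_V6_MANDATE"
                        if as_of < V6_MANDATORY
                        else "V5_DEVICE_PAST_V6_MANDATE")
    return findings


def reconcile(inventory: list, as_of: date) -> dict:
    """Map each ATM with problems to its findings and list fleet-wide anomalies.

    A serial number recorded on two machines means the asset register, not
    the hardware, is wrong: exactly the inventory-tracking gap the page warns
    about, and a reason to re-audit both machines physically.
    """
    per_atm = {}
    for c in inventory:
        f = check_component(c, as_of)
        if f:
            per_atm.setdefault(c.atm_id, []).append((c.kind, c.serial, f))
    counts = Counter(c.serial for c in inventory)
    dupes = sorted(s for s, n in counts.items() if n > 1)
    return {"per_atm": per_atm, "duplicate_serials": dupes}


# Constructed fleet inventory: three machines, one fully compliant.
SAMPLE_INVENTORY = [
    Component("ATM-01", "EPP", "ExampleVendor", "EPP-600", "2.1.1", "EPP-0001"),
    Component("ATM-01", "card_reader", "OtherVendor", "CR-200", "3.0.0", "CR-0001"),
    Component("ATM-02", "EPP", "ExampleVendor", "EPP-500", "1.4.2", "EPP-0002"),
    Component("ATM-02", "card_reader", "OtherVendor", "CR-200", "3.0.0", "CR-0001"),
    Component("ATM-03", "EPP", "ExampleVendor", "EPP-600", "2.0.9", "EPP-0003"),
    Component("ATM-03", "card_reader", "UnknownVendor", "CR-X", "1.0", "CR-0003"),
]


def run_sample() -> dict:
    """Reconcile the constructed inventory as of an assumed audit date."""
    return reconcile(SAMPLE_INVENTORY, date(2025, 10, 1))


if __name__ == "__main__":
    report = run_sample()
    for atm, items in sorted(report["per_atm"].items()):
        for kind, serial, findings in items:
            print(f"{atm} {kind} {serial}: {', '.join(findings)}")
    if report["duplicate_serials"]:
        print("duplicate serials in register:", report["duplicate_serials"])
```

Run as a script it prints one line per non-compliant component. The audit date is a parameter rather than `date.today()` so the same register can be replayed against the April 2024 expiry and the April 2027 mandate to see which findings change from "replace before mandate" to "past mandate".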
