The PNC PCI DSS compliance programme
Merchants and acquirers need to know that all installed products fulfil the PCI DSS requirements for cardholder data handling. The Nordic acquirers are therefore running a PCI DSS Compliance programme through the Pan Nordic Card Association (PNC) to ensure that only PCI DSS compliant products are installed from 1 January 2010 and that all existing installations meet the PCI DSS requirements by 1 July 2012.
Merchant scope reduction
If the merchant cannot access electronic cardholder data, fewer PCI DSS requirements apply to the merchant. This reduction is possible if all of the following are validated:
- the cardholder data is only handled by an EMV POS terminal that encrypts the cardholder data when the card is read,
- the cardholder data can only be decrypted by a compliant payment service provider, and
- cardholder data is not handled in any system other than the encrypting EMV POS terminal.
These encrypting EMV POS terminals are either End-to-End Encryption-validated EMV POS terminals (E2EE terminals) or Point-to-Point Encryption-certified EMV POS terminals (P2PE terminals).
Two options
Electronic Cash Register (ECR), Unattended Payment Terminal (UPT) and Card Interface (CI) vendors have two options for making sure that their products comply with PCI DSS:
| Option 1 | Option 2 |
| --- | --- |
| ECR, UPT and CI vendors who integrate their products with E2EE or P2PE terminals and do not handle cardholder data are requested to use the form Self Assessment - No cardholder data handling (Self Assessment - No cardholder data handling - Ver A Final.docx) to provide evidence to their merchant customers and the merchants' acquirers that their products do not handle cardholder data. For more information, please see the form. | ECR, UPT and CI vendors who integrate their products with terminals other than E2EE or P2PE terminals usually cannot provide evidence to reduce the number of applicable PCI DSS requirements for their merchant customers. If the product handles cardholder data, it has to be PA-DSS certified. PA-DSS[1] is a supporting standard to the PCI DSS standard and is used to validate that Payment Applications, such as ECRs, handle cardholder data according to the PCI DSS standard. |
Dates
Effective 1 January 2010, all newly installed Point of Sale (POS), Electronic Cash Register (ECR), Unattended Payment Terminal (UPT) and Card Interface (CI) products shall comply with either option 1 or option 2 above.
Effective 1 July 2012, all existing Point of Sale (POS), Electronic Cash Register (ECR), Unattended Payment Terminal (UPT) and Card Interface (CI) products shall comply with either option 1 or option 2 above.
Lists of validated products
List 1A: List of Self-assessments - No cardholder data handling (02/02/2012)
List 1B: List of PA-DSS Self-assessed Payment Applications (12/12/2011) (Please note that this list is not updated after 12 December 2011)
List 2: List of E2EE Validated EMV POS terminals (6/12/2011)
List 3: List of Validated Payment Applications
Unattended Payment Terminals (UPTs)
Effective 1 January 2010: All newly installed and reinstalled UPTs are to fulfil the PCI requirements for Unattended Payment Terminals. The review can be performed by a PNC SAC-recognised lab or a PCI SSC-recognised lab. The requirements are found in the PNC best practices for UPTs (see link).
E-commerce requirements
All existing solutions must be either hosted or PCI DSS validated according to the requirements of the acquirer. CVV2 and CVC2 values must be erased.