Security requirements and guidelines
PNC SAC documents are generally updated only on 1 October and 1 April. A document version is valid for six months after a new version has been published.
PIN Transaction Security Device Review
This document presents the PNC SAC PIN Transaction Security Device Review Requirements.
Review Report - Ver A Final.pdf (2011-10-14)
A terminal vendor that wants to validate product compliance with (VISA BEST PRACTICES - Data Field Encryption, Version 1.0 2009) is to make sure that the POI terminal solution fulfils the best practice requirements, that it is both self-assessed and third-party validated, and that the signed reports of the two assessments are provided to PNC.
E2EE Validation
The process is described in the document below:
E2EE Evaluation - Ver E Final.pdf
The forms for POS POI terminals and UPT Components are found below.
E2EE Evaluation Form - POI - Ver E Final.docx
E2EE Evaluation Form - UPT - Ver E Final.docx
Terminal vendors are recommended to use version E to validate product compliance with (VISA BEST PRACTICES - Data Field Encryption, Version 1.0, 2009).
Validations based on the previous version of the E2EE validation document, SAQ AOC VBP DFE Ver D Final.docx, are not recommended but can be submitted to PNC until 30 November 2011. No approval is made according to SAQ AOC VBP DFE Ver D Final.docx after 21 December 2011.
Keyboard layout
Effective 1 June 2011: It is recommended that all new POS POI Terminals use the SS-EN 1332-3:2008 keyboard layout.

Visual Shield
Effective 1 January 2011: All new POS POI Terminals are to use visual shields. The only exception to this best practice is for truly handheld devices.
Visual Shield - Ver D Final.pdf (2011-11-21)
Unattended Payment Terminal (UPT)
A UPT is a POS POI device where the transaction is initiated by the cardholder and there is no immediate merchant support available. These include terminals such as automated fuel dispensers, kiosks, and self-service devices (ticketing/vending or car parking terminals).
This document presents the PAN Nordic Security Advisory Committee (PNC SAC) Best Practices for fulfilling the PCI, EMV and brand requirements for Unattended Payment Terminal (UPT) solutions, both for UPTs and non-PIN UPTs. A non-PIN UPT is a POS device where the transaction is initiated by the cardholder, there is no immediate merchant support available, and no CVM is performed. These are primarily intended for low-value payments and include terminals such as self-service devices for ticketing/vending, road tolls and car parking.
Effective 1 January 2010: All newly-installed and reinstalled UPTs are to fulfil the PCI requirements for Unattended Payment Terminals. The review can be performed by a PNC SAC recognised lab or a PCI SSC recognised lab.
The process is described in:
Unattended Payment Terminal - Ver D Final.pdf (2011-10-31)
The form with the requirements is found in:
Unattended Payment Terminal Form - Ver D Final.docx (2011-10-31)
Templates for documents that are requested are found in:
Unattended Payment Terminal Templates - Ver D Final.docx (2011-10-31)
Guidelines for PIN Transaction Security Device and Unattended Payment Terminal Reviews
The PNC SAC Review Guidelines present review guidelines for third-party auditors.
Review Guidelines - Ver A Final.pdf (2011-03-15)
Self Checkout Point
A Self Checkout Point is an EMV POS terminal solution where the customer scans the goods and performs the card payment himself under the surveillance of an operator. This document presents the PNC SAC Best Practices for fulfilling the brand requirements for Self Checkout Points. It also presents recommendations for Self Checkout Points.
Please note that if the Self Checkout Point does not fulfil all requirements described in the Best Practices document, it will be considered a UPT and will be subject to the UPT requirements.
Self Checkout Point - Ver A Final.pdf (2010-11-25)
Self Checkout Point - Forms - Ver A Final.docx (2010-11-25)
Hardware Security Module (HSM)
No market-specific requirements exist for Hardware Security Modules (HSMs) for PIN Transaction Security (PTS). HSMs are to meet the international HSM requirements defined by the international payment brands in PCI.
Hardware Security Module - Ver A Final.pdf (2010-11-18)
Old documents that are no longer valid
ped_sw_development_051212.pdf
PED_clear_text_rules_050622.pdf
recommended_crypto_methods_071203.pdf