Registration Steps and Solutions
To simplify the process of validating a specific payment solution for vendors, PNC and our members have developed a set of validation forms that make the validation easy. The PNC validation forms clarify the Visa and MasterCard security requirements for card payment products. Vendors validate their products by using these forms to ensure that their products fulfil the security requirements.
Below, you can find the validation steps and forms for different solutions. New software versions and hardware versions are to be validated. Follow the steps below.
-
Terminals and Electronic Cash Registers
-
Unattended Payment Terminals
-
Security Design for Terminals
Terminals and Electronic Cash Registers Validation Steps
1. Use terminals that cannot release cardholder data
The terminal vendor makes sure that the terminal is End-to-End Encryption (E2EE)-validated and listed on List 1. The process and the forms to validate the terminal are found in the E2EE – Terminal documents (E2EE Process, E2EE Terminal Form).
The terminal must also fulfil the requirements listed in the document: Visual Shield
2. Use electronic cash registers that do not handle any cardholder data
The ECR vendor only uses End-to-End Encryption (E2EE) terminals on List 1 and validates that the ECR does not handle electronic cardholder data.
- The Payment Service Provider (PSP) fills in part 2 of the self assessment form.
- The PSP sends the form to the ECR vendor who completes it and returns it
to the PSP. - The PSP sends the form and registration information to PNC.
- PNC lists Self Assessed ECR on List 2.
Unattended Payment Terminal Validation steps
1. Use terminal components that cannot release cardholder data
The terminal vendor makes sure that the payment terminal components are E2EE-validated and listed on List 3. The process and the forms to list the terminal component are found in the E2EE – Terminal Component documents (E2EE Process, E2EE Terminal Form).
2. Use UPT Software that do not handle any cardholder data
The UPT Software vendor only uses E2EE terminal components listed on List 3 and validates that the UPT Software does not handle electronic cardholder data.
- The Payment Service Provider (PSP) fills in part 2 of the self assessment form.
- The PSP sends the form to the ECR vendor who completes it and returns it
to the PSP. - The PSP sends the form and registration information to PNC.
- PNC lists Self assessed UPT Software on List 4
3. Use a secure exterior shield
The exterior shield vendor makes sure that the exterior shield is validated by a third party auditor. The exterior shield vendor and the third party auditor confirm in the
Exterior shield form that:
- Only E2EE terminal components listed on List 3 are used.
- The E2EE terminal components are installed according to the terminal vendor’s guidelines.
- The exterior shield is preventing other than the cardholder from
seeing the PIN. - The merchant is getting a clear manual for daily inspections to ensure that the exterior shield has not been modified by criminals since the last inspection. A template in found can be found on Exterior Shield Template.
- PNC lists secure exterior shields on List 5.
Security Design for Terminals, Encrypting PIN Pad and Encrypting Card Readers
Validation Steps
The terminal manufacturers ensure that:
- Terminals fulfil the Visual shield and keyboard layout requirements found in the following the Visual Shield and Keyboard Layout documents.
- Terminals, encrypting PIN pad and encrypting card readers are assessed by a third party auditor according to the security assessment form.
The objectives are to prevent visual observation of PIN being entered by the cardholder and to get information about the product design.
PNC lists Terminals, encrypting PIN pads and encrypting card readers that have been validated to fulfil the security design for E2EE requirements on List 1.
PNC lists Terminals, encrypting PIN pads and encrypting card readers that the manufacturer’s test lab has validated to fulfil the security design requirements for listing on List 1.
For POI/UPT components must have a PCI PTS v4.x approval or higher.