Validation

To simplify the process of validating a specific payment solution for vendors, PNC and our members have developed a set of validation forms that make the validation easy. The PNC validation forms clarify the Visa and MasterCard security requirements for card payment products. Vendors validate their products by using these forms to ensure that their products fulfil the security requirements.

Below, you can find the validation steps and forms for the different solutions. New software versions and hardware versions must also be validated. Follow the steps below.

Terminals and Electronic Cash Registers (ECR)

Validation steps:

1. Use terminals that cannot release cardholder data

The terminal vendor makes sure that the terminal is End-to-End Encryption (E2EE)-validated and listed on List 1. The process and the forms to validate the terminal are found in the E2EE - Terminal documents (E2EE Process, E2EE Terminal Form).

2. Use Electronic Cash Registers (ECR) that do not handle any cardholder data

The ECR vendor only uses End-to-End Encryption (E2EE) terminals on List 1 and validates that the ECR does not handle electronic cardholder data.

  • The Payment Service Provider (PSP) fills in part 2 of this form.
  • The PSP sends the form to the ECR vendor, who completes it and returns it to the PSP.
  • The PSP sends the form and registration information to PNC.
  • PNC lists the Self Assessed ECR on List 2.

Unattended Payment Terminals (UPT)

The Unattended Payment Terminal is a self-service device where the cardholder can perform card payments. It consists of three different parts with separate functions:

  • The payment terminal components (encrypting card reader, encrypting PIN PAD, etc.) used for making the card payment
  • The UPT software (for touch display, receipt printer, etc.) used for selecting the goods or the services, initiating the payment and providing the receipt
  • A secure exterior shield that protects the payment terminal components from being removed or changed, and prevents the PIN from being observed by others

Validation steps:

1. Use terminal components that cannot release cardholder data

The terminal vendor makes sure that the payment terminal components are E2EE-validated and listed on List 3. The process and the forms to list the terminal component are found in the E2EE - Terminal Component documents (E2EE Process, E2EE Terminal Components Form).

2. Use UPT Software that does not handle any cardholder data

The UPT Software vendor only uses E2EE terminal components listed on List 3 and validates that the UPT Software does not handle electronic cardholder data.

  • The PSP fills in part 2 of this form.
  • The PSP sends the form to the UPT Software vendor, who completes it and returns it to the PSP.
  • The PSP sends the form and registration information to PNC.
  • PNC lists the Self Assessed UPT Software on List 4.

3. Use a secure exterior shield

The exterior shield vendor makes sure that the exterior shield is validated by a third party auditor.

The exterior shield vendor and the third party auditor confirm in the form Exterior shield that:

  • Only E2EE terminal components listed on List 3 are used.
  • The E2EE terminal components are installed according to the terminal vendor’s guidelines.
  • The exterior shield prevents anyone other than the cardholder from seeing the PIN.
  • The merchant receives a clear manual for daily inspections, to ensure that the exterior shield has not been modified by criminals since the last inspection. A template can be found in Exterior Shield Template.

PNC lists secure exterior shields on List 5.

Third party auditors are found in the document Third party auditors.

Security design for terminals, encrypting PIN pad and encrypting card readers

Validation steps:

The terminal manufacturers ensure that:

  • Terminals fulfil the visual shield and keyboard layout requirements found in the following two documents: Visual Shield and Keyboard Layout.
  • Terminals, encrypting PIN pads and encrypting card readers are assessed by a third party auditor according to the following form.

The objectives are to prevent visual observation of the PIN while it is being entered by the cardholder, and to obtain information about the product design.

PNC lists Terminals, encrypting PIN pads and encrypting card readers that have been validated to fulfil the security design requirements on List 6.

PNC lists Terminals, encrypting PIN pads and encrypting card readers that the manufacturer's test lab has validated to fulfil the security design requirements for listing on List 6.

For POI/UPT components assessed using PCI PTS v4.x or 5.x, QSAs will use the PCI listings and the manufacturer's Security Policy documentation for devices not on List 6. Optionally, manufacturers may choose to have their test lab submit the Security Design form as well.