Registration Steps and Solutions

To simplify the process of validating a specific payment solution for vendors, PNC and our members have developed a set of validation forms that make the validation easy. The PNC validation forms clarify the Visa and MasterCard security requirements for card payment products. Vendors validate their products by using these forms to ensure that their products fulfil the security requirements.

Below, you can find the validation steps and forms for different solutions. New software versions and hardware versions are to be validated. Follow the steps below.

 

  • Terminals and Electronic Cash Registers

  • Unattended Payment Terminals

  • Security Design for Terminals

Terminals and Electronic Cash Registers Validation Steps
1. Use terminals that cannot release cardholder data

The terminal vendor makes sure that the terminal is End-to-End Encryption (E2EE)-validated and listed on List 1. The process and the forms to validate the terminal are found in the E2EE – Terminal documents (E2EE Process, E2EE Terminal Form).

The terminal must also fulfil the requirements listed in the Visual Shield document.

2. Use electronic cash registers that do not handle any cardholder data

The ECR vendor only uses End-to-End Encryption (E2EE) terminals on List 1 and validates that the ECR does not handle electronic cardholder data.

  • The Payment Service Provider (PSP) fills in part 2 of the self assessment form.
  • The PSP sends the form to the ECR vendor who completes it and returns it to the PSP.
  • The PSP sends the form and registration information to PNC.
  • PNC lists Self Assessed ECR on List 2.

E2EE Process  List 1 Self Assessment Form

E2EE Terminal Form Visual shield List 2 

Unattended Payment Terminal Validation Steps

1. Use terminal components that cannot release cardholder data

The terminal vendor makes sure that the payment terminal components are E2EE-validated and listed on List 3. The process and the forms to list the terminal component are found in the E2EE – Terminal Component documents (E2EE Process, E2EE Terminal Form).

2. Use UPT Software that does not handle any cardholder data

The UPT Software vendor only uses E2EE terminal components listed on List 3 and validates that the UPT Software does not handle electronic cardholder data.

  • The Payment Service Provider (PSP) fills in part 2 of the self assessment form.
  • The PSP sends the form to the ECR vendor who completes it and returns it to the PSP.
  • The PSP sends the form and registration information to PNC.
  • PNC lists Self assessed UPT Software on List 4.

3. Use a secure exterior shield

The exterior shield vendor makes sure that the exterior shield is validated by a third-party auditor. The exterior shield vendor and the third-party auditor confirm in the Exterior Shield Form that:

  • Only E2EE terminal components listed on List 3 are used.
  • The E2EE terminal components are installed according to the terminal vendor’s guidelines.
  • The exterior shield prevents anyone other than the cardholder from seeing the PIN.
  • The merchant receives a clear manual for daily inspections to ensure that the exterior shield has not been modified by criminals since the last inspection. A template can be found in the Exterior Shield Template.
  • PNC lists secure exterior shields on List 5.

E2EE Process  List 3 E2EE Terminal UPT Form

Self Assessment Form List 4 List 5 Exterior Shield Form

Security Design for Terminals, Encrypting PIN Pad and Encrypting Card Readers

Validation Steps

The terminal manufacturers ensure that:

  • Terminals fulfil the visual shield and keyboard layout requirements found in the Visual Shield and Keyboard Layout documents.
  • Terminals, encrypting PIN pads and encrypting card readers are assessed by a third-party auditor according to the security assessment form.

The objectives are to prevent visual observation of the PIN being entered by the cardholder and to get information about the product design.

PNC lists Terminals, encrypting PIN pads and encrypting card readers that have been validated to fulfil the security design requirements on List 6.

PNC lists Terminals, encrypting PIN pads and encrypting card readers that the manufacturer’s test lab has validated to fulfil the security design requirements for listing on List 6.

For POI/UPT components assessed using PCI PTS v4.x or 5.x, QSAs will use the PCI listings and the manufacturer's Security Policy documentation for devices not in List 6. Optionally, manufacturers may choose to have their test lab submit the Security Design form as well.

E2EE Terminal Form List 6 Visual Shield Keyboard layout

PNA Card Service AB
Stortorget 13 B
S-211 22 Malmö

+46 40 250778
mail@pan-nordic.org