Connect with us

Hi, what are you looking for?



PCI Security Standards Council Publishes Guide for Securing Terminal Software

The PCI Security Standards Council (PCI SSC) published guidance today on the secure development and maintenance of software designed to run on point-of-interaction (POI) devices.  

The PCI Security Standards Council (PCI SSC) published guidance today on the secure development and maintenance of software designed to run on point-of-interaction (POI) devices.  

POI devices are hardware or software components in point-of-sale equipment that allow a consumer to use a credit card to make a purchase, such as a PIN pad. According to the PCI SSC, the document is intended to address software that exists on POI devices, including payment and non-payment applications, and reinforce the importance of a layered approach to security.

“The goal of this document is to ensure that all organizations responsible for software development (and device management) understand the potential threats, and employ appropriate processes throughout the development life cycle to counter those threats,” according to the document. “The processes followed will depend on the organization, the type of application being developed, and the software languages used, but the principles remain the same.”

The document is meant to help organizations – including POI device vendors – that write or implement applications within a POI device understand the threats and counter them throughout the development lifecycle, according to the PCI SSC. It also comes at a time when cybercriminals have increasingly been paying attention to point-of-sale devices and targeting both retailers as well as vendors of point-of-sale devices (PoS). 

“Criminals are looking at every aspect of a payment transaction to find ways for data exfiltration,” said PCI SSC Chief Technology Officer Troy Leach, in a statement. “While consumers and merchants alike benefit from additional features, complexity and increasing dependency on third-party applications can create new opportunities for exploit which is why due diligence is so vital in the development of software that terminals rely upon. This paper highlights important best practices for software coding in this unique environment.”

According to the PCI SSC, organizations can use this guidance to help ensure standard secure coding practices are followed, including:

Security awareness training that supports secure software development:

Advertisement. Scroll to continue reading.

• Those involved in the development process (including software developers and peer reviewers), have important roles to play in developing software to ensure secure coding practices are implemented and address current threats. Those roles need to be defined before development begins and those individuals need to be trained and understand the secure software development program.

Secure software development lifecycle:

• Organizations need to have a software security roadmap defined before development begins that will address known threats. The software needs to be mapped and documented, and rules and processes defined so that security is implemented as part of the development process and not incorporated as an afterthought.

Device-level testing:

• It is imperative to understand how the application will work when used with the hardware, firmware, and other applications that it is intended for use with. While simulators and unit testing are essential, testing the device with the complete solution should be a priority.

Internal process reviews:

• The threat environment is constantly evolving which is why organizations need to stay current on the latest threats and changes to ensure the procedures in place are still sufficient and are actually being followed.

Michael Belton, team lead of assessment services at Rapid7, said that for an average retailer, performing hardware and software security testing on a product they purchased is cost-prohibitive.

“Security awareness training for developers, along with secure software development lifecycle practices, help ensure consistency across developers working on an application,” he said. “This consistency in security design and expectations means applications are released with fewer bugs that can be exploited. Penetration testers encounter issues related to security lifecycle practices every time they perform an assessment. These two items are perhaps the most critical challenges towards creating software that operates in a secure and predictable manner.”

The document can be read here.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...