Paolo Basilio

Everything you need to know about implementing PTS v7.0 devices into your payment solution

The payments industry is preparing for significant changes with the introduction of PCI Payment Terminal Security (PTS) version 7. These new requirements will reshape how Point-of-Interaction (POI) devices operate, introducing enhanced security measures and new application architectures that payment service providers must understand and prepare for.

View the full webinar: Fireside chat 1-1

Four Key Areas of Change in PTS Version 7

PCI PTS version 7 introduces changes across four main areas that will impact manufacturers, payment service providers, and application developers:

1. Enhanced Device Security Cryptography

The new standard requires cryptographic implementations to provide at least 128 bits of effective key strength for device security functions. This requirement specifically applies to:

  • Firmware authentication processes
  • Internal POI device security mechanisms
  • Secure storage

Notably, this change eliminates TDES (TDEA) from device security functions, as TDEA keys do not provide the required 128-bit effective key strength. However, card data encryption and PIN encryption can continue to use TDEA in accordance with other standards such as PCI PIN and PCI P2PE.

2. TLS Protocol Requirements

PTS version 7 devices that implement an IP stack must support TLS 1.3 or higher and must prevent the use of versions below TLS 1.2. TLS 1.2 may still be supported, but every cipher suite must provide at least 128 bits of effective key strength, which eliminates the many TLS 1.2 cipher suites that rely on weaker constructions such as TDES, certain RSA key-exchange configurations, and CBC modes.

This requirement aligns with broader industry trends toward stronger encryption, though it may require application updates for service providers still using deprecated cipher suites.

3. Third-Party Application Sandboxing

Another significant change is that devices must now restrict third-party applications from accessing cleartext PAN or PIN data, even with whitelisting. Environments that can run third-party apps must be fully segregated from those handling sensitive data.

A new requirement explicitly prohibits the output of cleartext account data to any third-party application execution environment. This creates separate execution spaces for:

  • Payment applications (secure environment)
  • Non-payment applications like loyalty programs (sandboxed environment)

While this separation enhances security, it raises important questions about data sharing between applications. For example, how will loyalty applications access card data read through the device's card reader? The implementation details of this sandboxing could significantly impact application architecture and development.

4. Biometric Reader Requirements

PTS version 7 introduces new requirements for biometric readers, including security standards for:

  • Biometric data storage and protection
  • Reader integrity verification
  • Key management for biometric encryption

These requirements signal the industry's movement toward biometric cardholder verification methods (CVM) as alternatives to traditional PIN entry, though they also raise privacy concerns about biometric data collection, storage, and sharing.

Impact on Payment Service Providers

TLS Configuration Challenges

Service providers operating mixed environments with both PTS version 7 and legacy devices will need to carefully manage TLS configurations. While TLS 1.2 remains acceptable for older devices under current PCI DSS requirements, PTS version 7 devices will enforce the new, stronger requirements.

The transition may require application updates to ensure compatibility with stronger cipher suites and could affect performance, particularly as organizations move away from RSA toward elliptic curve cryptography to maintain acceptable performance levels.
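To make the TLS requirement concrete for both the device-side rule above (TLS 1.2 allowed only with 128-bit AEAD suites) and the mixed-environment configuration problem in this section, here is an added example that is not part of the original article or the webinar. It scores IANA cipher-suite names against a 128-bit effective-strength bar and then builds a hardened Python `ssl.SSLContext` for the service-provider side. The strength table, the sample suite list, and the decision to treat static RSA key transport as failing (one reading of the article's "certain RSA implementations") are this example's own assumptions; the OpenSSL cipher names used are real.

```python
import ssl

# Bulk-cipher component of an IANA suite name -> (effective key bits, is_AEAD).
# Constructed for this example; 3DES is scored at its 112-bit effective strength,
# which is exactly why it fails a 128-bit requirement.
BULK_STRENGTH = {
    "AES_128_GCM": (128, True), "AES_256_GCM": (256, True),
    "AES_128_CCM": (128, True), "AES_256_CCM": (256, True),
    "AES_128_CCM_8": (128, True), "CHACHA20_POLY1305": (256, True),
    "AES_128_CBC": (128, False), "AES_256_CBC": (256, False),
    "3DES_EDE_CBC": (112, False), "DES_CBC": (56, False),
    "RC4_128": (128, False), "NULL": (0, False),
}

def evaluate_suite(name):
    """Return (accepted, reason) for one IANA cipher-suite name."""
    # Longest key first so AES_128_CCM_8 is not mistaken for AES_128_CCM.
    bulk = next((k for k in sorted(BULK_STRENGTH, key=len, reverse=True)
                 if f"_{k}_" in f"{name}_"), None)
    if bulk is None:
        return False, "unrecognised bulk cipher"
    bits, aead = BULK_STRENGTH[bulk]
    if bits < 128:
        return False, f"{bulk} gives only {bits}-bit effective strength"
    if not aead:
        return False, f"{bulk} is not an AEAD mode (CBC and stream ciphers excluded)"
    if "_WITH_" in name:  # TLS 1.2-style names carry the key exchange; TLS 1.3 names do not
        kx = name[len("TLS_"):name.index("_WITH_")]
        if "anon" in kx:
            return False, f"{kx}: unauthenticated key exchange"
        if not (kx.startswith("ECDHE") or kx.startswith("DHE")):
            # Assumption of this example: static RSA key transport is treated as failing.
            return False, f"{kx}: no ephemeral (forward-secret) key exchange"
    return True, "ok"

def filter_cipher_suites(names):
    """Split a list of suite names into the accepted list and a {name: reason} dict."""
    accepted, rejected = [], {}
    for name in names:
        ok, why = evaluate_suite(name)
        if ok:
            accepted.append(name)
        else:
            rejected[name] = why
    return accepted, rejected

# Constructed sample: a typical legacy terminal-facing list mixing strong and weak suites.
SAMPLE_SUITES = [
    "TLS_AES_128_GCM_SHA256",                  # TLS 1.3
    "TLS_CHACHA20_POLY1305_SHA256",            # TLS 1.3
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CCM",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",         # static RSA key transport
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",   # CBC mode
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",           # TDES, 112-bit
    "TLS_DH_anon_WITH_AES_128_GCM_SHA256",     # anonymous DH
    "TLS_RSA_WITH_NULL_SHA",                   # no encryption
]

# OpenSSL names of the TLS 1.2 suites that pass the filter; ECDSA variants listed first
# because the article notes the move from RSA toward elliptic curve keys for performance.
HARDENED_TLS12_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-CHACHA20-POLY1305",
])

def build_hardened_context():
    """Server-side context: TLS 1.2 floor, AEAD-only ECDHE suites for 1.2, TLS 1.3 left enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses TLS 1.0/1.1 handshakes
    ctx.set_ciphers(HARDENED_TLS12_CIPHERS)         # TLS 1.3 suites are all AEAD and unaffected
    return ctx

def enabled_cipher_names(ctx):
    """Names of every suite the context will actually negotiate (TLS 1.2 and 1.3)."""
    return [c["name"] for c in ctx.get_ciphers()]

if __name__ == "__main__":
    accepted, rejected = filter_cipher_suites(SAMPLE_SUITES)
    print("accepted:", accepted)
    for name, why in rejected.items():
        print(f"rejected {name}: {why}")
    print("context offers:", enabled_cipher_names(build_hardened_context()))
```

Running the module prints why each weak suite fails, which is the list a service provider needs when auditing an existing gateway; the hardened context is what a PTS v7 device should be able to negotiate, while legacy devices that still need TLS 1.2 can be served from the same context without reintroducing CBC or TDES suites.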

Third-Party Application Architecture

The new sandboxing requirements may present complex implementation challenges. Current application architectures that rely on memory sharing between payment and non-payment applications may no longer work. Alternative communication methods, such as loopback addresses for IP stack communications, may be required.

Key concerns include:

  • Data sharing limitations: How will loyalty applications receive necessary transaction data while maintaining security boundaries?
  • IP stack management: Should non-payment applications use the secure OP module or standard Java IP libraries? Each approach presents different security trade-offs.
  • Android device implications: The open architecture of Android-based terminals introduces additional complexity in managing application segmentation.
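One way to answer the data-sharing question raised in the sandboxing section above and in the list just given (a loyalty application that needs transaction data without ever seeing cleartext PAN or PIN) is to let the payment environment publish only derived, non-sensitive fields over a loopback socket. The following is an added example written for this article, not code from any terminal vendor or from the webinar: the record contents, the allow-list, the masking and tokenization scheme, and the JSON request format are all this example's own assumptions, and the HMAC key shown stands in for a key that would live inside the secure environment or an HSM.

```python
import hashlib
import hmac
import json
import socket
import threading

# Constructed sample data held inside the payment (secure) environment.
# The PAN and PIN block are made-up test values.
PAYMENT_ENV_RECORDS = {
    "txn-0001": {
        "pan": "4123450000001234",         # cleartext PAN: never leaves the secure environment
        "pin_block": "A1B2C3D4E5F60718",   # never leaves the secure environment
        "amount": "12.50",
        "currency": "EUR",
        "auth_code": "123456",
    }
}
TOKEN_KEY = b"constructed-demo-key-do-not-reuse"  # placeholder for a key kept in the secure side / HSM

def mask_pan(pan):
    """First six and last four digits only, the usual masked-PAN form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def card_token(pan):
    """Keyed token so the loyalty app can recognise a returning card without the PAN."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()[:16]

def export_for_third_party(txn_id, record):
    """Build the only view of a transaction the sandboxed environment may receive."""
    exported = {
        "txn_id": txn_id,
        "masked_pan": mask_pan(record["pan"]),
        "card_token": card_token(record["pan"]),
        "amount": record["amount"],
        "currency": record["currency"],
        "auth_code": record["auth_code"],
    }
    # Tripwire at the boundary: refuse to emit the cleartext PAN or PIN block under any key.
    for value in exported.values():
        if value in (record["pan"], record["pin_block"]):
            raise ValueError("cleartext account data must not cross the sandbox boundary")
    return exported

def payment_env_server(server_sock):
    """Payment-environment side: answers exactly one loopback request, then returns."""
    conn, _ = server_sock.accept()
    with conn, conn.makefile("rw", encoding="utf-8") as stream:
        request = json.loads(stream.readline())
        record = PAYMENT_ENV_RECORDS.get(request.get("txn_id"))
        if request.get("op") != "transaction_summary" or record is None:
            reply = {"error": "unknown request"}
        else:
            reply = export_for_third_party(request["txn_id"], record)
        stream.write(json.dumps(reply) + "\n")
        stream.flush()

def loyalty_app_request(port, txn_id):
    """Sandboxed-environment side: asks for a summary over 127.0.0.1 and parses the reply."""
    with socket.create_connection(("127.0.0.1", port)) as sock, \
            sock.makefile("rw", encoding="utf-8") as stream:
        stream.write(json.dumps({"op": "transaction_summary", "txn_id": txn_id}) + "\n")
        stream.flush()
        return json.loads(stream.readline())

def run_demo(txn_id="txn-0001"):
    """Run one request/response exchange over loopback and return what the loyalty app saw."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))   # loopback only; port 0 lets the OS pick a free port
    server.listen(1)
    port = server.getsockname()[1]
    worker = threading.Thread(target=payment_env_server, args=(server,))
    worker.start()
    try:
        return loyalty_app_request(port, txn_id)
    finally:
        worker.join()
        server.close()

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of the allow-list plus tripwire is that the interface between the two environments is the only place the payment side has to get right: the loyalty application receives a masked PAN, a keyed token and the authorization result, which is enough for points accrual, while the cleartext PAN and PIN block never exist on the sandboxed side at all. On a real terminal the loopback listener would additionally be bound to the payment application's own process identity and access-controlled by the device OS, which this example does not model.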

Preparing for PTS Version 7

Immediate Actions

Engage with device manufacturers to understand specific implementation details and timelines. Different manufacturers may implement sandboxing and application segmentation differently, requiring tailored preparation strategies.

Assess current applications for TLS compatibility and third-party application dependencies. This evaluation should include both payment and non-payment software to identify necessary updates.

Involve development teams early in planning discussions to understand the scope of potential application changes and development timelines.

Long-term Considerations

The changes introduced in PTS version 7 reflect broader industry evolution toward enhanced security and new payment methods. Organizations should consider these requirements not just as compliance obligations but as strategic opportunities to modernize payment infrastructure.

Application re-architecture may take several months, making early engagement with manufacturers and development partners crucial for smooth transitions.

Looking Ahead

PTS version 7 represents a significant step forward in payment terminal security, addressing modern threats while enabling new payment methods. However, the transition will require careful planning, particularly around third-party application integration and TLS implementation.

Payment service providers should begin evaluation processes now to understand how these changes will impact their specific environments and applications. The complexity of application sandboxing and the variability in manufacturer implementations make early preparation essential for maintaining operational continuity during the transition.

The payments industry has relied on encryption methods developed in the late 1970s for nearly 50 years. PTS version 7 signals a crucial modernization effort that will enhance security but requires proactive preparation to ensure successful implementation.
