Mag Stripe Reader Compliance


BrianR
03-04-2009, 12:31 PM
Can someone enlighten me on PCI DSS requirements for magnetic stripe readers? I was doing research on a USB connected reader which does not seem to encrypt from the device to the terminal. A group wants to deploy these devices as a stop-gap until the manufacturer releases an upgraded version which is designed to meet PCI DSS. It appears that only this manufacturer's product is supported by the acquired payment application.

stewart05
03-04-2009, 01:00 PM
As far as I'm aware, there is no requirement for MSRs to encrypt CHD at all. There are MSRs that will do this, but there is no requirement in PCI-DSS. The data from the MSR needs to be encrypted when it reaches whatever application the MSR is sending the data to.

Most MSRs just dump the track data directly into the PC's keyboard buffer and the application grabs that data from there.

If you want to use the MSRs that encrypt the card data before they send it anywhere, your application needs to develop an interface to that MSR.

One other option is to use straight serial MSRs, not USB or PS2. With serial connections only 1 application or process can have the com port open at any one time, so there is no chance of like a keyboard sniffer/man-in-middle attack on the CHD from the MSR to the application.
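
Added example, not part of the thread: because a keyboard-wedge MSR delivers track data as ordinary keystrokes, any text field, log or captured input buffer on that PC can end up holding clear track data. This Python sketch finds ISO/IEC 7813 track 1 and track 2 strings in text and redacts them; the function names, the first-six/last-four mask and the sample swipe (built around a test card number) are assumptions made for the example.

```python
import re

# ISO/IEC 7813 framing as a keyboard-wedge reader types it:
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1 = re.compile(r"%B(\d{12,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
TRACK2 = re.compile(r";(\d{12,19})=(\d{4})(\d{3})([^?]*)\?")

def luhn_ok(pan):
    """Luhn check, used to separate real PANs from look-alike strings."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Keep first six and last four digits (assumed masking policy)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def redact_swipe(text):
    """Replace every track 1 / track 2 string in text; return (text, findings)."""
    findings = []

    def replacer(track):
        def _sub(match):
            pan = match.group(1)
            findings.append(
                {"track": track, "pan": mask_pan(pan), "luhn": luhn_ok(pan)}
            )
            return "[TRACK%d %s REDACTED]" % (track, mask_pan(pan))
        return _sub

    text = TRACK1.sub(replacer(1), text)
    text = TRACK2.sub(replacer(2), text)
    return text, findings

# Constructed sample: what a text field sees after one swipe of a test card.
SAMPLE = ("notes: %B4111111111111111^TEST/CARD^2512101000000000?"
          ";4111111111111111=2512101000000000? end")

if __name__ == "__main__":
    clean, hits = redact_swipe(SAMPLE)
    print(clean)
    for hit in hits:
        print(hit)
```

Running it over application logs, crash dumps or support tickets shows where swipe data landed outside the payment application.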