Society of Payment Security Professionals Forum  


#1 PCIParanoid (Junior Member), 03-13-2009, 06:33 AM
Contrasting PED/EPP with MSR Requirements?

We currently have MSRs in our environment (Magnetic Stripe Readers). The PCI-PED Security requirements state that we need to inventory PEDs (obtain and track information about each PED device and comply with a list of approved PED devices), but they do not talk about MSRs and how they are handled.

So I have three questions about MSRs please:

1) Are MSRs supposed to be treated the same way as PEDs and follow the PCI-PED standards?

2) More specifically, are MSRs supposed to be inventoried/documented like the PEDs? Are they supposed to have a list of approved "MSR" devices like PEDs do?

3) If they are not supposed to be treated the same as PEDs, why?



TIA for patience and help!
#2 andrewj (Senior Member), 03-13-2009, 02:01 PM

No, MSRs that are not contained in a PIN entry device are not _required_ to be treated in the same way as PEDs. However, for good business practice, you may still want to keep track of them and make sure they do not start sprouting strange attachments.

There is no requirement, or even program, for the approval of MSRs. The security of the card reader in PIN Entry Devices is assessed in the newer v2.x standards, and will be in the Unattended Payment Terminal (UPT) and ATM standards when they are published. MSR security was not assessed in the v1.x PCI PED standard.

This is one of the reasons why separate MSR readers are not required to be treated like PEDs - until recently, even the card readers in PEDs themselves were not assessed for security. PCI may decide at some point that MSR security is required for all devices, but if they do, it will not be a part of the PED program (as this is specifically, and only, for PIN Entry Devices, and cannot be applied to just a card reader).

All times are GMT -8.


Copyright (c) The Aegenis Group, Inc.