According to PCI-DSS requirement 3.5.2:

We should store secret keys in a cryptographic device.

Cryptographic devices:

1. HSM

2. PTS-approved point of interaction device

My questions:

I have some knowledge about HSMs: an HSM encrypts the KEK using a master key. I have also read about the Thales HSM and I'm aware of it. But when I looked into PTS, I couldn't understand it.

  1. What is PTS, and is it a device like an HSM?

  2. How does PTS differ from an HSM?

  3. Which is the best practice, HSM or PTS?

RajeshKannan

1 Answer

Very, very simple and in very simple words:

  1. HSM: is an appliance that manages keys. [Image: HSM appliance]
  2. PTS: is basically a card reader which allows you to enter a PIN number. [Image: PTS device]

I forgot to "actually" answer the other two questions but I guess that an image is worth a thousand words =)

kiBytes
  • What you show is a PoS (Point of Sales), not a PTS. PTS is the name of the PCI spec that applies to PoS (and PoI in general). – Gilles 'SO- stop being evil' Feb 25 '14 at 20:31
  • @Gilles I believe he refers to the so-called PTS-dev in the PCI-DSS, but I might be wrong. – kiBytes Feb 25 '14 at 20:39
  • @kiBytes Could you please confirm whether the second image you have mentioned for PTS is a POS or a PTS? Are POS and PTS the same? – RajeshKannan Feb 26 '14 at 05:39
  • PTS by itself means "PIN transaction security", but when you are referring to the "devices", they are usually called points of interaction. If you are comparing HSM and PTS, I believe you are referring to PTS devices, and the point of sales you see in the picture is a good example of a PTS-dev. – kiBytes Feb 26 '14 at 06:48