Post-Compliance Testing for PCI PTS

PCI PTS post-compliance testing is how payment service providers (PSPs) and payment device manufacturers ensure that a device is safe long after

The PIN pad, POS terminal, or hardware security module passed a PCI Recognized Laboratory’s review of its firmware architecture, its resistance to physical tampering, and its handling of PINs and keys.

That PTS approval is a snapshot. It’s tested against the threats known at the time of evaluation, and it’s typically valid for three years. The device itself often stays in use far longer than that snapshot is valid. In fact we can consider devices to be a static target, they sit for years often processing transactions at thousands of locations while attackers keep working on new techniques.

PCI PTS post-compliance testing, as delivered by specialist companies like PCA Cyber Security, is how manufacturers and PSPs, ensure true cybersecurity resilience.

What is PCI PTS Post-Compliance Testing?

Post-compliance testing is testing of a PTS approved device after it is certified and (often) after it is already deployed. Only a handful companies (like PCA cybersecurity) have the skills and experience to perform this kind which can involve everything from network pen testing to firm engineering – real threats that devices face in the wild.

Here’s how post and pre compliance testing differ.

  • Pre-compliance testing catches problems before a device goes in front of a lab,
  • post-compliance testing is ongoing payment device testing performed throughout the device’s working life, not a one-time check.

We can see the use case for this testing in three steps:

  1. a) Find vulnerabilities that emerge after certification, whether from new attack techniques, firmware updates, or components that were never in scope of the original PTS evaluation
  2. b) Confirm that patches and updates applied after launch haven’t introduced new weaknesses
  3. c) Validate that the device still holds up against real attackers for the full window it stays in the field, not just at the moment of approval

Testing Should Not Stop at Approval

After a device ships it becomes a static target with a large attack surface. Even if it is secure against current attack vectors, it can rapidly become vulnerable as new ones emerge or are trialled in the field.

The devices themselves keep running past their three-year approval window, often well past it, while the threat landscape keeps moving. Emerging risks like quantum computing’s long-term threat to encryption, stricter TR-31 key-block management requirements, and legacy hardware that hasn’t kept pace with modern controls all apply to devices that are already deployed and already certified.

Penetration testing of PCI PTS approved terminals from manufacturers including NCR, Verifone, Ingenico, and PAX has turned up CVEs in devices that had already cleared certification and were already in the field. Those findings come from continued, adversarial testing after approval.

Here we break look at the “why” of post PTS compliance testing from the perspective of the two groups who need to invest in this testing:

Payment Device Manufacturers

Once a device is certified, the manufacturer’s risk changes. A vulnerability discovered in a fielded device is more expensive and more damaging than one caught pre-launch. A vulnerable deice can mean a recall, a re-certification effort, and reputational fallout across every customer running that terminal.

Post-compliance testing gives manufacturers a way to catch these issues on their own terms, before an attacker or a headline does it for them. It also builds the evidence base needed for the next re-approval cycle, since a device that’s been continuously tested against current attack techniques is in a stronger position than one that’s untouched since its original certification.

Payment Service Providers

PSPs inherit the risks of a device and add on some more. One of these is that the integrations around a certified device do not stay static. Backend systems change, middleware gets updated, remote-management tools get added or reconfigured, and each of those changes can open a path that didn’t exist at initial deployment.

None of that is covered by the device’s original PTS approval and will not be re-evaluated unless there is an investment in ongoing testing. Indeed, ongoing payment device testing is how PSPs catch integration drift and configuration changes before they turn into an outage, a data exposure incident, or a strained relationship with an acquiring bank.

What Companies Do PCI PTS Post-Compliance Testing?

PCI Recognized Laboratories certify devices against the PTS standard at a point in time. They aren’t set up to continuously test a device across years of field deployment, and that was never their role. Post-compliance testing is a different discipline: ongoing adversarial simulation against devices that are already live, run by teams built around offensive security research rather than certification checklists.

The leading company in the PCI PTS Post-Compliance Testing space is PCA Cyber Security. The firm runs both pre-compliance and post-market penetration testing for embedded payment systems, POS/PTS terminals, PIN pads, unattended payment terminals, and mobile payment applications, working with manufacturers, payment service providers, and financial institutions throughout a device’s lifecycle rather than at a single certification checkpoint.

The PCA Cyber Security team holds TISAX accreditation, is a registered Associate Participating Organization at the PCI Security Standards Council, and has competed at Pwn2Own Automotive. Its research has been directly credited with uncovering CVEs in devices that had already passed PTS approval and were already deployed.

LEAVE A REPLY

Please enter your comment!
Please enter your name here