PCI PIN Security v3.1
Framework
П.1.1
PIN Security Requirements:
1-1 The entity acquiring PIN-based transactions is responsible for maintaining information sufficient to demonstrate the use of approved devices. For each individual device, the minimal information elements are indicated below (in line with PCI PIN Requirement 30, PCI PIN Requirement 33, and PCI DSS Requirement 9.9.1):
- The company name (vendor) of the device model
- The device model name
- The PCI PTS Approval Number
The POI device information must include the following summary information:
- List of models used
- Total number of devices, broken down by model.
Note: The addition of applications that replace or disable the PCI evaluated firmware functionality invalidates the device approval for each such implementation unless those applications are validated for compliance to PTS POI Security Requirements and listed as such in the approval listings.
Testing Procedures:
1-1 Testing Procedures applicable to POI devices (PCI PTS standards):
1-1.a Obtain the POI device information. Check for the completeness of the information.
1-1.b Compare the information against the list of approved PTS devices at www.pcisecuritystandards.org to determine which POI devices used are PCI approved and are listed, with a valid PCI approval number on the PCI SSC website.
1-1.c For devices identified as PCI approved, verify that all of the following POI device characteristics match the PCI PTS listing.
- Vendor name
- Model name/number
- Hardware version number
- Firmware version number
- Name and application version number of any applications resident within the device that were included in the PTS assessment
1-1.d For a sample of the PCI-approved devices, verify that the device displays the firmware version and either displays or has a label with the hardware version number.
Note: PCI-approved devices must show the same version numbers of hardware and firmware as have been approved and are shown in the list of approved devices. If it is not displayed, the hardware number must be shown on a label attached to the device. The firmware and application version numbers, and optionally the hardware version number, must be shown on the display or printed during startup or on request. This includes all modules addressed in testing, including SRED and Open Protocols. For unattended devices, the focal point is the PIN-entry vehicle.
1-1.e Using the sample above, identify all other software (applications) on the device and that software’s functionality and verify that the software does not replace or disable the PCI-evaluated firmware functionality unless that software is also validated and PCI approved as shown on the PCI website.
Note: The entity acquiring PIN-based transactions is responsible for identifying all software on the device that has been added subsequent to the device’s approval. Any such software should be developed in accordance with the device vendor’s security guidance, which stipulates what is and is not allowed, e.g., replacing the device’s PCI evaluated IP stack with an IP stack bundled with the add-on application would invalidate the approval. See PTS POI Technical Frequently Asked Questions, General FAQ #42, for additional information.
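The record checks in testing procedures 1-1.a through 1-1.c can be scripted. The following is an added example, not part of the PCI standard or of this page: the field names, serials, version strings and approval numbers are constructed placeholders, and the approved list is assumed to have been exported by hand from the PCI SSC listing. It compares vendor, model, hardware and firmware only; resident applications (last item of 1-1.c) and steps 1-1.d and 1-1.e still need inspection of the devices.

```python
from collections import Counter

# Minimal per-device elements from requirement 1-1.
REQUIRED = ("vendor", "model", "pts_approval_number")
# Characteristics compared against the PTS listing in 1-1.c.
MATCH = ("vendor", "model", "hardware_version", "firmware_version")

# Constructed extract of the approved-device list (placeholder values only).
APPROVED = [
    {"pts_approval_number": "PTS-EXAMPLE-001", "vendor": "ExampleVendor",
     "model": "EX-100", "hardware_version": "HW-1.0", "firmware_version": "FW-2.3"},
]

def dev(serial, approval, model="EX-100", fw="FW-2.3"):
    """Build one constructed inventory record."""
    return {"serial": serial, "pts_approval_number": approval, "vendor": "ExampleVendor",
            "model": model, "hardware_version": "HW-1.0", "firmware_version": fw}

# Constructed POI inventory: one clean record and three kinds of finding.
INVENTORY = [
    dev("SN001", "PTS-EXAMPLE-001"),
    dev("SN002", "PTS-EXAMPLE-001", fw="FW-2.4"),    # firmware differs from listing
    dev("SN003", ""),                                # approval number not recorded
    dev("SN004", "PTS-EXAMPLE-999", model="EX-200"), # number absent from the list
]

def check_inventory(inventory, approved):
    """Return (serial, finding, details) for every record that fails 1-1.a to 1-1.c."""
    listing = {a["pts_approval_number"]: a for a in approved}
    findings = []
    for d in inventory:
        missing = [f for f in REQUIRED if not d.get(f)]
        if missing:                                   # 1-1.a: completeness
            findings.append((d["serial"], "incomplete", missing))
            continue
        entry = listing.get(d["pts_approval_number"])
        if entry is None:                             # 1-1.b: listed and approved
            findings.append((d["serial"], "not_listed", [d["pts_approval_number"]]))
            continue
        diff = [f for f in MATCH if d.get(f) != entry[f]]
        if diff:                                      # 1-1.c: characteristics match
            findings.append((d["serial"], "mismatch", diff))
    return findings

def summary_by_model(inventory):
    """Summary information required by 1-1: models used and device count per model."""
    return dict(Counter(d.get("model") or "<unknown>" for d in inventory))

if __name__ == "__main__":
    for finding in check_inventory(INVENTORY, APPROVED):
        print(finding)
    print(summary_by_model(INVENTORY))
```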