Approval numbers are assigned by PCI SSC at the time of approval and remain the same for the life of the device's approval.
This field may be used to place any additional pertinent information. For example, when a vendor has changed the status of a device to end-of-life (EOL), as delineated in 5.4, “Approval-Listing Fee,” and thus the device is no longer available for purchase except for maintenance purposes. Devices with EOL status are no longer supported by the vendor and no deltas are processed for those devices. The date and month of the EOL will be listed on the Website
This will also be used for v2, v3 and v4 HSMs to delineate whether they are approved for restricted or unrestricted usage as delineated in the HSM Security Requirements:
Devices supporting ISO PIN Block Format 4 (AES) will be noted here. For additional information on whether the MK/SK, DUKPT or Fixed Key methodologies are supported for AES PIN Blocks, see the Key Management section. POI v5 and higher devices supporting online PIN and HSM v4 and higher devices supporting PIN processing are required to support ISO PIN Block Format 4.
This field will also be used for notation for POI v6 and higher devices supporting Bluetooth and/or Wi-Fi that have been architected and evaluated to support unauthenticated wireless communications using those technologies.
In addition, v4 HSMs that meet additional criteria to support remote-e.g., non-console-administration for configuration and cryptographic key loading, will be noted here as “Remote-managed HSM.” Requirements for Remote-managed HSMs are a subset of those for Multi-tenant HSMs.
Devices must support key blocks using the ANSI X9.143 key-derivation methodology for TDES keys, and for AES keys, must support either the X9.143 methodology or the ISO 20038 methodology. In either case, equivalent methods can be used where subject to an independent expert review and where that review is publicly available. The link provided here is where a vendor who implements a proprietary method has had that method validated in accordance with PCI-prescribed criteria as equivalent.
The Approval Class is used by PCI to ensure that its payment security device approvals accurately describe today's ever-evolving designs, architectures, and implementations. All POIs and HSMs approved by PCI SSC in the framework of the PCI PTS Device Security Evaluation Program, regardless of the designated Approval Class, carry PCI's full approval status. Financial institutions, or their designated agents (e.g., merchants or processors), should make sure that they understand the different classes, as they represent how the payment security device has met the PCI PTS Device Security Requirements. Detailed Approval Class Descriptions can be found in the Device Approval & Testing Guide.
(PED, RAP, UPT)
"Approved components" contains, when relevant, the list of approved components that are part of the approved device, and which have successfully undergone a distinct evaluation. Each component is listed with its approval number.
The use of a device with components e.g., EPPs, card readers that are different than that listed as an approved component for that device invalidates that device’s approval.
RAP devices may be listed as an approved component of one or more associated HSMs. For v4 and higher HSMs, the HSM must be validated to the Remote-Managed HSM requirements.
Version refers to the version of the security requirements the device has been evaluated against. Each approval class may follow its own version release schedule.
The expiration date for PCI-approved devices is the date upon which the device's approval expires. All device approvals expire
in accordance with the schedule below, except for SCRPs.
For SCRPs the approvals will expire five years after the date of approval.
Requirements Version Used |
Expiration of Requirements |
Approval Expiration of Device Models |
Version 4.x of PCI HSM Security Requirements |
December 2025 |
April 2032 |
Version 6.x of PCI PTS POI Security Requirements |
June 2025 |
April 2031 |
Version 5.x of PCI PTS POI Security Requirements |
June 2021 |
April 2026 |
Version 3.x of PCI HSM Security Requirements |
December 2022 |
April 2026 |
Version 4.x of PCI PTS POI Security Requirements |
September 2017 |
April 2024 |
Version 2.x of PCI HSM Security Requirements |
June 2017 |
April 2022 |
Version 3.x of PCI PTS POI Security Requirements |
April 2014 |
April 2021 |
Version 1.x of PCI HSM Security Requirements |
April 2013 |
April 2019 |
Version 2.x of PCI PED or EPP Security Requirements |
April 2011 |
April 2017 |
Version 1.x of PCI UPT Security Requirements |
April 2011 |
April 2017 |
Version 1.x PCI PED or EPP Security Requirements |
April 2008 |
April 2014 |
Approvals for PCI-evaluated devices expire six years past the effective date of a subsequent major (5.0, 6.0, etc.) update of the applicable PCI security requirements.
POI v6 firmware expires three years from the date of approval, but shall not expire past the overall approval expiration of the device.
(EPP, PED, SCR, SCRP, UPT)
"PIN Support"denotes the type of PIN entry verification that can be supported by the POI.
"Online" represents that the POI has the capability to support online PIN verification by the payment card's issuer or its designated processor. To pass testing, POIs that support online PIN entry must support the use of TDES or AES to protect the PIN. Additionally, if the PIN needs to be protected during transport in nonintegrated offline POIs, then the POI must support the use of TDES or AES for that channel. "Offline" means that the POI has the capability to support offline PIN verification by the payment card's integrated chip.
Unless otherwise noted, the "Offline" designation, without any suffix, in the PCI PTS Device Approval List represents that the POI has the capability to support both plaintext and enciphered offline PIN verification. The "Offline (p)" designation with the "(p)" as a suffix represents that the offline POI has the capability of performing only plaintext offline PIN verification.
However, under current testing, all newly evaluated offline POI devices must support both plaintext and enciphered PIN verification. SCRs or other POI devices that include an ICCR or hybrid reader must have an "Offline" designation in order to be used for offline PIN acceptance.
Note:
All newly approved offline PIN verification POIs must support both plaintext and enciphered PIN verification.
(EPP, PED, SCRP, UPT, SCR)
"PIN encryption key management" denotes whether the Laboratory has successfully evaluated the payment security device to support the use of Triple DES (TDES) or AES for PIN encryption for online PIN. TDES requires use of at least a double-length key.
A MK/SK (master key, session key), DUKPT, and/or Fixed designation denote that the device has been evaluated successfully to support the implementation of TDES for that particular key-management method(s).
Where AES is used, that will be explicitly noted in conjunction with the MK/SK, DUKPT and/or Fixed Key methodologies.
Note: DUKPT is the only unique key per transaction (UKPT) algorithm (ANSI X9.24) that PCI SSC recognizes and approves; all other forms of UKPT tested by the Laboratory will not be depicted in the approval letter or on "Approved PTS Devices" on the Website.
Note: POI v5 and v6 devices used for online PIN must support ISO PIN Block Format 4 (AES).
Note: Fixed Key is not allowed for POI v6 and higher devices.
This is for POI devices supporting the entry of online PINs, and in general, this will be N/A for devices in the Non-PED or SCR approval classes and will be N/A for offline PIN-only devices. SCRPs can indirectly support online PIN in connection with mobile-based solutions via PIN translation.
PIN Encryption Key Management is only applicable for SCRs where the SCR does PIN translation in connection with sending the PIN online to a host.
(EPP, PED, SCR, SCRP, UPT)
"SRED key management" denotes whether the Laboratory has successfully evaluated the payment security device to support the use of Triple DES (TDES) or AES for Account Data encryption. TDES requires use of at least a triple-length key or DUKPT for account data encryption.
A MK/SK (master key, session key), DUKPT and/or Fixed designation denote that the device has been evaluated successfully to support the implementation of TDES for that particular key-management method(s).
Where AES is used, that will be explicitly noted in conjunction with the MK/SK, DUKPT and/or Fixed Key methodologies.
Note: Fixed Key is not allowed for POI v6 and higher devices.
Format-preserving encryption (FPE) shall be denoted where one of the ANSI, ISO or NIST approved algorithms are used.
Note: The FPE notation is only presented for POI v6 and higher devices.
(PED, EPP, UPT)
Vendor-controlled: The end-user, acquirer, or reseller cannot modify the POI's firmware or POI's payment application to make changes to the device's prompts or PIN-entry controls. Only the POI's original equipment manufacturer has the capability to modify the prompts and controls for PIN entry.
Acquirer-controlled: The original equipment manufacturer has shipped the POI with mechanisms for controlling the POI display and its use in place. These mechanisms can be employed to unlock the POI for updates of the prompts by the acquirer, using proper cryptographically controlled processes as defined in the applicable POI security requirement. The reseller or end-user, if authorized by the acquirer, can also make updates using proper cryptographically controlled processes.
Not applicable for devices without a display.
Devices must be deployed locked. In any case, the acquiring customer is always responsible to ensure that appropriate processes and documented procedures are in place to control the POI display and usage.
(PED, EPP, UPT)
"PIN-entry technology" denotes which technology is implemented in order to capture the cardholder PIN. The value for this field can be:
A device cannot support both a physical keypad version and a touchscreen version under the same approval where both can be used for PIN entry. It may support a device that has both interfaces in connection with providing support for national or local disability laws.
(EPP, HSM, Multi-tenant HSM, non-PED, PED, SCR, SCRP, UPT)
"Functions provided" denotes which of the following functions are supported by the device. One or more of the following may apply, depending on the implementation:
Note:
Contactless readers are only considered compliant for P2PE usage if the device in question has been validated to SRED.
Furthermore, some device approvals may have versions validated to SRED and some that are not. Where such a mix occurs, only devices using a firmware version designated for SRED are validated to meet the contactless reader security requirements. For devices with contactless readers using firmware that is not validated to SRED, the contactless readers are not validated to any security requirements.
Company | Approval Number | Product Type | Version | Expiry Date | PIN Support | PIN Encryption Key Management | SRED Key Management | Prompt Control |
PIN Entry Technology |
Functions Provided | Additional Information | |
---|---|---|---|---|---|---|---|---|---|---|---|---|
Ingenico | ||||||||||||
Move/2500 | ||||||||||||
Hardware #: MOV25AP, MOV25BP, MOV25CP, MOV25DP, MOV25EP, MOV25FP, MOV25GP, MOV25HP Firmware #: 820547v01.xx, 820376v01.xx, 820555v01.xx (SRED), 820549v01.xx (SRED), 820556v01.xx (SRED) Applic #: 820548V02.xx (Open Protocol),820548v03.xx (Open Protocol) Approved Components : |
4-20310 | 5.x | 30 Apr 2026 | Online & Offline | TDES: Fixed,MK/SK,DUKPT AES: Fixed,MK/SK |
Acquirer-controlled | Physical Keypad | Display,ICCR,MSR,CTLS,OP,SRED |