Page tree
Skip to end of metadata
Go to start of metadata

Those of you who have searched through the extensive documentation available on PCI regulations may have stumbled onto guidelines relating to “SRED compliance.”  What might this be?  SRED is an acronym for Secure Reading and Exchange of Data, and it refers to the Point of Interaction (POI) security standard as outlined in the PIN Transaction Security (PTS) requirements, version 3.1.  

The POI is the initial point where credit cardholder data is captured. The SRED module of the PTS protocols lists a variety of requirements to ensure that all POI devices used to process payment cards conform to an acceptable level of security. 

For example, these devices must encrypt account numbers immediately upon entry or provide a sufficiently secure plain-text environment.  This guarantees that all cardholder data is well protected at the POI.  It must be noted, however, that a SRED-compliant device does not in itself provide an overall,comprehensive point-to-point encryption (P2PE) solution, but, it must function adequately as the initial point of any such solution.  

SRED Requirements for Point-of-Interaction Devices

The PCI Security Standards Council (PCI SSC) has set down guidelines governing virtually every aspect of payment card processing; among these requirements is the SRED (Secure Reading and Exchange of Data) module of the PIN Transaction Security (PTS) document.  These requirements are too numerous to discuss in full here, but below we’ll list some of them to provide a brief overview:

  • The device must be adequately protected against attempts to reveal its cryptographic keys used for data encryption.
  • Data must be encrypted with ANSI X9 or ISO-approved encryption algorithms.
  • The device allows for data origin authentication.
  • The device’s secret and private keys are unique.
  • All administrative remote access attempts must be authenticated cryptographically.
  • All firmware updates must be authenticated cryptographically.
  • The device should not retain sensitive data longer than necessary for business purposes.

In brief, the SRED module dictates security parameters for point-of-interaction (POI) devices used to process customer payment card data.  


There is no content with the specified labels

Related issues