A PIN Entry Device (PED) is a critical component in EMV-based payment terminals, responsible for securely capturing and encrypting a cardholder’s Personal Identification Number (PIN) during a transaction. PED security ensures that sensitive cardholder data is protected against theft, tampering, or fraud.

In the EMV ecosystem, PEDs are tightly regulated and must comply with EMVCo specifications as well as PCI PIN Security Requirements, which are incorporated into EMV Level 3 (L3) Certification testing. L3 Certification validates that the terminal software, including the PED interface, handles PIN entry and transmission securely and interoperates correctly with the card and acquirer systems.

Overview of PED in EMV Transactions

The PED is responsible for multiple critical functions:

• PIN capture: Securely accepting the cardholder’s PIN via a keypad or touchscreen.
• PIN encryption: Immediately encrypting the PIN under a secure key (PIN encryption key, often using DUKPT or Master/Session keys).
• PIN block creation: Packaging the encrypted PIN into a PIN block that can be securely transmitted to the issuer or acquirer.
• Tamper detection: Physical and logical mechanisms prevent unauthorized access or modification of the device.
• Communication: Securely passing the encrypted PIN to the terminal application for transaction processing.

PED security is evaluated during L3 Certification, ensuring that both hardware and software layers prevent data compromise.

PED Security Requirements

Physical Security

PEDs must be tamper-resistant and protect internal cryptographic keys:

• Tamper-evident and tamper-responsive mechanisms: If physical intrusion is detected, the device zeroizes sensitive keys.
• Shields and coatings: Keypads and internal components must be shielded to prevent skimming or side-channel attacks.
• Secure enclosure: PED casing must prevent forced access to PCB and connectors.

Logical Security

• Secure key storage: PEDs store cryptographic keys in FIPS or EMVCo-approved secure modules.
• Firmware integrity: PED firmware must be signed and authenticated to prevent malicious modification.
• PIN encryption algorithms: Must comply with standards such as ISO 9564 and ANSI X9.8/X9.24.

Cryptographic Security

• PIN block formats: PEDs typically support ISO-0, ISO-1, or ISO-3 PIN blocks.
• PIN encryption methods: Commonly use Triple DES (3DES), AES, or DUKPT key management.
• End-to-end encryption: Ensures the PIN is never exposed in plaintext outside the PED.

PED Workflow in EMV Transactions

The PED operates in synchronization with the terminal application during an EMV transaction:

1. Card Authentication
   • The terminal reads card data and selects an EMV application.
2. Transaction Amount Entry
   • The terminal displays the transaction amount and prompts the cardholder for PIN if required (online PIN or offline PIN).
3. PIN Capture
   • PED securely captures PIN input.
   • PIN is never exposed in plaintext to the terminal CPU or memory.
4. PIN Block Creation and Encryption
   • PED converts the entered PIN into a PIN block according to EMV standards.
   • PIN block is encrypted under a secure key (issuer/acquirer key).
5. PIN Transmission
   • Encrypted PIN block is securely transmitted to the terminal application for authorization or offline verification.
6. PIN Verification by Card/Issuer
   • In online PIN, the issuer decrypts the PIN block and validates it.
   • In offline PIN, the EMV card verifies the PIN internally without exposing the plaintext PIN.

PIN Entry Modes in EMV

Online PIN

• PIN is captured by PED and sent encrypted to the issuer for verification.
• Ensures dynamic verification and supports high-risk transactions.
• L3 Certification ensures correct PIN block formatting, encryption, and transmission.

Offline PIN

• PIN is verified inside the EMV card itself.
• PED encrypts PIN into a PIN block and delivers it to the card.
• Card compares the entered PIN with stored PIN securely.
• Requires PED to follow EMV-approved algorithms and cryptography.

L3 Certification Evaluation Criteria for PED Security

During EMV Level 3 Certification, PED security is rigorously tested. Key evaluation points include:

PIN Encryption and Block Verification

• Correct creation of PIN blocks in ISO formats.
• Secure encryption under DUKPT, Master/Session, or EMV-approved keys.
• Proper handling of multiple PIN entry attempts.

Tamper Response

• Devices must detect physical tampering (opening, probing, or key attacks).
• Sensitive keys must be erased automatically upon tamper detection.

Secure Communication

• PED must communicate PIN securely with the terminal CPU without exposing plaintext.
• Integration with EMV L2 and L3 software must maintain end-to-end encryption.

Offline and Online PIN Scenarios

• Offline PIN verification handled correctly by EMV card.
• Online PIN verification correctly routed to issuer/acquirer with secure encryption.
• Terminal software must handle error codes and retries according to EMV rules.

Multi-Application Scenarios

• PED must handle PIN entry for multiple EMV applications on the same card.
• Correct mapping of AID and PIN requirements for each application.

Security Best Practices for PED in L3 Certification

• Always use certified PED modules that comply with PCI PIN Security and EMVCo standards.
• Implement anti-skimming measures on keypads and card slots.
• Use encrypted PIN blocks with strong cryptography (3DES or AES).
• Log all PIN entry attempts securely for auditing, without storing plaintext.
• Test offline and online PIN flows with multiple card types to ensure reliability.
• Regularly update firmware with signed cryptographic keys to maintain security compliance.

Common PED Challenges in L3 Certification

• Incorrect PIN block formatting may cause authorization failure.
• Weak tamper protection can fail physical security tests.
• Firmware modification vulnerabilities may compromise encryption keys.
• Improper handling of offline PIN can lead to card declines or false rejections.
• Integration issues with EMV L2 software may expose sensitive PIN data if secure channels are not implemented properly.

The PIN Entry Device is one of the most critical security components in EMV payment terminals, and its proper implementation is essential for both cardholder data protection and EMV L3 Certification. PED security ensures:

• End-to-end protection of PIN data during entry, encryption, and transmission
• Compliance with EMVCo and PCI PIN Security standards
• Secure offline and online verification for multiple EMV applications
• Robust tamper detection and cryptographic integrity

For terminal manufacturers and software developers, successful PED security implementation and L3 certification validates that the terminal is ready for deployment in the global EMV ecosystem, safeguarding both cardholders and issuers against fraud.