Payment Device Testing for Security Explained

Read time: 00:05

Release date: 6.30.2026

Payment devices, and POS terminals in particular, are among the most attractive targets for malicious actors across the entire payment chain. Compromising one can allow an attacker to capture card data, harvest PINs, or push fraudulent transactions at the exact point where money changes hands.

Payment device testing is how manufacturers determine whether their devices will withstand that pressure under a real attack, not just in the lab.

PCA Cyber Security works with payment device manufacturers, operators and PSPs (payment solution providers) to harden deployed devices and wider ecosystems, ensuring genuine resistance to real-world attacks.

This article compares the two different types of payment device testing and explains why skipping ongoing security testing usually costs more than it saves.

What Is Payment Device Testing?

At a high level, payment device testing means probing a device, such as a PTS (PIN Transaction Security) device or a POS (point-of-sale) terminal, for weaknesses an attacker could exploit.

The payment device is the physical hardware that a customer interacts with. That includes the card reader, the PIN pad, and unattended payment terminals such as those at fuel pumps, parking machines, and self-service kiosks. It is the hardware at the moment of payment.

That is distinct from the wider POS environment (the registers, servers, and networks around the terminal), which is governed separately under PCI DSS.

Payment device testing focuses on the device itself, not the environment around it, and on the question of whether that device can resist a determined attacker. 

The Two Types of Payment Device Testing

The industry relies on two forms of payment device testing. 

The first is PCI PTS approval testing, conducted by an accredited PCI PTS laboratory, which determines whether a device is approved for use in the payment system.

The second is regular security assessment, or penetration testing, which puts the device under real attack conditions, ideally on an ongoing basis, to find the weaknesses an adversary could exploit even after PCI PTS approval has been granted.

One-time payment device testing for certification 

Certification testing is mandatory, pass-or-fail testing that determines whether a device is permitted to operate in the payment system. A device that does not pass cannot be deployed where approved hardware is required.

The security testing for PCI PTS approval evaluates the device itself. Other standards also apply, such as EMV Level 1 and Level 2, and the card networks' own brand approvals, though those mainly confirm that the device transacts correctly rather than that it resists attack.

A device that passes is added to the approved-devices list on PCI SSC’s website, which buyers and acquirers check before deployment. 

Regular payment device security testing 

PCI PTS approval confirms that a device meets the standard at the point of evaluation. What it cannot do is account for the attack techniques that emerge afterward, once the device is out in the field. 

That is where ongoing security testing comes in. Companies like PCA Cyber Security attack the hardware and software of a payment device the way a real-world malicious actor would, and produce a prioritized findings report that tells manufacturers what to address first and how.

Treating a one-time certification as a permanent security guarantee is one of the most common and costly misunderstandings in this space. 

The two testing types are complementary, and most mature organizations pursue both.

Why Approved Devices Still Need Testing 

During the PTS Terminal Security Excellence research, the PCA Cyber Security team tested multiple payment terminals from several manufacturers. 

Every one of these devices met its PCI PTS requirements at the point of evaluation. When we ran these approved terminals against current attack methods, we found an average of 16 vulnerabilities per terminal, with around 7 high-severity (CVSS score of 7.0 or higher).

Certification confirms that a device meets the standard at a moment in time, but attackers keep improving their techniques after that moment. 

The vulnerabilities our team uncovered could let an attacker extract sensitive cardholder data or PINs from the device, bypass the cryptographic protections meant to keep that data safe, execute arbitrary code or install malware on the terminal, move laterally into the broader merchant network and payment infrastructure, or disrupt service and disable payment processing capabilities completely.

How Payment Device Testing Reduces Cost

Far from an optional cost, penetration testing of payment devices can reduce overall spend. It does so at two points in a device's lifecycle: before a new device is submitted to the lab for approval, and after it has been deployed in the field, where the alternative to private testing is public disclosure.

Private Testing or Public Disclosure 

Researchers regularly present terminal-hacking work at security conferences, so the real question is rarely whether a device is tested, but whether it is tested privately by people the manufacturer hired or publicly by people it did not.

At Black Hat Europe 2020, independent researchers publicly disclosed vulnerabilities in widely deployed Verifone and Ingenico terminals, flaws serious enough to allow card cloning and persistent malware, which the vendors then had to patch. The work made headlines under the manufacturers' own names. When research like that surfaces in public first, the vendor does not get to choose the timing, the framing, or the headline.

Even so, public disclosure is better than a criminal finding the same weaknesses first and exploiting them quietly.

Payment Device Testing with PCA Cyber Security

PCI PTS approval gets a device into the payment system, and ongoing security testing keeps it there safely. The devices that hold up in the real world are the ones whose makers treated both as essential. 

PCA Cyber Security works on the security testing side of that equation, attacking payment devices the way a real adversary would. That means reverse-engineering a device’s firmware and hardware, examining the cryptographic modules and key management, intercepting and manipulating traffic between the payment device and its back-end systems, and chaining smaller flaws into a single path that can reach the wider merchant and processor networks. 

The result is a prioritized report manufacturers can act on, whether they are preparing a new device for lab submission or hardening a model already deployed in the field.

Manufacturers who want to know how their devices would hold up against a determined attacker, before that question is answered for them, can get in touch to learn more.


Article tags

payment device security

pts device testing

pci dss

pci pts
