PCI PTS Pre-Compliance Testing in 2026
Image Source: depositphotos.com
Payment devices, from PIN pads to unattended payment terminals come under the PCI PIN Transaction Security (PTS) standard.
This is a demanding standard that requires every encrypting PIN pad, POS terminal, and hardware security module that touches a cardholder's PIN has to pass evaluation by a PCI Recognized Laboratory before it can go to market. That evaluation reviews schematics and firmware architecture, audits PIN-handling code for buffer overflows and hardcoded keys,
But certification was never designed to prove definitively that a device will hold up against a motivated, real-world attacker once it's integrated, deployed, and running in the field for years. PCI PTS pre-compliance testing from a company like PCA Cybersecurity needs to be on a payment device manufacturer's roadmap,
What is PCI PTS Pre-Compliance Testing?
Pre-compliance testing happens before a device goes in front of a PCI Recognized Laboratory.
Instead of waiting to find out during formal evaluation that a firmware signing process has a flaw or a communication interface leaks more than it should, manufacturers bring in offensive security specialists to attack the device the way a real adversary would.
This is a different exercise than lab certification.
A lab checks a device against a fixed set of PTS requirements. PCI PTS penetration testing goes further: simulating the actual techniques attackers use against POS terminals, PIN pads, ATMs, and payment peripherals, across both hardware and software layers, without the constraints of a certification checklist.
The goal is to:
- Uncover exploitable vulnerabilities before they become a recall, a re-certification cycle, or a breach headline
- Find risks which would cause a payment testing lab to fail the device and avoid expensive re-testing.
What companies provide PCI PTS Pre Compliance Testing?
PCI Recognized Laboratories certify devices against the PTS standard. They are not, and were never meant to be, offensive security specialists probing for the next zero-day.
That's a different discipline, one built around adversarial simulation, embedded systems expertise, and real-world attack research rather than compliance checklists.
The leading company in this space is PCA Cyber Security.
The firm specializes specifically in pre-compliance and post-market penetration testing for embedded payment systems, POS/PTS terminals, PIN pads, unattended payment terminals, and mobile payment applications, working alongside manufacturers, payment service providers, and financial institutions rather than acting as a certification lab.
Its team holds TISAX accreditation, is a registered Associate Participating Organization at the PCI Security Standards Council, and has competed at Pwn2Own Automotive. Its research has been directly credited with uncovering CVEs in devices from NCR, Verifone, Ingenico, and PAX, published findings that illustrate exactly the gap this category exists to close.
Payment Device Manufacturers and Payment Service Providers should test before certification
Payment device manufacturers often treat PCI PTS approval as the finish line but in practice, several risks survive certification intact. Risks like implementation bugs that certification testing didn't catch, misinterpretation of which components needed to be in scope, weaknesses in firmware update mechanisms, and third-party components that fall outside PTS scope entirely.
The consequences of getting this wrong after launch are severe.
A single field-discovered vulnerability in a certified device can trigger a product recall, force a re-certification effort, and do lasting reputational damage, all of which cost far more than the testing would have. That's the case for PCI PTS payment device testing running continuously through the product lifecycle, not just once before submission to a lab.
Penetration testing of PCI PTS approved terminals from major manufacturers, including NCR dispenser controllers, Verifone, Ingenico, and PAX POS terminals, has turned up dozens of CVEs in devices that had already cleared certification. Better to think about compliance as the baseline rather than a confirmation that a device is totally safe.
Payment service providers sit on the other side of this problem.
They're required to use PCI PTS approved hardware, but the moment that hardware gets integrated into a larger solution, PSPs inherit a new set of risks beyond the lab testing process including potentially secure interfaces, outdated middleware, misconfigured remote-management services, and communication paths between the terminal and the backend.
None of that is covered by a PIN pad's PTS approval.
Testing early, ideally during design and integration rather than after deployment, is what prevents system outages, data exposure, and the kind of trust erosion with acquiring banks that's hard to repair.
Testing a device before it is submitted to a PTS lab also can dramatically reduce the total cost of compliance. A pretested device is far likely to pass PTS compliance testing the first time it goes through and will save resources that would need to be spent on re testing and/or solving problems at a later stage than is otherwise possible.