Last updated: 17 May 2016
POS terminals used in Brazil need to comply with regulations from both ABECS and in some cases with ANATEL. We will outline in this article the main requirements for these types of terminals to be used in Brazil.
ABECS, the Brazilian Association for Credit Cards and Services Companies are responsible for creating self regulating mechanisms and establishing the best practices for companies in this sector. Therefore ABECS is the organism responsible for validating the security testings and compliance to applicable requirements both for password capturing and client verification systems.
Homologation at ABECS
ABECS along with the manufacturers and the certification laboratory defined the directives applicable in Brazil, with additional requirements and schedule, based on the requirements developed by the PCI Council for POS and PINPAD. Minimum security requirements stated by PCI, include:
- Development and maintenance of the security of the network and systems
- Protection of the data of the card owner
- Maintenance of a programme for vulnerability management
- Deployment of access control measurements
- Regularly supervise and test the networks
- Maintenance of the data security policy
At ABECS, the homologation process is basically directed to the software built-in the machine, regarding data security and management. The first step to start the process is to get the terminals homologated in PCI Security Standards Council laboratories before requesting the homologation by ABECS.
After obtaining the registration from PCI, the manufacturer has to submit 5 samples of each model for homologation, a process that must be handled by an accredited laboratory of ABECS. The laboratory will verify the following requirements:
- Check if the device is certified with PCI-PTS
- Check if the device is complies to PCI-PTS standards for cardholder data protection
- Check if terminal complies with ABECS technical requirements
If the equipment is in accordance to these standards, the laboratory will submit an approval certification to ABECS, which will publish their homologation. The reports issued by the laboratories are classified and must not be published publicly at any cost, being stored securely.
The homologation with ABECS may be renewed from time to time and will depend on three main factors:
- Yearly review, which happens every July with the intent to review the contents
- Requirement review, which happens every second year in order to eliminate, change or include new requirements
- Emergency review, which will happen anytime when a vulnerability is found at the terminals
Homologation of terminals with ANATEL
In addition to being homologated by ABECS, ANATEL is often involved in the process of the POS terminal certification in Brazil. All telecommunication devices that are wired, wireless, optical or any other electromagnetic process that transmits, emits or receive symbols, signals and any other information requires homologation from ANATEL. This includes any POS terminal that uses cable, wifi and cellular connections, which are considered as a restricted radiation device.
Therefore, POS terminals can be categorised under Category I equipment, the same as mobiles and satellite phones. Manufacturers or importers of products under this category need to use a OCD, which is a third party institution appointed by Anatel that evaluates products and issues a certification based on tests conducted by a laboratory accredited by Inmetro. The OCD will determine what tests are needed to be performed on the device to obtain certification by ANATEL.
Category I products demand annual revaluations to maintain the certification with ANATEL. More details about the process can be found in the article “How to Obtain an Anatel Product Homologation”.