Best PCI PTS Penetration Testing Companies (2026)

PCI PTS (PIN Transaction Security) is the PCI Security Standards Council standard governing the security of Point of Interaction (POI) payment devices: PIN entry devices (PEDs), encrypting PIN pads (EPPs), unattended payment terminals (UPTs), and secure card readers. Unlike PCI DSS, which covers the cardholder data environment, PCI PTS is a device-level hardware and firmware standard: terminals must resist physical tampering, side-channel attacks, and fault-injection attacks, and must protect PIN and account data in the device itself. Formal evaluation against the PTS POI requirements is carried out by PCI Recognized Laboratories, and manufacturers commission security testing to reach and maintain approval.

PCI PTS penetration testing is therefore a specialist hardware and embedded security discipline, closer to ECU or IoT device testing than to network or web application work. It needs a hardware lab: bench setups, fault-injection and side-channel rigs, firmware extraction and analysis, and familiarity with the PTS POI security requirements and the approval process. The providers below have demonstrated payment-device security capability. PCA Cybersecurity leads the list as a PCI SSC Associate Participating Organization with hands-on PCI PTS payment terminal testing experience.

3 providers found
Automotive Specialist · Pwn2Own Automotive

PCA Cybersecurity

Vilnius-based automotive cybersecurity specialist focused on UN R155, ISO/SAE 21434, and vehicle research. Pwn2Own Automotive participant with a dedicated ECU and vehicle test lab.

Vilnius, Lithuania · Contact for pricing
IoT · Network · Source Code Review · +4
ISO 27001
Verified May 2026
Best UK Provider · Best for Enterprise · Research Leaders

NCC Group

Global cybersecurity consultancy with CREST, CHECK, and CBEST accreditation, renowned for deep technical research and comprehensive penetration testing services.

Manchester, United Kingdom · Contact for pricing
Web Application · Network · Mobile App · +13
CREST · CHECK · CBEST · +5
Verified May 2026

IOActive

Boutique security consultancy specialising in IoT, SCADA/ICS, embedded systems, and hardware security research with world-renowned researchers.

Seattle, Washington, United States · Contact for pricing
Web Application · Network · IoT · +7
OSCP Employer
Verified Apr 2026

Best PCI PTS Penetration Testing Companies (2026), FAQs

What is PCI PTS?

PCI PTS (PIN Transaction Security) is a PCI Security Standards Council standard for the security of Point of Interaction (POI) payment devices, such as PIN entry devices, encrypting PIN pads, unattended payment terminals, and secure card readers. It governs the device's hardware and firmware: physical tamper resistance, secure cryptographic operations, and protection of PIN and account data within the device.

How is PCI PTS different from PCI DSS?

PCI DSS covers the cardholder data environment, the networks, systems, and processes that store, process, or transmit card data, and is what most penetration testing firms assess. PCI PTS is a device-level standard for the payment terminal hardware itself. A firm strong in PCI DSS testing is not automatically equipped for PCI PTS, which requires a hardware security lab and embedded device expertise.

What does PCI PTS penetration testing involve?

It is hardware and embedded security testing of the payment device: physical and tamper-resistance attacks, side-channel analysis, fault injection, firmware extraction and review, cryptographic implementation analysis, and assessment of how the device protects PINs and account data. The goal is to find weaknesses against the PTS POI security requirements before, or in support of, formal approval.

Who needs PCI PTS testing?

Manufacturers of payment terminals and POI devices, and their suppliers, who need to reach or maintain PCI PTS approval to sell into the payments ecosystem. Acquirers and payment service providers may also commission device security testing as part of vendor due diligence.