ATM PIN Pad (EPP) Replacement: Tamper, PCI PTS Compliance, Key Injection and Choosing the Right Part
An operator's guide to the ATM Encrypting PIN Pad (EPP) β how it secures the PIN, why a tampered EPP zeroizes and stops working, PCI PTS and TR-31 compliance, why keys must be injected by an authorized party, and matching a replacement.
The fast answer (and the one hard rule)
The ATM PIN pad isnβt a keypad β itβs an EPP (Encrypting PIN Pad), the most security-governed part on the machine. It encrypts the PIN inside a tamper-protected module, itβs certified to PCI PTS, and it only works once cryptographic keys are loaded. That makes replacement a compliance job, not a swap:
| Reality | What it means | |
|---|---|---|
| It encrypts the PIN internally | The PIN is never plaintext outside the EPP | β |
| It's tamper-responsive | Opening/removing it zeroizes the keys β it stops working | β |
| It must be PCI PTS certified | Match a currently-valid approval level (e.g. PCI PTS 5.x) | β |
| It needs keys injected | A new EPP can't process PINs until an authorized party loads keys | β |
How an EPP secures the PIN
An EPP exists to keep the customerβs PIN secret end-to-end. The digits never leave the module in the clear: the EPP encrypts them with keys held inside its secure boundary and outputs only ciphertext. To protect those keys, the module is tamper-responsive β it actively watches for intrusion and erases its secrets if attacked.
Why an EPP needs replacing
EPPs get replaced for three reasons β and only one of them is a conventional hardware fault:
| Reason | What's happening | |
|---|---|---|
| Tamper / zeroized | Detected intrusion or removal erased the keys; reports a tamper error | β |
| Hardware failure | Dead keys, controller or connector β a genuine fault | β |
| Compliance / end-of-life | Its PCI PTS approval lapsed or it can't meet current key-block rules | β |
PCI PTS and key-block compliance
Two compliance threads decide whether an EPP is acceptable: its device certification(PCI PTS) and the key-management standard (key blocks) it must support.
| Requirement | What to know | |
|---|---|---|
| PCI PTS certification | Devices are approved to a version; current generation is PCI PTS 5.x (6.x emerging) | β |
| Approval expiry | Older PTS approvals lapse β don't deploy a lapsed EPP | β |
| TR-31 key blocks | Secure key packaging; ATMs required to use compliant key blocks (TR-31 'Phase 3') from 1 Jan 2025 | β |
| Your processor's minimum | Your acquirer/processor states the minimum PTS level & key-block rule they accept | β |
Replacing and injecting keys (authorized only)
The replacement workflow keeps the physical and the cryptographic strictly separate β you (or your technician) handle the part; an authorized party handles the keys:
- 1
Confirm why it's being replaced
Tamper/zeroized, hardware failure, or compliance/EOL β this sets whether you need the same model or a higher PCI PTS level. - 2
Match model + certification
Choose an EPP for your exact ATM model, at a currently-valid PCI PTS level your processor accepts, with the right layout and connector. - 3
Fit the EPP (per procedure)
Install it following the ATMβs documented procedure and your dual-control/ security rules for opening the machine.Caution: Mishandling can trip the new unit's tamper response β follow the documented fitting procedure exactly. - 4
Have keys injected by an authorized party
Your authorized key-loading facility injects the required keys β by local key loading or remote key loading (RKL) β under your processorβs and the schemeβs procedures. The EPP canβt process PINs until this is done. - 5
Verify and return to service
Confirm PIN encryption and a successful test transaction with your processor, verify compliance status, then return the ATM to live operation.
Matching the part and sourcing
When you source a replacement, the supplierβs job is the part-and-certification fit; the keys are never part of the shipment:
| Match this | How | |
|---|---|---|
| ATM make / model | The EPP is model-specific β quote the exact machine | β |
| PCI PTS level | A currently-valid approval your processor accepts | β |
| Layout & connector | Physical fit, key layout and interface for your model | β |
| Key-injection plan | Local vs remote (RKL), arranged with your authorized party | β |
| Compliance horizon | Prefer a level that stays valid, given approval expiries | β |
Browse PIN pads and keypads in our keyboards category, and related modules in terminal repair parts and other parts. For other ATM peripherals see our ATM card reader heads and cash dispenser guides. Tell us your ATM model and the PCI PTS level your processor requires, and weβll match a compatible EPP β your processor and authorized key-loading party handle the keys.
Frequently Asked Questions
What is an ATM EPP, and how is it different from an ordinary keypad?
Why did my EPP stop working after it was opened or moved?
Can I just swap in a new EPP and run?
What is PCI PTS, and which level do I need?
What are TR-31 key blocks and the 2025 deadline about?
How do I make sure a replacement EPP will work on my ATM?
Sources & further reading
- Encrypting PIN Pad (EPP) Security Requirements β PCI Security Standards Council
- PCI PTS PIN Security Requirements & Technical FAQs β PCI SSC (via Kiosk Industry)
- ATM Keypad Encryption PCI Compliance Updates β ATM Depot
- Terminal and PIN Entry Security Standards FAQs β Mastercard
- The PCI PTS 5.x Generation of Encrypting PIN Pads β Cryptera
Related guides
NCR RealPOS Receipt Printers: Identify Your Model and Order the Right Printhead, Cutter and Parts
Ordering NCR RealPOS parts goes wrong in one place: the printhead comes in 9-pin and 15-pin versions that look similar and don't interchange. Here's how to read your model number and match the exact part.
Read guide βWincor Nixdorf / Diebold Nixdorf POS Parts: Identify Your BEETLE and TH-Series Printer and Order the Right Part
Wincor Nixdorf (now Diebold Nixdorf) BEETLE systems are everywhere in European retail. The key to ordering parts is the 1750 part-number scheme β here's how to read it and match the right TH-series printer part.
Read guide βFujitsu POS Printers (FP-1000 / FP-510): Identify Your Model, Read the KA02066 Part Scheme, Order the Right Part
Fujitsu's FP-1000 is a tank of a receipt printer β but ordering parts means decoding the KA02066 configuration scheme. Here's how to read it, and how to match the printhead and cutter to your exact build.
Read guide βRelated categories
Featured parts in this guide
%20Sparta%20Riser%20Card/120c399634d85265f7a7595a979407ee_c48b4b186f0a2eea2b86d0d5a86c219e_s-l1600.jpg)
Need the parts mentioned in this guide?
Genuine OEM and quality-tested aftermarket parts for IBM, Toshiba, NCR, Diebold, Wincor and Hyosung systems β with worldwide shipping.
