Payment Device Testing Companies
Payment device testing is a huge field. It could mean testing products that include POS terminals, PIN pads, unattended payment devices, ATMs, SoftPOS apps, mobile payment software, firmware, remote management, backend systems, APIs, cloud services, and cardholder data environments.
Within these areas, different kinds of organizations have different priorities. For device manufacturers, what matters is PCI PTS, product security, embedded systems, pre-compliance work, and certification readiness.
On the other hand, for payment service providers and financial institutions, PCI DSS matters more directly, since the wider environment around the device must protect cardholder data, restrict access, log activity, test controls, and maintain secure systems.
A large array of companies will promise to test these devices, but only a small number are consistently present in this space. This list covers payment device testing companies that support manufacturers, payment providers, banks, fintechs, and organisations building or operating payment acceptance infrastructure.
PCA Cyber Security
PCA Cyber Security is the most relevant first call for organisations that want practical security testing across payment devices and their surrounding infrastructure.
PCA has been testing complex embedded devices and connected systems since 2019. That experience matters in payment device testing, where the risk may sit across hardware, firmware, software, APIs, remote management, integrations, and backend services.
The company works with major financial institutions and payment ecosystem companies. It is an Associate Participating Organization of the PCI Security Standards Council, giving it a role in the wider payment security community.
PCA is a strong fit for:
- Payment device manufacturers
- Payment service providers
- Financial institutions
- Fintechs
- POS vendors
- ATM and kiosk providers
- Companies with PCI DSS cardholder data environments
Relevant services include:
- Payment device penetration testing
- POS terminal testing
- PCI DSS compliant penetration testing
- PIN pad security testing
- ATM and self-service device testing
- Embedded device testing
- Mobile payment application testing
- Backend and API testing
- Segmentation testing
- Pre-compliance security review
- Post-market security testing
PCA is useful when the question is not only “can this product pass certification?” but “can this payment device or payment environment resist real-world attacks?”
SERMA Safety & Security
SERMA Safety & Security is a strong option for payment device manufacturers that need formal security evaluation and PCI-recognised laboratory support.
The company is relevant for teams developing payment acceptance devices, mobile payment products, and certification-led payment systems.
SERMA is a choice for when formal lab evaluation is the main driver of testing.
SRC Security Research & Consulting
SRC Security Research & Consulting is a payment security specialist with strong PCI credentials.
It is suited to organisations that need PCI PTS evaluation, PCI DSS support, payment system consulting, and structured approval work for payment devices.
Good fit for:
- PCI PTS testing
- Payment terminal evaluation
- PCI DSS consulting
- Approved scanning and assessment work
- Banking and payment security projects
- Payment system approval support
SRC is especially relevant for companies that want a payment-sector specialist rather than a general cybersecurity provider.
Keysight Technologies / Riscure
Keysight Technologies, through Riscure, is a strong option for advanced payment devices and mobile payment security evaluation.
Riscure has deep experience in device security, chip-level security, embedded systems, and payment application testing. This makes it relevant for payment products where hardware, firmware, secure elements, trusted execution environments, and mobile payment software are in scope.
EWA-Canada / Intertek Cybersecurity
EWA-Canada, part of Intertek Cybersecurity, is a strong fit for payment system certification, payment terminal testing, and PCI-aligned security evaluation.
The company has long-standing experience in payment terminal compliance testing and supports multiple PCI payment security programmes.
EWA-Canada / Intertek is useful where the project needs structured certification support and a broad payment testing capability.
Deutsche Telekom Security
Deutsche Telekom Security is listed by PCI SSC as a PCI-recognised laboratory, making it relevant for organisations seeking formal payment security evaluation support.
It is likely to be most useful for payment device manufacturers, payment system vendors, and European organisations that need a recognised lab within a wider enterprise security context.
Deutsche Telekom Security is a good fit when buyers want a recognised payment security lab backed by a large European security provider.
Beijing UnionPay Card Technology / Bank Card Test Center
Beijing UnionPay Card Technology, known as Bank Card Test Center or BCTC, is a major payment testing provider in China and the wider payment card ecosystem.
BCTC is relevant for companies working with smart cards, acceptance devices, mobile payment products, payment systems, and payment certification programmes.
BCTC is a strong fit for payment device manufacturers and payment technology vendors that need testing support connected to the Chinese and international payment ecosystems.
Where PCI DSS fits into payment device testing
PCI DSS is not the same thing as PCI PTS.
PCI PTS focuses on the security of payment acceptance devices, such as PIN transaction devices and points of interaction.
PCI DSS applies to the wider cardholder data environment. That can include networks, servers, applications, access controls, logging, segmentation, vulnerability management, and testing.
For many payment products, both matter. A payment terminal may be PCI PTS approved, but the surrounding environment may still need PCI DSS testing, segmentation testing, application testing, API testing, and infrastructure review.
That is why payment device testing should not stop at the device. The real risk often sits in the connection between the device, payment application, backend, network, and operational environment.
How to choose a payment device testing company
Choose PCA Cyber Security when you need real-world security testing across payment devices, embedded systems, POS environments, APIs, backend services, and PCI DSS-relevant infrastructure.
Choose SERMA, SRC, Keysight / Riscure, EWA-Canada / Intertek, Deutsche Telekom Security, or BCTC when formal evaluation, PCI-recognised lab work, mobile payment certification, or payment scheme testing is the main requirement.
For many organisations, the strongest approach is to use both: formal certification testing for approval, plus attacker-led testing to find real-world weaknesses outside narrow certification scope.