PCI DSS 4.0

What the PIN?! 3 Entities that MUST Comply with the PCI PIN Standard

Written by Greg Kraft | May 2, 2024 6:50:40 PM
Are you an acquirer or processor that manages PIN data, a vendor that provides systems that handle PIN data, or a merchant that stores, processes, or transmits PIN data? If so, you will want to understand the PCI SSC's PIN Security Requirements and Test Procedures v3.1 and why you need to comply with it.

This blog is for you if you:

  • Don’t know whether you need to comply with the PCI PIN Security Requirements and Test Procedures program,
  • Don’t know what the program is, and/or
  • Don’t know to whom the PIN program applies.


What is PCI PIN?

First, what is PCI PIN other than a string of confusing acronyms? The acronyms are as follows:

PCI SSC: Payment Card Industry Security Standards Council
QPA: Qualified PIN Assessor
PIN: Personal Identification Number

The PCI PIN Security Requirements v3.1 program includes an assessment of the security of the systems, processes, and facilities that handle or process PIN data, such as PIN Entry Devices (PEDs), Point-of-Sale (POS) systems, and back-end systems that store, process, or transmit PINs. These assessments are performed by a QPA, a company qualified by the PCI SSC to carry out PIN assessments.


Let’s step through a bit of its history.

When the PIN standard began, Visa (and the other card brands) ran a program in which participants completed an annual Self-Assessment Questionnaire similar to a SAQ D. This program existed for many years, and every couple of years a Visa-approved assessor would come in to review the environment.


At some point the card brands decided that, rather than each running its own PIN program, they would hand the program to the PCI Council, as had been done with the PCI DSS. The Council took over management of the PIN Standard and expanded the activities the program requires, resulting in a formalized PIN assessment that participating organizations undergo every two years.


What is the PIN Standard?

PIN is prevalent in the face-to-face (card-present) payment channel. When you go into a store to buy groceries or make a payment and hand a physical card to someone, or insert your card into a PED and a transaction is made that is protected by a PIN (including chip-and-PIN authorization), the entities that process, transmit, or transform that PIN are the ones for which compliance with the PIN Standard is considered.


The PIN is encrypted inside the PIN entry device (a secure cryptographic device) at the moment it is entered, and only the encrypted PIN block is transmitted across the communication channels; every channel that participates in the transaction should itself be encrypted. The PIN Standard is, in effect, a standard that covers the devices themselves, the cryptographic mechanisms, the hardware security modules (HSMs), and so on. HSMs perform the cryptographic operations (key generation, PIN block translation between zones, PIN verification) at high throughput, and the PIN Standard concentrates on that ecosystem, along with the people and processes that ensure cryptographic integrity is maintained in a payment ecosystem that customers consider secure.


The PIN assessment verifies whether an organization follows the correct cryptographic key-lifecycle procedures and processes: which types of keys it generates within its key hierarchy, whether each key is used only for its designated purpose in that hierarchy (for example, key-encrypting keys protecting PIN-encryption keys), and whether the keys are protected accordingly. It also ensures that keys are generated with strong randomness inside a secure cryptographic device such as an HSM.
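
To make the two paragraphs above concrete, here is an added example (not code from the original post, the PCI SSC, or any vendor) of the first step a PED performs before a PIN ever leaves the device: assembling an ISO 9564-1 "format 0" PIN block. The clear PIN is combined with the cardholder's PAN so that the resulting block is bound to that card, and it is this block, not the raw digits, that the secure cryptographic device then encrypts under a PIN-encryption key and that an HSM later translates or verifies. The encryption step itself is omitted here (it happens inside the SCD/HSM and is not something application code should do); the sample PIN and PAN are constructed test values, and the function names are this example's own.

```python
# Added example: ISO 9564-1 format 0 PIN block assembly and recovery.
# Illustration only; in production these operations run inside a PED or HSM
# and the clear PIN block never exists outside a secure cryptographic device.

def _pan_field(pan: str) -> bytes:
    """16 hex digits: '0000' + the rightmost 12 PAN digits, excluding the Luhn check digit."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 decimal digits")
    return bytes.fromhex("0000" + pan[-13:-1])


def _pin_field(pin: str) -> bytes:
    """16 hex digits: control nibble 0, PIN length, the PIN digits, then 'F' padding."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 decimal digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))


def format0_pin_block(pin: str, pan: str) -> bytes:
    """Clear format 0 PIN block = PIN field XOR PAN field (8 bytes)."""
    return bytes(a ^ b for a, b in zip(_pin_field(pin), _pan_field(pan)))


def recover_pin(block: bytes, pan: str) -> str:
    """Reverse the XOR with the PAN and validate the block layout.

    The padding/format checks are what make a block assembled under one PAN
    fail when it is presented with a different PAN: the PIN is bound to the card.
    """
    if len(block) != 8:
        raise ValueError("format 0 block must be 8 bytes")
    field = bytes(a ^ b for a, b in zip(block, _pan_field(pan))).hex().upper()
    if field[0] != "0":
        raise ValueError("control nibble is not 0: not a format 0 block")
    length = int(field[1], 16)
    if not 4 <= length <= 12:
        raise ValueError("PIN length nibble out of range")
    pin = field[2:2 + length]
    padding = field[2 + length:]
    if not pin.isdigit() or padding != "F" * (14 - length):
        raise ValueError("PIN digits or padding check failed (wrong PAN or corrupted block)")
    return pin


def pin_block_matches(block: bytes, pan: str) -> bool:
    """True if the block decodes cleanly under this PAN, False otherwise."""
    try:
        recover_pin(block, pan)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed test values (not real card data).
    pin, pan, other_pan = "1234", "4111111111111111", "5555555555554444"
    block = format0_pin_block(pin, pan)
    print("clear format 0 block:", block.hex().upper())      # 041225EEEEEEEEEE
    print("recovered under correct PAN:", recover_pin(block, pan))
    print("decodes under a different PAN?", pin_block_matches(block, other_pan))
```

The block that this produces is what the PED hands to its PIN-encryption routine; an acquirer-side HSM, holding the corresponding zone key, decrypts it, reverses the XOR with the PAN from the transaction, and re-encrypts it under the next zone's key without the clear PIN ever leaving the HSM. That end-to-end path, and the keys at each hop, is exactly the scope a PIN assessment examines.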


Do you need to be compliant?

Three types of entities meet the criteria and must undergo PCI PIN assessments.

  1. Acquirers and processors that manage PIN data.
  2. Vendors that develop and maintain systems that handle PIN data.
  3. Merchants and service providers that store, process, or transmit PIN data.

Let’s break this down with more specific examples. Here are a few things to look for to determine whether you must be assessed:


  • Banks that maintain their own payment ecosystems are very likely to require PIN validation.
  • Larger merchants that own and operate their own payment infrastructure.
  • By definition, any entity that stores, processes, or transmits PIN data must adhere to PCI requirements; an entity already subject to PCI DSS may additionally need to comply with the PCI PIN Standard if it handles PIN processing specifically.
  • Institutions that provide services for payment terminals handling card-present transactions.
  • Organizations involved in key injection into POI (Point of Interaction) devices.
  • Organizations that provide foundational PIN-related services such as:
    • Certification and Registration Authority Operations
    • Key Injection Facilities
    • PIN Acquirer Payment Processing - POS
    • PIN Acquirer Payment Processing - ATM
    • Remote Key Distribution Using Asymmetric Keys - Operations
  • Organizations with HSMs in scope for their PCI DSS validation.
  • Organizations that perform payment processing for card-present terminals they operate themselves, rather than having it provided by an outsourced service provider.


If you have further questions about the PCI PIN requirements or are seeking clarification about whether your organization should be adhering to the PCI PIN Standard, please reach out and ask your PCI QSA or QPA/PIN Assessor to discuss your specific environment.

You can connect with Online's PCI QSA team by sending an email to connect@obsglobal.com

reference: PCI Security Standards – Case Study

For additional insight and guidance from Online’s QSA team, explore more valuable content in our digital PCI DSS v4.0 Resource Center. We are adding insights regularly with valuable 'in the trenches' tips for success. Or, if you have questions – no matter how big or small – one of our experienced QSAs would be happy to provide guidance and share knowledge.

Send us an email to connect@obsglobal.com