PCI PIN – A Quick Intro

Published on : 29 Apr 2020


pci pin security

The Payment Card Industry Security Standards Council (PCI SSC), published version 3.0 of the PCI PIN security requirements in August 2018. This updated version was a collaborative effort between the PCI SSC and the American Standards Committee (ASC) X9. Together they integrated the ASC TR-39 into the PCI PIN security requirements to amalgamate it into PCI PIN 3.0. 

What is the PIN and Why’s it important?

The PIN is what you enter when you authorize a transaction after swiping your card. This is Sensitive Authentication Data (SAD) for all transactions, and any denial of security can lead to this sensitive data landing in the wrong hands. A fraudulent transaction not only does not only have a direct impact on the customer, but the POS organization involved will also lose their credibility in the market and may be subjected to pay heavy penalties to the “Payment brands” for non-compliance.

Who all are covered? Does your organization need PCI PIN compliance?

Does your organization does any of the tasks such as: Generate PIN, encrypt PIN, Manage PIN encryption keys or KeK, remote key injection, manage digital certificates for key management?? If yes, then in all probability you come under PCI PIN (In case of any query or doubt, you can always contact us or the relevant payment brand or your acquirer for clarification)

PCI DSS Vs PCI PIN

PCI DSS facilitates protection of cardholder’s data that is processed, stored or transmitted by merchants. Whereas PTS and PCI PIN security are mainly concerned with the physical and logical security of the point-of-sale devices (POS) or terminals, whether they be attended, i.e. manned by merchants, or unattended (UPT), i.e. parking payment automated machines. Hence, PCI PIN Security standards or PTS apply not only to online transactions, but also to offline payment card transaction processing at ATM’s for both attended and unattended POS terminals.

Brief about PIN Security or PTS Industry Standard Norms

PIN transaction security, or PTS lays down a set of requirements for secure management, processing, and transmission of PIN data during online and offline card transactions. The 33 requirements presented are organized into seven logically related groups, referred to as “Control Objectives.” The PIN security requirements must be met by all institutions that accept or process transactions from ATMs or POS terminals on the acquiring side. This includes banks, their processors and network operators.

These PIN Security Requirements are based on the industry standards and provide;

  • Minimum security requirements for PIN-based interchange transactions.
  • Minimum acceptable requirements for securing PIN and encryption keys.
  • Assurance of minimum risk pertaining to compromise in PIN of the cardholder. 

How can we help you?

The PCI PIN 3.0 update has brought with it a multitude of changes specifically for having comprehensive documentation to attest, documented and followed by an organization’s personnel. VISTA InfoSec has the expertise to audit your processes for compliance and even support your organization in writing customized documentation for all required processes/ procedures and also help processors, merchants and KIFs (Key Injection Facilities) become compliant.

VISTA InfoSec which is based in United States, India and Singapore for the past 15 years has helped hundreds of organizations worldwide to become compliant to numerous standard requirements such as PCI DSS, PCI PIN Audit, SOC1/2, HIPAA, GDPR, PDPA, ISO27001, etc. Now is the right time for you to focus on your business’s core function, and allow VISTA InfoSec, a leading authority on financial security, to take care of all regulatory compliances and stay updated as per industry standards. 

You can watch our webinar on : PCI PIN, PCI Cryptography and Key Management

 

Narendra Sahoo
Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.