PCI PIN is a Security Standard outlined by the PCI Council on payment security, to protect PIN data. It provides a set of requirements for secure management, processing, and transmission of PIN data during online and offline card transactions. A total of 33 requirements outlined in 7 logical related groups called Control Objectives ensures PIN data is not compromised during the process of electronic payment especially during key exchange process. PCI PIN security mainly focuses on protecting all types of POS (point-of-sale) devices and terminals, including attended or manned by merchants, or Unattended Payment Terminals (UPT) devices such as parking payment automated machines. PCI Security Standards are not just applicable to online transactions but also to offline payment card transaction processed at ATMs and attended / unattended POS terminals.
Initial study of your business to understanding your card processes and environment. This will enable us to consolidate the PCI scope thereby helping you reduce cost and time of implementation.
Support to management in Scope Definition which includes timelines, responsibilities, and budget for the implementation.
Conduct an “as-is” Gap Analysis of your organization vis-à-vis the standard.
Conduct an Awareness session to your IT Team and business processes involved in card data processing on the background of PCI PIN along with their responsibilities and timelines.
Identify your critical information assets, classify them, and create the Asset inventory.
With the “What” part identified, our experts conduct a detailed Risk Assessment to identify what can go wrong with which asset and how it will impact your organization.
In sync with our Tech Team, our experts rank out the risks and help you strategize the Risk Treatment measures.
With all data in hand, our team then creates the SOP document set. Your inputs are required only to validate the same.
Conduct internal/external Vulnerability Assessment and penetration testing of your servers and networks.
Since PCI has a significant amount of Technology involved, our Infrastructure Advisory Services team shall support your internal team in rolling out the recommendations such as sanitized CDE (Card Data Environment) processing room, network segregation, log correlation, encryption, SIEM, product POC, NAC/WAF assessment, IPV6, etc.
Specialized personnel then conduct User Training of ALL personnel covered in scope on their specific responsibilities.
Once all controls are confirmed to be in place, we as a QPA get you certified. We can even help you get certified with external auditors (of your choice) for PCI PIN if required.
If you so wish, we can take over the responsibility for Continually Supporting (Managed Compliance Services) your organization to stay PCI PIN certified.
The PCI PIN is a security standard that outlines the security and procedural requirements for acquiring Financial Institutions including the Issuing Banks, Credit Unions, and organizations that manage or deploy PIN acceptance devices (process and accept cardholder PINs at ATMs, POS terminals, or kiosks). This would include encryption support organizations, key injection facilities, and all organizations that perform key management activities in support of PIN processing. It will also include companies using asymmetric cryptography via remote distribution and certificate authorities.
PCI PIN Security requirements are standards devised in context to all types of POS (point-of-sale) devices and terminals, including attended or manned by merchants, or unattended (UPT) devices such as parking payment automated machines. PCI PIN Security Standards apply not just to online transactions, but also offline payment card transaction processing at ATM’s and attended and unattended POS terminals.
PCI PIN applies to the end to end process for pin management such as those used by Financial Institutions like the Issuing banks, Credit Unions, Organizations that manage or deploy devices that process PCI PIN ATMs, POS terminals or kiosks, and Encryption Support Organizations are also included.
The PCI PIN requirement calls for organizations to ensure a cardholder's 4-digit PIN remains encrypted throughout the payment process to maintain the Confidentiality and Security of Sensitive Data. The requirement outlines the procedures and equipment required to achieve the highest level of encryption. One essential element required for securing the encryption and PIN’s is the use of Payment HSMs. Payment HSM is used for key management and encryption of sensitive data. The encryption requirements call for-
HSM is essential in PCI PIN for it is used in key management and encryption of sensitive data.
The validation cycle of the PCI PIN Security program is 24 months. But organizations need to conduct an audit every year to check the effectiveness of their Security Controls, Procedures, and Policies.
Qualified PIN Assessor (QPA) is a Security Organization such as us @VISTA InfoSec who have been qualified by the Council to validate and ensure adherence to the PCI PIN Standard.