PCI PIN Advisory and Certification

PCI PIN is a security standard published by the PCI Security Standards Council to protect PIN data. It provides a set of requirements for the secure management, processing, and transmission of PIN data during online and offline card transactions. A total of 33 requirements, organized into seven logically related groups called Control Objectives, ensure that PIN data is not compromised during electronic payment processing, especially during the key exchange process. PCI PIN security focuses on protecting all types of POS (point-of-sale) devices and terminals, whether attended (manned by merchants) or Unattended Payment Terminals (UPT) such as automated parking payment machines. PCI Security Standards apply not just to online transactions but also to offline payment card transactions processed at ATMs and attended / unattended POS terminals.

    Our Approach to PCI PIN Advisory and Certification

    Initial Study

    Initial study of your business to understand your card processes and environment. This enables us to consolidate the PCI scope, thereby helping you reduce the cost and time of implementation.

    Scope Definition

    Support to management in Scope Definition, which includes timelines, responsibilities, and budget for the implementation.

    Gap Analysis

    Conduct an “as-is” Gap Analysis of your organization vis-à-vis the standard.

    Conduct Awareness Session

    Conduct an awareness session for your IT team and the business process owners involved in card data processing, covering the background of PCI PIN along with their responsibilities and timelines.

    Asset Inventory

    Identify your critical information assets, classify them, and create the Asset Inventory.

    Risk Assessment

    With the “what” identified, our experts conduct a detailed Risk Assessment to identify what can go wrong with which asset and how it would impact your organization.

    Risk Treatment

    In sync with our Tech Team, our experts rank the risks and help you strategize the Risk Treatment measures.

    SOP Document Set

    With all data in hand, our team then creates the SOP document set. Your input is required only to validate it.

    VA/PT

    Conduct internal/external Vulnerability Assessment and Penetration Testing of your servers and networks.

    Rolling Out Recommendations

    Since PCI involves a significant amount of technology, our Infrastructure Advisory Services team shall support your internal team in rolling out the recommendations, such as a sanitized CDE (Card Data Environment) processing room, network segregation, log correlation, encryption, SIEM, product POC, NAC/WAF assessment, IPv6, etc.

    User Training

    Specialized personnel then conduct User Training for ALL personnel covered in scope on their specific responsibilities.

    Certified with External Auditors

    Once all controls are confirmed to be in place, we as a QPA get you certified. We can also help you get certified with external auditors (of your choice) for PCI PIN if required.

    Continual Support

    If you so wish, we can take over the responsibility for continually supporting your organization (Managed Compliance Services) to stay PCI PIN certified.

    Why work with VISTA InfoSec?

    Industry Expertise – We will share industry-specific insight and provide relevant recommendations for achieving your compliance goals.
    Years of Experience – With more than 150 successful audits performed since 2008, you can be assured of getting the best industry experts. We even have auditors with a minimum of 12-15 years’ experience.
    End-to-end support – Our team will hand-hold you at every stage of the compliance process, including the design of controls and documentation as may be required.
    Robust security & risk management solution – We will provide you with a comprehensive solution, designed to meet your requirements.
    Reports detailing the analysis findings – We will provide you with documents detailing the findings of the analysis and relevant recommendations for the same.
    Training videos and materials – We will provide valuable training videos and materials for equipping your personnel on an ongoing basis.
    Attestation support – Our in-house Qualified PIN Assessors will provide you with PCI PIN Certification after the successful completion of the audit, as per the required standard.
    Vendor neutral company – We believe in being your true consulting / audit partners by not engaging in sales of hardware/software that might create bias.
    Strictly no outsourcing – We value your trust in us, so we do not outsource your critical assignments to another third party.

    Frequently Asked Questions on PCI PIN Advisory and Certification

    PCI PIN is a security standard that outlines the security and procedural requirements for acquiring financial institutions, including issuing banks, credit unions, and organizations that manage or deploy PIN acceptance devices (which process and accept cardholder PINs at ATMs, POS terminals, or kiosks). This includes encryption support organizations, key injection facilities, and all organizations that perform key management activities in support of PIN processing. It also includes companies using asymmetric cryptography for remote key distribution and certificate authorities.

    PCI PIN Security requirements are devised for all types of POS (point-of-sale) devices and terminals, whether attended (manned by merchants) or unattended (UPT) devices such as automated parking payment machines. PCI PIN Security Standards apply not just to online transactions, but also to offline payment card transaction processing at ATMs and attended and unattended POS terminals.

    PCI PIN applies to the end-to-end process for PIN management, as used by financial institutions such as issuing banks and credit unions, organizations that manage or deploy PIN-processing devices (ATMs, POS terminals, or kiosks), and encryption support organizations.

    The PCI PIN requirement calls for organizations to ensure a cardholder's 4-digit PIN remains encrypted throughout the payment process, to maintain the confidentiality and security of sensitive data. The requirement outlines the procedures and equipment required to achieve the highest level of encryption. One essential element for securing the encryption and the PINs is the use of Payment HSMs. A Payment HSM is used for key management and encryption of sensitive data. The encryption requirements call for:

    Key management of the cryptographic keys used for PIN encryption and decryption, to ensure the sensitive keys are handled securely throughout their lifecycle, including generating, storing, and destroying the keys.
    Procedures that detect and manage security events in case of a key compromise.
    Procedures, roles, and responsibilities pertaining to PIN encryption that are documented, regularly reviewed, and audited.

    An HSM is essential in PCI PIN because it is used for key management and encryption of sensitive data.

    The validation cycle of the PCI PIN Security program is 24 months. However, organizations need to conduct an audit every year to check the effectiveness of their security controls, procedures, and policies.

    A Qualified PIN Assessor (QPA) is a security organization, such as VISTA InfoSec, that has been qualified by the Council to validate and ensure adherence to the PCI PIN Standard.

    PCI PIN ensures improved security of the sensitive PINs used for online and offline payment transactions.
    Secures the management, processing, and transmission of PIN data.
    Reduces or prevents Point-of-Sale (POS) fraud.
    Provides flexibility and scalability, and lowers the cost of software solutions.
    Reduces the cost of expensive specialized ID verification terminals for the protection of data.
    Increased merchant adoption enhances payment volumes and increases fee revenue.

    PCI PIN Consulting will cost $20000.

    Discover our latest resources

    PCI PIN – A Quick Intro

    The Payment Card Industry Security Standards Council (PCI SSC), published … Read More

    PCI PIN, PCI Cryptography and Key Management