PCI PIN SECURITY CERTIFICATION

BOTECH promotes compliance with the PCI PIN requirements for the protection of the personal identification number (PIN).

What is PCI PIN?

“With this regulation, the personal identification number (PIN) is safely managed, processed and transmitted”

This PCI standard defines 33 security requirements for the management, processing and transmission of the personal identification number (PIN) during online and offline payment card transactions at ATMs and POS terminals.

The PCI PIN standard is mandatory for all acquiring institutions and agents responsible for processing PIN transactions for the PCI Security Standards Council payment brands (VISA, MasterCard, AMEX, Discover and JCB), including key injection and certificate management services, and must be used in conjunction with the other applicable industry standards (PCI DSS, PCI P2PE, etc.).

1. Ensure secure management, processing and transmission of the PIN in economic transactions

2. Standard applicable to all entities involved in processing online and offline payment card transactions

3. Outline the minimum acceptable requirements for securing the PIN component and encryption keys

4. Assist all participants in the retail payment system in establishing guarantees that cardholder PIN data are not compromised

Methodology

The evaluation method proceeds through the following steps:

1. Initial training course

The goal is to address issues of general concepts, key compliance points, and to raise awareness within the organization.

2. Expert advice

Interviews are conducted and the necessary documentation is reviewed in order to establish and record the active processes and the providers involved, which will determine the scope of the PCI DSS.

3. GAP Analysis

We conduct a free GAP analysis for new customers, gathering information to analyze all the existing security processes and determine the organization's level of compliance.

4. Accompaniment and advice

Monthly visits by a QSA consultant provide support and advice throughout the implementation process.

5. On-site audit

We gather the information needed to determine PCI PIN compliance. The assessment is recorded in the final ROC (Report on Compliance) and AOC (Attestation of Compliance).

6. Final Review

The final phase prepares the PCI PIN compliance status documentation, followed by the preparation of the ROC and AOC.

What are the 3 groups of requirements related to online and offline transactions?

PCI PIN SECURITY has created 3 annexes for the administration of particular scenarios:

  • Annex A – Symmetric key distribution using asymmetric keys: specific controls for those entities in charge of the remote distribution of symmetric encryption keys using asymmetric keys, and for those entities involved in the operation of Certification Authorities (CA) for such purposes.

  • Annex B – Key-Injection Facilities: specific requirements for entities operating key-injection processes.

  • Annex C – Transaction Processing Operations: formerly known as “PIN Security Requirements”, this group of controls applies to any entity involved in acquiring and/or processing PIN-based transactions.

  • It lists the approved algorithms and the minimum length of keys to be used in this type of process.

What are the 7 Control Objectives?

  1. Personal identification numbers (PINs) used in transactions governed by these requirements are processed using equipment and methodologies that ensure they are kept secure.
  2. Cryptographic keys used for the encryption/decryption of PINs and for the related key management are created using processes that ensure that no key can be predicted and that no key is more likely to occur than any other.
  3. The keys are transmitted securely.
  4. Key loading on HSMs and PIN entry devices is handled securely.
  5. The keys are used in such a way that their unauthorized use is prevented or detected.
  6. The keys are managed securely.
  7. The equipment used to process PINs and keys is managed securely.

What are the 33 security requirements?

You can find more information about PCI PIN Security here.

Does the application of the PCI PIN SECURITY standard mean that each brand's own program is no longer valid?

No, the publication of these standards does not imply that the programs of each brand are no longer valid. For example, VISA PIN Security requires the certification document to be completed annually.

Botech certifiers: QSA (Qualified Security Assessor) and QPA (Qualified PIN Assessor)

Do you need to comply with PCI PIN but you don't know how to do it? Ask us!

Send us an email at info@botechfpi.com or fill in the following contact form.
