BOTECH, together with our partners, promotes compliance with the PCI PIN regulations for the protection of personal identification numbers.
Ensure the secure management, processing and transmission of the PIN in economic transactions.
Standard applicable to all entities involved in processing online and offline payment card transactions.
Outline the minimum acceptable requirements for securing the PIN component and encryption keys.
Assist all participants in the retail payment system in establishing assurances that cardholder PIN data is not compromised.
What is PCI PIN?
“With this regulation, the personal identification number (PIN) is safely managed, processed and transmitted”.
This PCI standard defines 33 security requirements for the management, processing and transmission of the personal identification number (PIN) during online and offline payment card transactions at ATMs and POS terminals.
The PCI PIN standard is mandatory for all acquiring institutions and agents responsible for processing PIN transactions for PCI Security Standards Council branded cards (VISA, MasterCard, AMEX, Discover and JCB), including key injection and certificate management services, and must be used in conjunction with other applicable industry standards (PCI DSS, PCI P2PE, etc.).
Frequently Asked Questions
What are the 3 groups of requirements related to online and offline transactions?
The PCI PIN Security standard defines 3 annexes covering particular scenarios:
- Annex A – Symmetric key distribution using asymmetric keys: specific controls for those entities in charge of the remote distribution of symmetric encryption keys using asymmetric keys, and for those entities that operate Certification Authorities (CA) for such purposes.
- Annex B – Key-Injection Facilities: specific requirements for entities operating key-injection processes.
- Annex C – Transaction Processing Operations: Formerly known as “PIN Security Requirements”, this group of controls applies to any entity involved in acquiring and/or processing PIN-based transactions.
- It lists the approved algorithms and the minimum length of keys to be used in this type of process.
Does the application of the PCI PIN SECURITY standard mean that each brand's own program is no longer valid?
No, the publication of these standards does not imply that the programs of each brand are no longer valid. For example, VISA PIN Security requires the certification document to be completed annually.
What are the 33 security requirements?
You can find more information about PCI PIN Security here.
What are the 7 Control Objectives?
1.- Personal identification numbers (PINs) used in transactions governed by these requirements are processed using equipment and methodologies that ensure they are kept secure.
2.- Cryptographic keys used for encryption/decryption of PINs and related key management are created using processes that ensure that it is not possible to predict any key or to determine that certain keys are more likely than others.
3.- The keys are transmitted securely.
4.- Key-loading on HSMs and PIN entry devices is handled securely.
5.- Keys are used in such a way that their unauthorized use is prevented or detected.
6.- Keys are managed securely.
7.- The equipment used to process personal identification numbers and keys is managed securely.
The evaluation method is performed through the following steps:
1. Initial Training Course
During this phase, general concepts and the key points for compliance are addressed, and awareness within the organization is promoted.
2. Expert advice
Interviews are conducted and the necessary documentation is reviewed to establish and record the active processes and the suppliers involved, which will determine the scope of PCI PIN.
3. Free GAP Analysis
A free GAP analysis for new clients: information is collected in order to analyze all existing security processes and determine the organization's level of compliance.
4. Accompaniment and advice
A QSA consultant conducts monthly visits for ongoing advice throughout the implementation process.
We gather information to determine the organization's compliance with PCI PIN. The evaluation is included in the final report: the ROC (Report on Compliance) and the AOC (Attestation of Compliance).
6. Final revision
Preparation of the documentation on the PCI PIN compliance status, followed by the preparation of the ROC and AOC reports.