PCI PIN Security is the Security Standard defined by Visa, MasterCard, JCB, American Express, Discover Card Brands, for entities that participate in processes of Personal Identification Number (PIN) transactions. The most recent version of PCI PIN Security is 3.1.
In general, organizations or its supporting 3rd parties providing ATM, POS to process PIN transaction need to comply with this standard, including acquirers providing ATM or POS Terminal, Issuer, and intermediate networks (Switch, Network) Card Brands Networks Etc.
According to the requirements of Card Brands, those service vendors providing Key Injection Facilities (KIF), Certification Authority are subject to Self-Assessment Questionnaire or a QPA assessment completed by a PCI SSC Qualified Pin Security Assessor (QPA). All acquiring institutions and agents (e.g., key-injection facilities and certificate processors) responsible for PIN transaction processing on the payment card industry participants’ denominated accounts should be require completing Self-Assessment Questionnaire or complete audit by PCI SSC authorized Qualified Pin Security Assessor (QPA).
To meet PCI PIN Security Compliance requirements, tasks are categorized as follow:
PCI PIN Security requirements are organized into seven related groups, referred to as “Control Objectives.”. Each control objectives require management of security policy and procedures, including Point of Interaction (POI) management procedures which cover ATM, POS Terminal management, HSM management procedures, and the most important part, Key Management related procedures, including key generation, distribution, rotation, revocation, destruction, key exchange with other organizations management procedures, usages of PIN Blocks and Key Blocks, and appliance physical security.
PIN Security relevant devices should include POI (ATM, POS) devices, HSM Keys, Encryption Devices, Key Loading Devices, Servers, and according to Host Software should be inventoried and managed. Due to high volumes of POI, loading key onto devices requires a strict and precise management process to manage organization internal usages of keys, HSM, participants of transactions, key exchange organizations, and at last inventory management of out-sourcing service providers.
All devices of POI (ATM, POS), HSM, Servers, usages of Key Loading Devices, records, and inspection management, must follow operation guideline procedures and keep decent logging. Key exchanges, Key Loading, and Generations must follow required Dual Control, Split Knowledge, and Monitoring. Having records logging with monitoring and reviews.
I. Gap analysis
Start with Gap analysis, to verify the gaps between current environment and PCI PIN Security Standard about devices, operations managements, and identify tasks of meeting of the compliance requirements.
II. Consulting
Consult by experienced PCI PIN Security consultants, based on standard requirements to provide technical and management advisory, and help assessed entity to complete implementations and meet the standard requirements.
III. Onsite PIN assessment
PCI QPA assesses the implementations of the assessed entity against the requirements of PCI PIN Security Standard and according to the frequency required by each Card Brands to complete the assessment results.
IV. Changes
Assessment may result in Non-Compliance that the current environment is not compliance with the standard, thus need assessed entity to implement remediation, corrections, or technical enhancement, changes in processing flows. Upon implementing remediation, implementation evidence complete, obtain another onsite assessment or evidence reviews by QPA to validate the compliance to the standard.
V. Audit Completion
The ROC is effectively a summary of evidence derived from the assessor’s work papers to describe how the assessor performed the validation activities and how the resultant findings were reached. At a high level, the ROC provides a comprehensive summary of testing activities performed and information collected during the assessment against the PCI PIN Security Requirements and Test Procedures. QPA upon completion of assessment should provide ROC, AOC, with signed AOC reports by organization, audit is complete.
When all Non-Compliance items are fixed and validated, PCI QPA will issue the assessment reports, including Report on Compliance (ROC), Attestation of Compliance (AOC). The assessment is completed when assessed entity sign and accept the AOC report.
