The PCI PIN Security Requirements must be met by every institution that acquires PIN transactions from ATMs or POS devices, including acquirers, processors, and network operators.

The standard’s 32 individual questions include extensive requirements for hardware device properties, for example tamper resistance, the quality of the random number generator used for key generation, approved cryptographic methods, etc. The PCI PIN Security requirements for well-defined, documented, and consistently applied processes cover the entire life cycle of every key used in connection with PIN encryption or translation: key generation, receipt or transmission, storage, loading, and destruction. Detailed procedures for each of these events must be available and must be followed at all times. This also includes manual logging of each phase of a key’s life cycle.

The standard also has a number of rules related to hardware device management, including the tracking of every HSM, ATM EPP, and POS device over its whole lifespan. Your institution must always know where each secure cryptographic device is and what its status is, regardless of the number of devices, be it 5 HSMs, 50 ATMs, or 500,000 POS terminals. The two normative annexes of the standard provide detailed requirements for key injection facilities and for symmetric key distribution using asymmetric techniques.

All in all, this standard’s attention to detail leaves very little margin for error compared to PCI DSS. A mistake in key management generally has a large impact that scales directly with the number of ATM EPPs or POS terminals involved.

Our long-standing experience in the field of PCI PIN Security allows us to provide your company with workshops, consultancy, and gap analysis services to help you meet all of the standard’s requirements.

Useful Links

The PCI PIN Security Standard – catalogue of all requirements of the PIN Security Standard

Visa Europe PIN Security Infos – detailed information from Visa Europe regarding PIN Security

News for this Standard

Newsletter 2/2014

01.12.2014

New awareness workshops in 2015: In 2015 we are once again offering a wide range of awareness workshops for the PCI DSS and PA-DSS standards. Get in touch with [...]