
PCI SSC – PCI PIN

The Payment Card Industry PIN Security Standard [1] (PCI PIN) contains a complete set of requirements for the secure management, processing and transmission of personal identification number (PIN) data during online and offline payment card transaction processing at ATMs and at attended and unattended point-of-sale (POS) terminals. These PIN Security Requirements are based on the industry standards referenced in the “PIN Security Requirements – Technical Reference” section of the document.

PCI PIN

  • Identifies minimum security requirements for PIN-based interchange transactions.
  • Outlines the minimum acceptable requirements for securing PINs and encryption keys.
  • Assists all retail electronic payment system participants in establishing assurances that cardholder PINs will not be compromised.
PCI PIN Control Objectives

The 32 requirements presented in the document are organized into seven logically related groups, referred to as “Control Objectives.” These requirements are intended for use by all acquiring institutions and agents responsible for PIN transaction processing on accounts denominated by payment card industry participants, and should be used in conjunction with applicable industry standards.

PCI PIN Additional Requirements

PCI PIN has two normative Annexes, which set out requirements (in addition to the initial 32) for entities that perform certain cryptographic keying operations:

  • Annex A applies to entities that implement symmetric key distribution using asymmetric keys (remote key distribution), and to entities that operate Certification Authorities for that purpose (see Normative Annex A).
  • Annex B applies to entities that operate key-injection facilities for the injection of keys (KEKs, PEKs, etc.) used for the acquisition of PIN data.

[1] Reference: https://www.pcisecuritystandards.org/documents/PCI_PIN_Security_Requirements.pdf

Who Must Comply with PCI PIN?

All PIN-acquiring organizations and their sponsored agents that process Visa cardholder PIN data, as well as Encryption Service Organizations (ESOs), must comply with the PCI PIN Security Requirements, the PCI Point of Interaction (POI) Modular Security Requirements, Visa’s PIN Entry Device (PED) requirements and Visa’s TDES mandates. All such organizations must perform appropriate due diligence to ensure compliance. However, only entities identified as PIN Program participants must submit compliance validation documentation to Visa.

Refer to your sponsoring entity for specific requirements. Additionally, here are links to Visa’s site that may be helpful: