
Navigating PCI PIN Security Requirements

What are PCI PIN Security Requirements and why do you need to adhere to them?

The PCI PIN Security Requirements define a set of standards for the secure management, processing and transmission of PIN data during online and offline card transactions. The requirements ensure that a cardholder's 4-digit PIN (6 digits in some countries) remains encrypted throughout the entire payment system, so its confidentiality is protected at every hop. The PIN is the credential used to authenticate the cardholder during a transaction, and it must never be exposed during payment processing.

The PIN is an extremely sensitive piece of data: if it is compromised together with the associated card details, fraudulent transactions follow, with direct financial loss. Attacks on insecure and outdated payment terminals are also increasing, so adhering to the standard is crucial.

The PCI PIN Security Requirements describe the procedures and equipment required to keep PINs, and the keys that encrypt them, protected. One critical element is the use of payment HSMs, and these need to be deployed and managed in the right way.

The Role of Payment HSMs in PCI PIN Compliance

Payment HSMs protect the entire life cycle of the cryptographic keys and perform the encryption, decryption and translation of PIN blocks throughout the payment transaction. At each stage of the payment process the PIN block is re-encrypted under a different key (for example from the terminal's PIN key to the zone key shared with the next party), and that translation happens inside the HSM, so the PIN is never in the clear outside it.

The PCI PIN Security Requirements primarily focus on the following aspects: 

  • Key Management and Cryptographic Key Handling: the cryptographic keys used for PIN encryption and decryption must be handled in an approved, secure manner, including generating, rotating and destroying the keys.
  • Security Event Detection and Audit: proper procedures must be in place to detect and manage security events such as compromised keys. These procedures, roles and responsibilities must be documented, recorded, regularly reviewed and audited.
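To make the translation step concrete, here is an added example that is not part of the original page and not Utimaco's code. It builds an ISO 9564-1 Format 0 PIN block, encrypts it under a terminal PIN key (TPK) as a PIN entry device would, translates it to a zone PIN key (ZPK) inside a simulated HSM boundary without ever handing the clear block back to the caller, and verifies it on the issuer side. The key names, the two-key TDES test keys, the sample PAN and PIN, and the issuer-side comparison against a reference PIN are all constructed for the demonstration; a real issuer verifies against a PVV or PIN offset rather than a stored PIN, and production keys are loaded as components under dual control, never as literals in source.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

func allDigits(s string) bool { return s != "" && strings.Trim(s, "0123456789") == "" }

// buildISO0PinBlock forms an ISO 9564-1 Format 0 clear PIN block:
// (0 | PIN length | PIN | F padding) XOR (0000 | rightmost 12 PAN digits excluding the check digit).
func buildISO0PinBlock(pin, pan string) (out [8]byte, err error) {
	if len(pin) < 4 || len(pin) > 12 || !allDigits(pin) {
		return out, errors.New("PIN must be 4 to 12 digits")
	}
	if len(pan) < 13 || !allDigits(pan) {
		return out, errors.New("PAN must be at least 13 digits")
	}
	f1 := fmt.Sprintf("0%X%s", len(pin), pin)
	b1, _ := hex.DecodeString(f1 + strings.Repeat("F", 16-len(f1)))
	b2, _ := hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
	for i := range out {
		out[i] = b1[i] ^ b2[i]
	}
	return out, nil
}

// pinHSM simulates the payment HSM trust boundary: keys and clear PIN blocks never
// leave it; callers only ever receive an encrypted block or a yes/no result.
type pinHSM struct{ keys map[string][]byte } // key name -> 16-byte double-length TDES key

func (h *pinHSM) keyCipher(name string) (cipher.Block, error) {
	k, ok := h.keys[name]
	if !ok {
		return nil, fmt.Errorf("key %q not loaded", name)
	}
	return des.NewTripleDESCipher(append(append([]byte{}, k...), k[:8]...)) // K1|K2 used as K1|K2|K1
}

// encryptPinBlock models the PIN entry device: the clear block is encrypted under the
// terminal PIN key (TPK) before anything leaves the terminal.
func (h *pinHSM) encryptPinBlock(key string, plain [8]byte) (enc [8]byte, err error) {
	c, err := h.keyCipher(key)
	if err == nil {
		c.Encrypt(enc[:], plain[:])
	}
	return enc, err
}

// translatePinBlock re-encrypts an encrypted block from one zone key to the next
// (e.g. TPK -> ZPK). The clear block exists only inside this call and is scrubbed.
func (h *pinHSM) translatePinBlock(from, to string, enc [8]byte) (out [8]byte, err error) {
	in, err := h.keyCipher(from)
	if err != nil {
		return out, err
	}
	next, err := h.keyCipher(to)
	if err != nil {
		return out, err
	}
	var plain [8]byte
	in.Decrypt(plain[:], enc[:])
	next.Encrypt(out[:], plain[:])
	plain = [8]byte{}
	return out, nil
}

// verifyPin models the issuer HSM: decrypt under its zone key and compare, in constant time,
// against a block rebuilt from the reference PIN (a constructed simplification of PVV/offset checks).
func (h *pinHSM) verifyPin(key string, enc [8]byte, pan, referencePin string) (bool, error) {
	c, err := h.keyCipher(key)
	if err != nil {
		return false, err
	}
	want, err := buildISO0PinBlock(referencePin, pan)
	if err != nil {
		return false, err
	}
	var got [8]byte
	c.Decrypt(got[:], enc[:])
	return subtle.ConstantTimeCompare(got[:], want[:]) == 1, nil
}

// demoHSM loads two constructed test keys; real keys arrive as components under dual control.
func demoHSM() *pinHSM {
	tpk, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	zpk, _ := hex.DecodeString("A1B2C3D4E5F60718293A4B5C6D7E8F90")
	return &pinHSM{keys: map[string][]byte{"TPK": tpk, "ZPK": zpk}}
}

func main() {
	pan, pin := "4111111111111111", "1234" // constructed sample values
	h := demoHSM()
	plain, _ := buildISO0PinBlock(pin, pan)
	atAcquirer, _ := h.encryptPinBlock("TPK", plain)             // terminal -> acquirer
	atIssuer, _ := h.translatePinBlock("TPK", "ZPK", atAcquirer) // acquirer HSM -> issuer
	ok, _ := h.verifyPin("ZPK", atIssuer, pan, pin)              // issuer HSM
	fmt.Printf("clear %X\nunder TPK %X\nunder ZPK %X\nverified %v\n", plain, atAcquirer, atIssuer, ok)
}
```

Running it shows two different ciphertexts for the same PIN block (one per key zone) and a successful issuer verification, while no function outside the simulated HSM ever returns a decrypted block. Translating to an unloaded key, or verifying a block under the wrong key, fails rather than leaking anything.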

How to Become PCI PIN Compliant 

Firstly, to become compliant with the PCI PIN Security Requirements you need payment HSMs; it is important to note that general-purpose HSMs do not support the specific cryptographic functions (PIN block formation, translation and verification, for example) required in the payments world. Your payment HSM must be certified to PCI PTS HSM v3 or validated to FIPS 140-2 Level 3 or higher.

The PCI PIN Security Requirements comprise 33 requirements, grouped under 7 control objectives. To demonstrate PCI PIN compliance, an onsite assessment must be conducted by a Qualified PIN Assessor (QPA).

The onsite assessment typically includes:

  • Gap analysis: assessing the existing procedures and processes, including a review of your environment, equipment and security controls.
  • Remediation: addressing any gaps identified by the QPA so that the requirements are met.
  • PCI PIN assessment: the onsite review that validates the PIN requirements; it can include interviews and a review of network diagrams, processes, policies and procedures.
  • Final review and reporting: an internal QA review before the PCI PIN Report on Compliance (ROC) and Attestation of Compliance (AOC) are issued, which can then be shared with other entities.

How Can Utimaco Help: The Importance of Payment HSMs in Achieving Compliance 

Payment HSMs are central to achieving PCI PIN compliance, as they provide the necessary cryptographic support required by the standards.

Businesses that store, process or transmit cardholder data must adhere to the mandatory Payment Card Industry Data Security Standard (PCI DSS). Utimaco devices are certified to help you meet these requirements. Utimaco payment HSMs are PCI PTS HSM v3 certified, and the Utimaco C3 key loading device is also PCI PTS certified. Dual authorization is enforced when setting up the HSMs. Utimaco is regularly assessed by security assessors to ensure compliance with the PCI PIN security requirements.
