mobile payment with a credit card

Navigating PCI PIN Security Requirements

What are PCI PIN Security Requirements and why do you need to adhere to them?

PCI PIN Security Requirements outline a set of standards for secure management, processing, and transmission of PIN  data during online and offline card transactions. The requirements ensure a cardholder’s 4-digit PIN (or 6-digits in some countries) remains encrypted throughout the entire payment system, so confidentiality is protected at all times. The PIN is a key credential used to identify and authenticate the customer during a transaction, and it should not be exposed during payment processing.

The PIN is an extremely sensitive piece of unique data and if compromised along with associated card details, fraudulent activity can occur resulting in financial loss. There is also an increasing number of attacks on unsecure and outdated payment terminals, so adhering to standards is crucial.

PCI PIN Security Requirements outlines the procedures and equipment required to achieve the highest level of encryption. One critical element required for securing the encryption and PIN’s is the use of Payment HSMs, and these need to be used and managed in the right way. 

The Role of Payment HSMs in PCI PIN Compliance

Payment HSMs are used to protect the life cycle of cryptographic keys and to execute encryption and decryption procedures during entire payment transactions. At each stage of the payments process the PIN is encrypted with a different key.  

The PCI PIN Security Requirements primarily focus on the following aspects: 

  • Key management and Cryptographic Key Handing: cryptographic keys used for PIN encryption and decryption. Ensuring these are handled in an approved secure manner, including generating, rotating and destroying the keys. 
  • Security Event Detection and Audit: Proper procedures in place to detect and manage security events such as compromised keys. These procedures, roles and responsibilities must be documented, recorded, regularly reviewed and audited.

How to Become PCI PIN Compliant 

Firstly, in order to become compliant with PCI PIN Security Requirements you have to acquire Payment HSMs and it’s important to note general purpose HSMs do not support the specific cryptographic functions required required in payment world. Your Payment HSM must be certified to PCI PTS HSM v3 or FIPS 140-2 Level 3 or higher.  

The PCI PIN Security Requirements compromise of 33 requirements, categorized under 7 control objectives. To successfully prove PCI PIN compliance, an onsite assessment will need to be conducted by a Qualified PIN Assessor (QPA).  

The onsite assessment typically incudes 

  • Gap analysis: Assessing the existing procedures and processes in place, this will include reviewing your environment, equipment and security controls.
  • Remediation: Addressing any gaps identified by the QPA to ensure compliance.
  • PCI PIN assessment: Onsite review to validate PIN requirements and can include interviews, review of network diagrams, processes, policies and procedures.
  • Final Review and Reporting: Internal QA review process before issuing the PCI PIN Report on Compliance (ROC) and Attestation of Compliance (AOC) which can then be shared with other entities. 

How Can Utimaco Help: The Importance of Payment HSMs in Achieving Compliance 

Payment HSMs are central to achieving PCI PIN compliance, as they provide the necessary cryptographic support required by the standards.

Business that stores, processes, or transmits cardholder data must adhere to the mandatory Payment Card Industry Data Security Standards (PCI-DSS) requirements. All Utimaco devices adhere and are certified to help you pass these requirements.  The Utimaco Payment HSMs are PCI PTS HSM v3 certified. The Utimaco C3 key loading device is also PCI PTS certified. Dual authorization is used to ensure security when setting up HSMs. Utimaco is regularly assessed by security assessors to ensure compliance with PCI PIN security.

Downloads

Downloads

How can we help you?

Talk to one of our specialists and find out how Utimaco can support you today.
You have selected two different types of downloads, so you need to submit different forms which you can select via the two tabs.

Your download request(s):

    By submitting below form you will receive links for your selected downloads.

    Your download request(s):

      For this type of documents, your e-mail address needs to be verified. You will receive the links for your selected downloads via e-mail after submitting below form.

      About Utimaco's Downloads

      Visit our Downloads section and select from resources such as brochures, data sheets, white papers and much more. You can view and save almost all of them directly (by clicking the download button).

      For some documents, your e-mail address needs to be verified. The button contains an e-mail icon.

      Download via e-mail

       

      A click on such a button opens an online form which we kindly ask you to fill and submit. You can collect several downloads of this type and receive the links via e-mail by simply submitting one form for all of them. Your current collection is empty.