Do You Need to Adhere to PCI PIN Security Requirements?

PCI SSF software security framework

Few writings around the PCI PIN compliance subject illustrate whether a company needs to adhere to the PCI PIN security requirements. In principle, any organization across the cardholder PIN processing lifecycle must comply to PCI PIN standards. Here is helping you understand if you must.

Scope of PCI PIN Compliance

Generally, companies that must comply to the PCI PIN security requirements are the ones that manage or utilize devices that process and accept cardholder PINs. These companies can be related to institutions that have installed ATMs, Point of Sale (POS) terminals or payment kiosks. In addition, organizations that provide key management services, especially in the form of encryption support or injection facilities, must pay close attention to their PCI PIN compliance status. Equally important are the companies using asymmetric cryptography via remote distribution and certificate authorities.

But this is really not the answer you were looking for. Do you need to adhere to PCI PIN security requirements? The answer to this question must be neat, accurate, and instructive – knowledge that will help you understand if you should be mindful of the seven control objectives that specify 33 security and procedural requirements for you to be compliant to the PCI PIN requirements.

Thus, we have detailed down on each category of the entity type to help you confirm if you must adhere to the PCI PIN security requirements.

PIN Acquirer Payment Processing – POS

Point of Sale (POS) device is a simple, compact processing system for accepting card payments in retail or trade circumstances. Companies that design and develop such portable POS devices fall under the PIN acquirer payment processors list. Such companies must adhere to the PCI PIN security requirements for compliance. Many leading banks across the globe provide such POS devices as a part of their merchant and gateway solutions. Few names are HDFC, ICICI, Paytm, Verifone, etc. So, if your company uses such POS devices that process cardholder PIN, you must adhere to the PCI PIN security requirements.

PIN Acquirer Payment Processing – ATM

An Automated Teller Machine (ATM) is an electronic banking machine that allows users to complete basic and marginally advanced payment transactions by reading and processing the cardholder PIN for security. Such developers of ATMs use a PIN translation concept in the systems that ensure point to point encryption. After reaching the ATM interface at the acquiring bank Switch, a payment card PIN is encrypted into a new output key through a Hardware Security Module (HSM). This use of an HSM in an ATM system mandates the PCI PIN compliance for an ATM developer. FIS, Diebold and NCR Corporation are a few popular names that develop ATM machines.

Remote Key Distribution Using Asymmetric Keys – Operations

While POS and ATMs are hardware devices that are commonly seen processing cardholder PIN, the backend operations are carried out by entities for key distribution. Such processes have helped banks replace expensive human efforts with network verified transactions. These are new methods provided by operation specialists that use public key cryptography to load keys remotely. Such entities have been able to install new keys by sending them in a coded format under a previously installed Key Encryption Keys (KEK). Such operations are held with key-usage restrictions for different cryptographic architectures such as encrypting data, encrypting keys, or message authentication codes. In practice, if your company is involved in the ATM Remote Key Loading (ATM RKL) process to securely transport the Terminal Master Keys (TMKs) from the ATM Host to the ATM locations based on asymmetric encryption (EPP Key), you must adhere to the PCI PIN security requirements.

Certification and Registration Authority Operations

An encryption key lifecycle is the process that conveys the cardholder PIN securely. However, in a pre-operational phase where the key is not yet generated for cryptographic process, the user registration considers a Registration Authority to create an association with security level that generates a secret parameter through HMAC (keyed-hash message authentication code), PIN or password. Service providers with Public Key Infrastructure, authentication servers, digital tokens and secured SMS messages fall under this category and must comply to the PCI PIN security requirements.

Key Injection Facilities

Card processing terminals won’t function without the injection of encryption keys dedicated to the various payment brands. The Key Injection Facility is the controlled system for electronic payment terminals (POIs) with stringent security measures made with tools and defined operating procedures. If your company provides such Key Injection facilities for any kind of payment card processing terminal such as ID Tech, Ingenico, Verifone or HDFC, you must adhere to the PCI PIN security requirements.

Other Entities

As the world evolves with digital innovation, so does the payments landscape. With breakthroughs in technologies like cloud and IoT, access to payment processing is changing rapidly. Such is the scale that there is a new feature to be seen every day. To keep the security levels upright, PCI SSC has not limited the scope of the PCI PIN compliance requirements. It briefly covers organizations that manage, process, or transmit cardholder PIN data. So, even if a company doesn’t fall under any one category as listed above but exclusively relates to a third-party relationship with an entity that participates in the PIN processing lifecycle, must as well adhere to the PCI PIN security requirements. For instance, a smartwatch developer that seeks to incorporate card payment using electronic sensing might have to comply to the PCI PIN standards.

Prajwal Ramakrishne Gowda
Prajwal is working as a Sr. Consultant and Lead Trainer with SISA.