PCI PIN 3.0 and the PCI QPA program

New requirements for PIN security

Oct 15, 2020

Many of our clients are surprised to learn that in addition to their annual Payment Card Industry (PCI) Data Security Standard (DSS) compliance requirements, there are additional requirements for protecting the debit PINs (personal identification number) they process as well as associated cryptographic key management. These requirements are commonly referred to as PCI PIN security. 

The PCI PIN program outlines the security and procedural requirements for acquiring financial institutions (especially issuing banks and credit unions) and all organizations that manage or deploy PIN acceptance devices that process and accept cardholder PINs at ATMs, POS terminals or kiosks (e.g. encryption support organizations and key injection facilities). 

In the past, differing standards, such as the VISA PIN Security Program and ANSI X9 TR-39, made understanding and complying with disparate PIN security requirements a challenge. Additionally, there were limited requirements to become a Certified TG-3 Auditor, leading to varying levels of diligence among auditors. As a result of industry feedback, the PCI Security Standards Council (SSC) published version 3.0 of the PCI PIN security requirements in August 2018, integrating the predecessor standards into one common standard known as PCI PIN 3.0 and establishing the PCI Qualified PIN Assessor (QPA) program.

PCI PIN 3.0 requirements

PCI PIN 3.0 focuses on the secure management, processing and transmission of PIN data during online and offline payment card transaction processing. Seven control objectives specify 33 requirements for the secure handling and management of keys and equipment used in these transactions:

  • Control Objective 1: PINs used in transactions governed by these requirements are processed using equipment and methodologies that ensure they are kept secure
  • Control Objective 2: Cryptographic keys used for PIN encryption, decryption and related key management are created using processes that ensure that it is not possible to predict any key or determine that certain keys are more probable than other keys
  • Control Objective 3: Keys are conveyed or transmitted in a secure manner
  • Control Objective 4: Key-loading to Hardware Security Modules (HSMs) and Point of Interaction (POI) PIN-acceptance devices is handled in a secure manner
  • Control Objective 5: Keys are used in a manner that prevents or detects their unauthorized usage
  • Control Objective 6: Keys are administered in a secure manner
  • Control Objective 7: Equipment used to process PINs and keys is managed in a secure manner

PCI PIN compliance requirements are determined by the payment brands, networks and acquirers. This includes requirements for the use of QPAs as well as frequency and reporting requirements, such as a PIN Attestation of Compliance (AOC). 

Companies required to comply include all organizations that manage or deploy PIN acceptance devices that process and accept cardholder PINs at ATMs, POS terminals or kiosks. Also included are organizations that support these operations via key management, including encryption support organizations, key injection facilities and all organizations that perform key management activities in support of PIN processing. This includes companies using asymmetric cryptography via remote distribution and certificate authorities.

What is the PCI QPA program?

The PCI SSC recently launched a program to train and certify security professionals based on the PCI PIN Security Standard. The PCI QPA program provides a new, unified standard certification and list of approved assessor companies for assessing PIN security. RSM was recently certified as a PCI QPA and is officially listed on the PCI website. QPA companies can perform your PIN assessment, Report on Compliance (ROC) and Attestation of Compliance (AOC). 

The PCI PIN ROC is a detailed report produced through an onsite assessment as part of the PCI PIN validation process, providing details of your organization’s environment, assessment methodology and compliance status for each control requirement. The PCI PIN AOC includes details on the assessed organization, compliance status and a summary of the assessment—with a formal signoff by the QPA.

The PCI program has undergone these changes to keep up with evolving demand, streamline processes and ultimately provide robust protection for payment card data. You must ensure that your processes have kept pace with continued revisions to the framework to remain compliant with the new standard.