preloader
Information Quality
Information Quality

PCI PIN /

IF THE PIN

is the primary credential used to identify and authenticate the customer when completing a transaction…

it is a unique and extremely sensitive data that must be protected.

Have you ever wondered what security measures your institution has in place to secure the PIN of users' cards when they pay at a supermarket, in a restaurant or make withdrawals at an ATM?

Is your PIN secure? How is the transmission? What security measures have been implemented?. The PIN (card identification number) is a unique and extremely sensitive piece of data that, if compromised with the associated card details, can result in fraudulent activity leading to financial loss.

This is what PCI PIN Security Requirements does. It is a PCI standard that covers PIN security for online and offline payment transactions at ATMs and point-of-sale (POS) terminals, allowing you to manage the secure processing and transmission of PINs.

PCI PIN Security Requeriments

ATMs more than just providing cash and enabling transactions should provide value and confidence to your customers.

As an electronic device, the Automated Teller Machine (ATM) allows you to make financial transactions more convenient and reliable for your customers. They are machines that deliver and receive money, that work activated by a card and a personal secret code, that identify the owner of the account and therefore allow users to complete basic and marginally advanced payment transactions by reading and processing the PIN (4 digits) of the card holder for security.

At ATMs, once the user enters the PIN, it is encrypted and sent to the card issuing bank. On the PIN's way to the issuing bank it is decrypted and encrypted with the appropriate keys at each hop until it reaches the issuer.

Catos del PIN, llaves de cifrado

What are the objectives of PCI PIN?

  • Identify the minimum security requirements for PIN-based exchange transactions.
  • Describe the minimum acceptable requirements for securing PIN data and encryption keys.
  • Assist all participants in the payment system in establishing measures to ensure that the PIN is not compromised.

Stakeholders involved in PCI PIN compliance

Who is PCI PIN compliant?

Businesses that must comply with PCI PIN security requirements are those that manage or use devices that process and accept cardholder PINs:

  • The PCI PIN standard is mandatory for all acquirers and those responsible for processing payment card PIN transactions for PCI SSC branded cards (VISA, MasterCard, AMEX, Discover and JCB).
  • These companies may be related to institutions that have installed ATMs, Point of Sale (POS) terminals or payment kiosks.
  • Organizations that provide key management services, especially in the form of encryption support or injection facilities, should pay close attention to their PCI PIN compliance status.
  • Companies using asymmetric cryptography through certification authorities and remote distribution (service providers).
requisitos de seguridad del PIN de PCI

If POS is part of the business solution and the gateway to reach customers to accept card payments...

must comply with PCI PIN security requirements. The purpose of a PIN assessment is to evaluate whether an organization is securely delivering PIN encryption on its transactions, such as POS devices, where customers enter their PINs.

A PIN is the main credential used to identify and authenticate the customer when completing a transaction...

and at no time during the payment process should the PIN be exposed. The PCI PIN security requirements describe a set of standards for the secure management, processing and transmission of PIN (Personal Identification Number) data during online and offline card transactions.

The requirements ensure that the cardholder's 4-digit PIN remains encrypted across all payment systems, so confidentiality must be protected at all times.

Requisitos de seguridad PCI PIN

What are the risks covered by PCI PIN?

These are all those arising from the management, processing and transmission of payment card PINs during the processing of online and offline transactions through ATMs and POS.

HOW DO WE DO IT?

Cumplimiento y definición del alcance en PCI PIN
01

Compliance and definition of SCOPE:

The first step in performing a PIN assessment is to efficiently determine the scope by identifying all locations where operations supporting the transaction process are performed in the defined stakeholder environment and to identify all encryption keys used for PIN acquisition and processing.

GAP, PCI PIN
02

GAP Analysis

The first step to comply with PCI PIN requirements is to perform an analysis of the company's processes involving PIN, key injection and encryption key management processes, etc.

The GAP evaluates the organization's processes, roles involved and technologies and compares them with the requirements of the PCI PIN standard in order to identify the existing gap in order for the organization to define action plans to close it.

03

Implementation of the Action Plan

In the implementation of the action plan, the organization closes the findings in processes, technology and execution of activities by the personnel involved.

IQ-Information Quality supports the closure process with the support of our experts with recommendations to ensure that the implemented by the organization meets the requirements of the standard.

04

PCI PIN Compliance Certification Audit

Information Quality as QPA, in the audit process verifies, through technical and procedural reviews, that the requirements established in PCI PIN are being met.

The AOC (Attestation of Compliance) and the ROC (Report on Compliance) of the PCI PIN standard are delivered. If findings are identified, a deadline for their closure is defined and they are validated to proceed to the issuance of compliance documents.

How is the PCI PIN standard organized?

The standard was created in September 2011, and sets out, divided into 7 control objectives, 32 security requirements that acquiring institutions and those responsible for processing payment card PIN transactions must meet.

Qualified Security Assessor
QPA Program

¿PCI DSS ó PCI PIN?

PCI DSS applies to all entities that store, process or transmit PAN (Personal Account Number) card data. This standard applies to merchants and service providers: issuers, processors, call centers, payment gateways, SOCs, data centers and others.

PCI PIN involves all entities that acquire, process or transmit the PIN. It includes acquirers and service providers involved with key injection or certificate authorities. The PCI PIN standard does not apply to merchants or issuers.

Your mission:

Start your PCI,PIN compliance evaluation NOW by starting to protect your customers' information

I ACCEPT THE MISSION!