
The Green Sheet Online Edition

November 23, 2020 • Issue 20:11:02

Navigating PCI PIN security requirements

By John Cragg

The importance of security and compliance in the payments ecosystem cannot be overstated, nor can the complexity of the various security standards be taken lightly. Established standards should always be adhered to, but regulatory compliance is constantly evolving, so navigating it can be a major task. The Payment Card Industry (PCI) security standards are a set of standards and supporting resources intended to protect cardholder data throughout the world. Implementing them requires specific expertise and knowledge.

We often hear the term PCI DSS, which stands for the PCI Data Security Standard. It refers to a set of requirements applicable to data centers that process or handle cardholder data, particularly the primary account number.

The PCI DSS does not, however, protect PIN (personal identification number) blocks, so a PIN could still be compromised; hence, specific standards have been developed to protect this critical element. These are the PCI PIN Security Requirements set forth in the unified PCI PIN Standard, which is more stringent than the PCI DSS. The PCI PIN Security Requirements are intended for use by all issuers and acquirers, as well as any other companies that process electronic payments and are responsible for PIN transaction processing. Here I'll delve into the PCI PIN Standard and explore how compliant service providers can help financial institutions achieve the standard themselves.

Why adhere to PCI PIN Security Requirements?

The PCI PIN Standard, issued Jan. 21, 2020, incorporates the PCI PIN Security Requirements, which provide a set of standards for the secure management, processing and transmission of PIN data during online and offline card transactions. The requirements ensure that a cardholder's four-digit PIN (or six digits in some countries) remains encrypted throughout the whole payments system, so its confidentiality is protected at all times. A PIN is the main credential used to identify and authenticate the customer when completing a transaction, and at no point during the payments process should the PIN be exposed.

The PIN is an extremely sensitive piece of unique data and, if it is compromised along with the associated card details, fraudulent activity can occur, resulting in financial loss. Attacks on unsecured and outdated payment terminals are also increasing, so the standards are crucial.

The PCI PIN Security Requirements outline the procedures and equipment required to achieve the highest level of encryption. One critical element in securing the encryption of PINs is the use of payment hardware security modules (HSMs), which need to be used and managed in the right way. Payment HSMs perform functions such as key management and encryption of sensitive data. At each stage of the payments process the PIN is encrypted with a different key. The requirements therefore relate to:

  • Key management and cryptographic keys used for PIN encryption and decryption. Ensuring these are handled in an approved secure manner, including generating, storing and destroying the keys.
  • Procedures in place to detect and manage security events such as compromised keys. These procedures, roles and responsibilities must be documented, recorded, regularly reviewed and audited.

How do you become PCI PIN compliant?

First, to become compliant with PCI PIN Security Requirements, you must acquire payment HSMs. General-purpose HSMs do not support the specific cryptographic functions required. Your payment HSM needs to be certified to PCI HSM or FIPS 140-2 Level 3 or higher.

The PCI PIN Security Requirements comprise 33 requirements, categorized into seven control objectives. To successfully prove PCI PIN compliance, a Qualified PIN Assessor (QPA) will need to conduct an on-site assessment. The on-site assessment generally includes the following:

  • Gap analysis: Assessing the existing procedures and processes in place. This will include reviewing your environment, equipment and security controls.
  • Remediation: Remediating any gaps outlined by the QPA.
  • PCI PIN assessment: Conducting an on-site review to validate the PIN requirements. This can include interviews and a review of network diagrams, processes, policies and procedures.
  • Internal review: Completing an internal QA review process before issuing the PCI PIN Report on Compliance (ROC) and Attestation of Compliance (AOC), which can then be shared with other entities.

How can compliant service providers help?

Using a compliant service provider to host and manage certified payment HSMs can significantly reduce the scope and responsibilities of achieving compliance with PCI PIN Security Requirements. With this, the client saves valuable time, resources and costs, all of which are essential to any financial organization seeking competitive advantage, particularly fintech startups that need a helping hand to enter the hyper-competitive payments landscape.

To be more specific, the benefits of using a PCI PIN certified service include:

  • Simplified audits: The AOC from the service provider will dramatically reduce the number of auditor questions that must be answered by the security team, so audits will become less onerous.
  • Specialized skills to enhance security: Payment HSM skills are specialized and difficult to maintain when only rarely practiced, so outsourcing the HSM security to an expert service that works with HSMs every day can enhance security.
  • Shorter time to market: The manual processes of configuring an HSM, establishing a security team, and writing the policies and procedures required for certification and audit are all time consuming. Using a service avoids these, so the time to market of the payment solution can be substantially reduced.

It is also important to note that achieving PCI PIN compliance is not a one-off tick-in-the-box activity, but rather a continuous cycle of events. The recertification process happens every 24 months, but throughout the year standards and procedures have to be documented and evidenced.

And what happens if you are not compliant? You risk losing all trust and credibility, both of which are vitally important for established financial institutions and fintech startups alike. If your business is not compliant, you could also face financial penalties, and future investment may be hard to come by. Is it worth cutting corners? Certainly not.

John Cragg is CEO of MYHSM, a provider of payment HSM as a service. If you have a question you would like to ask John about MYHSM, Payment HSM as a Service or his role, please email info@myhsm.com.
