By John Cragg
Security and compliance in the payments ecosystem cannot be underestimated, nor can the complexity of the various security standards be taken lightly. Established standards should always be adhered to, but regulatory compliance is constantly evolving, so navigating it can be a major task. Payment Card Industry (PCI) security standards are intended to outline the multiple security standards and resources set to protect cardholder data throughout the world. Implementing these standards requires specific expertise and knowledge.
We often hear the term PCI DSS which stands for the PCI Data Security Standard. It refers to a set of standards applicable to data centers that process or handle cardholder data, particularly the primary account number.
The PCI DSS does not, however, protect PIN (personal identification number) blocks, so a PIN could still be compromised; hence, specific standards have been developed to protect this critical element. These are the PCI PIN Security Requirements set forth in the unified PCI PIN Standard, which is more stringent than the PCI DSS. PCI PIN Security Requirements are intended for use by all issuers, acquirers, as well as any other companies processing electronic payments and are responsible for PIN transaction processing. Here I'll delve into the PCI PIN Standard and explore how compliant service providers can help financial institutions achieve the standard themselves.
The PCI PIN Standard, issued Jan. 21, 2020, incorporates the PCI PIN Security Requirements, which provides a set of standards for secure management, processing and transmission of PIN data during online and offline card transactions. The requirements ensure a cardholder's four-digit PIN (or six digits in some countries) remains encrypted throughout the whole payments system, so confidentiality is protected at all times. A PIN is the main credential used to identify and authenticate the customer when completing a transaction, and at no point during the payments process should the PIN be exposed.
The PIN is extremely sensitive piece of unique data and, if it is compromised along with associated card details, fraudulent activity can occur, resulting in financial loss. Also, attacks are increasing on unsecured and outdated payment terminals, so the standards are crucial.
PCI PIN Security Requirements outline the procedures and equipment required to achieve the highest level of encryption. One critical element required for securing the encryption of PINs is the use of payment hardware security modules (HSMs), which need to be used and managed in the right way. Payment HSMs are used for functions such as key management and encryption of sensitive data. During each stage of the payments process the PIN is encrypted with a different key. Therefore, the requirements relate to:
First, to become compliant with PCI PIN Security Requirements, you must acquire payment HSMs. General-purpose HSMs do not support the specific cryptographic functions required. Your payment HSM needs to be certified to PCI HSM or FIPS 140-2 Level 3 or higher.
The PCI PIN Security Requirements comprise of 33 requirements, categorized as seven control objectives. To successfully prove PCI PIN compliance, a Qualified PIN Assessor (QPA) will need to conduct an on-site assessment. The onsite assessment generally includes the following:
Using a compliant service provider to host and manage certified payment HSMs can significantly reduce the scope and responsibilities of achieving compliance with PCI PIN Security Requirements. With this, the client saves valuable time, resources and costs, all of which are essential to any financial organization seeking competitive advantage, particularly fintech startups that need a helping hand to enter the hyper-competitive payments landscape.
To be more specific, the benefits of using a PCI PIN certified service include:
It is also important to note that achieving PCI PIN compliance is not a one-off tick-in-the-box activity, but rather a continuous cycle of events. The recertification process happens every 24 months, but throughout the year standards and procedures have to be documented and evidenced.
And what happens if you are not compliant? You risk losing all trust and credibility, both of which are vitally important for established financial institutions and fintechs startups alike. If your business is not compliant, you could also be faced with financial penalties, and future investment may be hard to come by. Is it worth cutting corners? Certainly not.
John Cragg is CEO of MYHSM, a provider of payment HSM as a service. If you have a question you would like to ask John about MYHSM, Payment HSM as a Service or his role, please email firstname.lastname@example.org.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next