The PCI PIN Standard includes security requirements to protect Personal Identification Numbers (PINs).
The purpose of a PCI PIN assessment is to verify that an organization securely manages, processes, and transmits PIN data during online and offline payment card transactions.
SC2labs provides PCI PIN validation services as a Qualified PIN Assessor (QPA) certified by the PCI Security Standards Council.
In general, the requirements of the PCI PIN standard must be met by all organizations, and their supporting third parties, that accept or process transactions from ATMs or point-of-sale terminals on the acquiring side. This applies in particular to banks, payment providers and network operators.
According to the card brands' requirements, service vendors operating Key Injection Facilities (KIFs) or Certification Authorities are subject either to a Self-Assessment Questionnaire or to an assessment completed by a PCI SSC Qualified PIN Assessor (QPA). Likewise, all acquiring institutions and their agents (e.g., key-injection facilities and certificate processors) responsible for PIN transaction processing on the payment card industry participants' denominated accounts are required to complete a Self-Assessment Questionnaire or a full audit by a PCI SSC Qualified PIN Assessor (QPA).
Organizations are required to have an on-site assessment conducted by a Qualified PIN Assessor (QPA) every two years.
Version 3.1 of the PCI PIN requirements is organized into seven logically related groups, referred to as "Control Objectives", which together define 33 requirements. These requirements are intended for use by all acquiring institutions and agents responsible for PIN transaction processing on the payment card industry participants' denominated accounts and should be used in conjunction with other applicable industry standards.
Control Objectives:
1. PINs used in transactions governed by these requirements are processed using equipment and methodologies that ensure they are kept secure.
2. Cryptographic keys used for PIN encryption/decryption and related key management are created using processes that ensure it is not possible to predict any key or to determine that certain keys are more probable than others.
3. Keys are conveyed or transmitted in a secure manner.
4. Key-loading to HSMs and POI PIN-acceptance devices is handled in a secure manner.
5. Keys are used in a manner that prevents or detects their unauthorized usage.
6. Keys are administered in a secure manner.
7. Equipment used to process PINs and keys is managed in a secure manner.
https://www.pcisecuritystandards.org/documents/PCI_PIN_Security_Requirements_Testing_v3_1.pdf?agreement=true&time=165504202466