In this new article of the "What is it?" series we give a brief introduction to the Payment Card Industry (PCI) PIN Security standard (PCI PIN), which focuses on the protection of the personal identification number (PIN) in face-to-face transactions.
Introduction
The Payment Card Industry (PCI) PIN Security standard (PCI PIN) is a security standard that establishes the requirements for the secure management, processing and transmission of the personal identification number (PIN) during the processing of online and offline payment transactions at ATMs and unattended point-of-sale (POS) terminals. This document belongs to the PCI PIN Transaction Security (PTS) family of standards, which also includes PCI HSM (Hardware Security Module) and PCI POI (Point of Interaction).

Family of PCI PTS standards (PCI HSM, PCI PTS POI and PCI PIN)
The objectives of this standard are:
- Identify minimum security requirements for PIN-based interchange transactions.
- Describe the minimum acceptable requirements for securing PIN data and encryption keys.
- Assist all participants in the retail payment system in establishing guarantees that cardholder PIN data is not compromised.
The current version is 3.1, published in March 2021.
Origin
Like the vast majority of the standards currently managed by the PCI Security Standards Council (PCI SSC), the PCI PIN standard originates in the Visa PIN security program. In 1995 Visa developed its own set of security controls, which it called the Visa PIN Security Requirements, and whose fulfillment was framed within the PIN Security and Key Management program. That program listed the types of entities that had to comply and its requirements, including the form of compliance reporting (a self-assessment questionnaire (PCI PIN SAQ) or an on-site review by an approved auditor).
In 2011 the PCI Security Standards Council (PCI SSC) adopted the Visa PIN security requirements as the reference for developing the first version of the PCI PIN standard, called PCI PIN Security Requirements. The new standard was supported by ANSI (American National Standards Institute), which, through its X9.24 working group, already had extensive experience in standardizing security controls for the protection of financial transactions, especially with Parts 1, 2 and 3 of X9.24 (Retail Financial Services Symmetric Key Management). From that moment on, all the payment brands associated with the PCI SSC (Visa, Mastercard, AMEX, JCB and Discover) began to use this standard to protect the PIN data of their cards.
Version 2.0 of the PCI PIN Security Requirements was published in 2014. In August 2018 the PCI SSC released version 3.0 of the standard. That same year Visa discontinued the use of self-assessment questionnaires (SAQ) for reporting compliance with PIN security controls.

Finally, as of 2019 formal PCI PIN compliance assessments must be performed exclusively by Qualified PIN Assessors (QPA).
Who must comply with PCI PIN?
Compliance with the PCI PIN standard is mandatory for all acquiring institutions and agents responsible for processing PIN transactions for cards of the PCI SSC brands (Visa, Mastercard, AMEX, Discover and JCB), including key injection facilities (KIF), entities that distribute symmetric keys using asymmetric keys (remote key distribution), and entities that offer certification authority (CA) operation services for those purposes. The standard should be used in conjunction with the other applicable industry standards (PCI DSS, PCI P2PE, etc.).
However, each payment brand manages its own compliance program. For example, the Visa PIN program remains valid from the perspective of managing the entities subject to compliance, but instead of relying on Visa's own security requirements it is now based on the controls of the PCI PIN standard.
Note: On 1 October 2023 the Visa PIN security programme ceased to be valid. More information in the article "Visa reports that its PIN security programme ended on 1 October 2023".
How is the PCI PIN standard organized?
Starting with version 3.0 of the standard, the PCI SSC has chosen to combine the security requirements ('PIN Security Requirements') and the test procedures ('Test Procedures') into a single document, whereas previous versions kept them as separate documents. The standard was accordingly renamed PIN Security Requirements and Testing Procedures.
One of the most significant changes in this version is the reorganisation of the requirements into three main groups, each subdivided into 'Control Objectives':
- Transaction Processing Operations: Formerly referred to as the "PIN Security Requirements", this set of controls applies to any entity involved in acquiring and/or processing PIN-based transactions.
- Normative Annex A – Symmetric Key Distribution using Asymmetric Keys: Specific requirements for acquiring entities that implement symmetric key distribution using asymmetric keys (remote key distribution), and for entities that offer certification authority (CA) operation services for those purposes. Its applicability depends on the tasks performed by the entity concerned:
- An acquiring entity that also performs remote key distribution functions is subject to the controls of the 'Transaction Processing Operations' group and to the controls in Annex A.
- Service providers or manufacturers of point-of-interaction (POI) or HSM devices that operate key distribution systems on behalf of an acquiring entity must comply with all the controls in Annex A.
- Normative Annex B – Key-Injection Facilities: Requirements for entities operating acquirer key injection services on devices used for PIN data capture.
- Normative Annex C – Minimum and Equivalent Key Sizes and Strengths for Approved Algorithms: Describes the algorithms and key lengths that can be used in PIN transactions, aligned with NIST SP 800-57 Part 1.
At this point it should be noted that the PCI PIN standard specifies controls only on keys linked to processes that specifically affect the PIN. Any key used to protect other card data (the PAN, for example) or used for MAC functionality is outside the scope of the document.
On the other hand, depending on the tasks it performs, each entity may be subject to the requirements of different sections or to the full standard. Appendix A of the standard includes a new matrix indicating the applicability of each requirement according to the work carried out.
The list of changes between versions 3.0 and 3.1 can be found in the document PIN Security Requirements and Testing Procedures: Summary of Changes.
Deadlines for the withdrawal of fixed 3DES (TDES) keys for PIN encryption and for support of PIN block format 4:
In this version of the standard the following deadlines have been stipulated for the use of fixed 3DES (TDES) keys for PIN encryption and for the use of PIN block format 4 (ISO PIN block format 4):
- From 1 January 2023, fixed 3DES (TDES) keys used for PIN encryption are no longer allowed at points of interaction (POI) or on host-to-host connections.
With the release of PCI PIN v3.1 in March 2021, the stipulated dates for ISO Format 4 PIN block (AES) support were suspended until further notice.
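To make the difference between the TDES-era PIN block and the AES format concrete, the following is an added example (not code from the article or from the PCI SSC) that builds the plaintext fields of ISO 9564-1 PIN block format 0 and format 4 and shows the two-step enciphering that format 4 prescribes (encrypt the PIN field, XOR with the PAN field, encrypt again). The block cipher is passed in as a callable so the layout logic runs without a particular AES library; in a real deployment the enciphering happens inside the secure cryptographic device and the key never reaches host code. The PAN 4111111111111111 and the zeroed random bytes used for the deterministic check are constructed test values.

```python
"""Added example: ISO 9564-1 PIN block format 0 (TDES era) and format 4 (AES)."""
import os
from typing import Callable, Optional

# A 16-byte single-block encryption, e.g. AES-ECB of one block under the PIN key.
# Injected as a parameter (assumption of this example) so the layout can be tested offline.
BlockCipher = Callable[[bytes], bytes]


def _check_pin(pin: str) -> None:
    """ISO 9564 PINs are 4 to 12 decimal digits; the length is encoded as one hex nibble."""
    if not (pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4 to 12 decimal digits")


def pan_12_digits(pan: str) -> str:
    """Rightmost 12 PAN digits excluding the check digit (formats 0 to 3), zero-padded on the left."""
    if not (pan.isdigit() and len(pan) >= 2):
        raise ValueError("PAN must be decimal digits")
    return pan[:-1][-12:].rjust(12, "0")


def format0_plain_block(pin: str, pan: str) -> bytes:
    """Format 0: (control 0, PIN length, PIN digits, 'F' fill) XOR (0000 + 12 PAN digits).
    This 8-byte block is what a fixed or per-transaction TDES key would encrypt."""
    _check_pin(pin)
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    pan_field = "0000" + pan_12_digits(pan)
    return bytes(a ^ b for a, b in zip(bytes.fromhex(pin_field), bytes.fromhex(pan_field)))


def format4_pin_field(pin: str, random_bytes: Optional[bytes] = None) -> bytes:
    """Format 4 plaintext PIN field (16 bytes): control nibble 4, PIN length nibble,
    PIN digits, 'A' fill up to nibble 16, then 8 random bytes."""
    _check_pin(pin)
    rnd = os.urandom(8) if random_bytes is None else random_bytes
    if len(rnd) != 8:
        raise ValueError("format 4 needs exactly 8 random bytes")
    header = f"4{len(pin):X}{pin}".ljust(16, "A")
    return bytes.fromhex(header) + rnd


def format4_pan_field(pan: str) -> bytes:
    """Format 4 PAN field (16 bytes): length control nibble (PAN length minus 12, 0..7),
    the PAN digits, zero padding to 32 nibbles. PANs under 12 digits are left-padded with zeros."""
    if not (pan.isdigit() and len(pan) <= 19):
        raise ValueError("PAN must be decimal digits, at most 19")
    pan = pan.rjust(12, "0")
    control = len(pan) - 12
    return bytes.fromhex(f"{control:X}{pan}".ljust(32, "0"))


def format4_encrypt(pin: str, pan: str, aes_encrypt_block: BlockCipher,
                    random_bytes: Optional[bytes] = None) -> bytes:
    """Format 4 enciphering: block A = E_K(PIN field); block B = A XOR PAN field; output = E_K(B)."""
    block_a = aes_encrypt_block(format4_pin_field(pin, random_bytes))
    if len(block_a) != 16:
        raise ValueError("block cipher must return 16 bytes")
    block_b = bytes(x ^ y for x, y in zip(block_a, format4_pan_field(pan)))
    return aes_encrypt_block(block_b)


if __name__ == "__main__":
    # Constructed values for illustration only.
    print("format 0 plaintext block:", format0_plain_block("1234", "4111111111111111").hex())
    print("format 4 PIN field      :", format4_pin_field("1234").hex())
    print("format 4 PAN field      :", format4_pan_field("4111111111111111").hex())
```

Note that format 4 binds the PAN into the block after the first encryption and carries 8 random bytes, so the same PIN and PAN never produce the same enciphered block; format 0 is deterministic for a given PIN and PAN, which is one reason the migration to AES and format 4 matters.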
Deadlines for the implementation of key blocks for symmetric encryption keys:
Similarly, the following dates have been defined for handling symmetric encryption keys in "key blocks" (additional controls that protect the integrity of encryption keys):
- Phase I: Key block functionality must be implemented for all internal connections and key storage within service provider environments (this may include all applications and databases connected to the HSM). Effective date: 1 June 2019.
- Phase II: Key block functionality must be implemented for all external connections to associations and networks. Effective date: 1 January 2023.
- Phase III: Key blocks must be extended to all merchant hosts, point-of-sale terminals (POS) and ATMs. Effective date: 1 January 2025.
More information about key blocks can be found in the article "The Ultimate Guide to Cryptographic Key Blocks".
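The dates above and the TDES withdrawal date are easiest to apply when run against the key inventory the standard requires (name, use, algorithm and length, see the additional considerations at the end of the article). The following added example, which is not the article's or the PCI SSC's code, does exactly that: it takes a small inventory of constructed key records, maps each key to one of the three key-block phases through an assumed `scope` field (internal, external or merchant), and reports which keys would be non-compliant on a given assessment date. The record layout, the scope taxonomy and the sample key names are assumptions of this example.

```python
"""Added example: checking a key inventory against the PCI PIN TDES and key-block deadlines."""
from dataclasses import dataclass
from datetime import date
from typing import List

# Effective dates as quoted in the article.
TDES_FIXED_PIN_KEYS_BANNED = date(2023, 1, 1)   # fixed TDES PIN keys at POI and host-to-host
KEY_BLOCK_PHASE_DATES = {
    "internal": date(2019, 6, 1),   # Phase I: internal connections and key storage (service providers)
    "external": date(2023, 1, 1),   # Phase II: external connections to associations and networks
    "merchant": date(2025, 1, 1),   # Phase III: merchant hosts, POS terminals and ATMs
}


@dataclass(frozen=True)
class KeyRecord:
    """One inventory row. 'scope', 'fixed_key' and 'endpoint' are assumed extra columns."""
    name: str
    use: str            # e.g. "PIN encryption", "key encryption"
    algorithm: str      # "TDES" or "AES"
    length_bits: int
    scope: str          # "internal", "external" or "merchant" (maps to the key-block phases)
    fixed_key: bool     # static key, as opposed to a key unique per transaction
    endpoint: str       # "POI", "host-to-host", "HSM", ...
    in_key_block: bool  # stored and exchanged as a key block


def check_key(rec: KeyRecord, as_of: date) -> List[str]:
    """Return the findings for one key on the assessment date (empty list means compliant)."""
    findings = []
    if (rec.algorithm == "TDES" and rec.fixed_key and rec.use == "PIN encryption"
            and rec.endpoint in ("POI", "host-to-host") and as_of >= TDES_FIXED_PIN_KEYS_BANNED):
        findings.append(f"{rec.name}: fixed TDES PIN-encryption key at {rec.endpoint} "
                        f"not allowed since {TDES_FIXED_PIN_KEYS_BANNED}")
    deadline = KEY_BLOCK_PHASE_DATES.get(rec.scope)
    if deadline is None:
        findings.append(f"{rec.name}: unknown scope '{rec.scope}', cannot map to a key-block phase")
    elif not rec.in_key_block and as_of >= deadline:
        findings.append(f"{rec.name}: not handled as a key block; {rec.scope} phase deadline {deadline} passed")
    return findings


def check_inventory(inventory: List[KeyRecord], as_of: date) -> List[str]:
    """Run check_key over the whole inventory and return all findings, sorted by key name."""
    return sorted(f for rec in inventory for f in check_key(rec, as_of))


# Constructed sample inventory (names and values are made up for this example).
SAMPLE_INVENTORY = [
    KeyRecord("ZPK-ACQ-01", "PIN encryption", "TDES", 112, "external", True, "host-to-host", True),
    KeyRecord("BDK-POS-07", "PIN encryption", "AES", 128, "merchant", False, "POI", False),
    KeyRecord("ZMK-HSM-03", "key encryption", "AES", 256, "internal", True, "HSM", False),
]


def run_sample(as_of_iso: str) -> List[str]:
    """Convenience entry point: findings for the sample inventory on an ISO date such as '2024-06-01'."""
    return check_inventory(SAMPLE_INVENTORY, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for finding in run_sample("2024-06-01"):
        print(finding)
```

Run on 1 June 2024 the sample reports the fixed TDES PIN key on the host-to-host link and the internal AES key that is still not in a key block; the merchant-scope key only becomes a finding once Phase III takes effect on 1 January 2025. The check deliberately treats an unmapped scope as a finding rather than silently passing it, since a key the inventory cannot place is exactly the kind of gap an assessment would ask about.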
Who can perform a formal PCI PIN compliance assessment?
Formal PCI PIN compliance assessments can only be performed by PCI SSC-approved Qualified PIN Assessors (QPA).
The list of approved advisors can be found on the PCI SSC website: https://www.pcisecuritystandards.org/assessors_and_solutions/qpa_assessors
Other additional considerations
Finally, the standard establishes the following additional criteria:
- All entities affected by the standard must maintain an inventory of all cryptographic keys used in the environment, including each key's name, use, algorithm and length, as well as a network flow diagram to facilitate the review of the security requirements.
- The use of personal computers for key loading, where clear-text secrets and/or private keys and/or their components may exist in unprotected memory outside the security perimeter of the secure cryptographic device (SCD), is planned to be withdrawn at a future date.
- The injection of clear-text secret or private key material into an SCD is likewise planned to be withdrawn at a future date; only the injection of encrypted keys will be allowed.
- For certain models or updates of POI devices, the payment brands themselves define the deployment criteria and the expiry and replacement periods of this equipment in the field, in accordance with the PCI PTS standard.
- It is important to clarify that the brands (not the PCI SSC) are responsible for defining and managing the compliance programs associated with this standard; each brand therefore stipulates the compliance dates, fines and reporting format, as well as the lists of companies that can perform formal assessments of compliance with the standard.