In May 2025, the PCI SSC announced the publication of a list of entities that meet the PCI PIN standard. This listing – unlike the previous listings that were managed by the payment brands themselves, as was the case with VISA PIN – will be managed directly by the PCI SSC and will serve as a reference to validate whether an entity complies with the standard. Here we tell you the details.
Since the closure of the program PIN VISA in October 2023, the standard PCI PIN had been left in an "orphan" state, since the entities concerned had to continue to comply with the controls of the standard that applied to them, but the final reports (RoC / AoC) were not sent to the brands (as is usually done with the reports of standards that have associated a compliance program managed by payment brands), which was interpreted at the time as an announcement of the obsolescence of PCI PIN.
However, in May 2025 the PCI SSC resumed the reins of PCI PIN compliance management by announcing the creation of a list of vendors validated in PCI PIN:
PCI PIN Service Provider List: https://www.pcisecuritystandards.org/assessors_and_solutions/pin-service-providers/
It is a voluntary list (being on that list does not imply an obligation or affect compliance) that requires the payment of specific fees.
The added value of this listing is that the PCI SSC will review and validate the document Attestation of Compliance (AoC) of the entity, will also sign the AoC and publish the entry of the entity in the list of validated suppliers, upon payment of some fees already established:

Rates for the PCI PIN listing of the PCI SSC (cut to May 2025)
Process to enter the list of validated entities in PCI PIN
As indicated above, being on this list is not mandatory. However, if an entity wants to appear in this listing it must follow these steps:
-  Once the PCI PIN compliance assessment has been completed and the reports related to the entity have been delivered by the qualified PCI PIN advisor (Qualified PIN Assessor – QPA), the institution you can register on the PCI SSC website to apply for entry on the list or you can ask your QPA company to do so on your behalf.
- Once registered, the entity must accept the clauses described in the document Payment Card Industry PIN Service Provider Release Agreement (included in the PCI PIN registration form) and send the Attestation of Compliance (AoC) related.
- When the registration is done, it is necessary to pay the rates established.
- Once the payment is received, the PCI SSC proceeds with the review of the AoC and – if all is well – digitally signs the AoC.
- Having done this, the PCI SSC adds an entry in the list of suppliers validated in PCI PIN. The validity of this entry shall be 24 months, after which the process shall be restarted from point 3.

PCI SSC signature field in the new PCI PIN AoC
Additional topics to consider
As part of this process it is important to keep in mind the following topics:
- During the registration process, the PCI SSC does not review the content of the Report on Compliance (RoC) does not evaluate the work of the QPA. In fact, the RoC does not need to be shared with the PCI SSC.
- The PCI SSC will review the Attestation of Compliance (AoC) to confirm its completeness.
- Institutions may demonstrate compliance simply by being listed, as this process implies that the PCI SSC has previously reviewed its AoC.
- The validity of the entry in this list is 24 months (two years). Once this time has elapsed, the AoC must be returned to the PCI SSC and the associated fees paid.
- When the expiration date of a listed entity has passed, its expiration date will appear in color orange up to 90 calendar days. When the expiration date has exceeded 90 calendar days, the date will appear in color red to indicate that the institution has not been revalidated before its expiry.
- Due to the inclusion of a new field for the signature of the PCI SSC, the AoC of PCI PIN has undergone modifications, so it is advisable to always use the latest version that can be downloaded in the section Document Library from the PCI SSC website. The same happened with the document Qualified PIN Assessor (QPA) Program Guide.
Finally, it is important to keep in mind that the PCI PIN standard will be replaced in the medium term by the PCI PIN standard. Key Management Operations (KMO) – as announced in the PCI SSC event in Barcelona in 2024 – so this list is very likely to be complemented by entities that comply with KMO in the future. We'll keep you posted.