In a decision that has taken the entire payment media ecosystem by surprise, Visa announced that its PIN Security Program (Visa PIN Security Program) ended on 1 October 2023.

In a brief statement recently published on its corporate website, Visa announced that, from 1 October 2023, its PIN Security Program (Visa PIN Security Program) ceased to be active. Visa argues that this decision was made to allow it to focus its efforts on other, more critical risks to the payments ecosystem.

To understand the impact of this news, it is important to distinguish between the PCI PIN standard and the security program of each payment brand (in this case Visa):

  • On the one hand, the PCI PIN standard defines the security controls to be implemented for the secure management, processing and transmission of the Personal Identification Number (PIN) during payment transactions at ATMs and point-of-sale terminals (POS).
  • On the other hand, the security program of each payment brand establishes which entities are subject to assessment of these controls, the periodicity of these assessments and the potential fines in case of non-compliance and security incidents, among other points of an administrative nature.

With the end of the Visa PIN Security Program, the following activities are no longer mandatory:

  • It is no longer mandatory for entities to report PCI PIN compliance to Visa. Therefore, once the PCI PIN assessment has been completed, it is no longer necessary for the entity to send the compliance documents (Attestation of Compliance – PCI PIN AOC) to Visa, as was previously the case.
  • Visa will no longer maintain the list of PCI PIN validated entities in its list of service providers (Visa Global Registry of Service Providers).
  • The requirement to change assessor company (Qualified PIN Assessor Company – QPAC) after two (2) consecutive compliance assessments is no longer mandatory.
  • Expiration dates of point-of-interaction devices (Point-of-Interaction – POI) will be defined by the PCI PTS POI program and by the PCI PIN standard controls. Visa will no longer establish the periods of use, replacement and removal of such devices.

However, the following points remain in force after 1 October 2023:

  • PCI PIN compliance assessments are still required. In this regard, such assessments must continue to be carried out by a qualified security assessor (Qualified PIN Assessor – QPA); the use of self-assessment questionnaires is not allowed.
  • The period of validity of the PCI PIN assessment will continue to be 24 months.
  • Fines in case of non-compliance will remain applicable, in accordance with the Visa Core Rules and Visa Product and Service Rules documents.

The end of this program leaves the payment community with many questions about who is responsible for compliance management: without a central entity managing the process (such as the payment brands), without a list of validated entities, and without defined applicability criteria, PCI PIN compliance could suffer in the future.

At the moment, the Payment Card Industry Security Standards Council (PCI SSC) has not commented on it, and it is very likely that other payment brands that are part of the PCI SSC (including MasterCard) will make the same decision to abandon their PIN compliance programs in the short term.

It should be clarified that entities that have already been or are currently being assessed by a QPA must continue with their periodic validation processes as normal; they are not affected by this announcement.

Posted by David Acosta

Qualified Security Assessor (QSA) for PCI DSS, PCI PIN, PCI 3DS, P2PE and PCI TSP. CISSP, CISA, CISM, CRISC, C|EH, C|HFI.
