What are the PCI PIN security standards?
The PCI PIN Security Standards are the requirements developed by the Payment Card Industry Security Standards Council, a global forum focused on payment security, for protecting PIN data. The PCI PIN Standard sets out requirements for the management, processing, and transmission of PIN data, providing the necessary protection for POS devices and terminals.
What is the difference between PCI DSS and PCI PIN?
While PCI DSS covers the protection of cardholder data that is stored, processed, and transmitted by merchants or service providers, the PCI PIN standard addresses the physical and logical security of PINs and applies to service providers that acquire, process, store, or transmit PIN-based transactions. PCI PIN Transaction Security (PCI PTS) is further classified as:
- PCI PTS PIN – Assessed by a QPA
- PCI PTS HSM – Evaluated by PTS laboratories
- PCI PTS POI – Evaluated by PTS laboratories
The goal of PCI PIN is to protect against PIN-related threats such as device tampering, non-compliant hardware, lack of equipment control, improper key management practices, ATM/POI malware, visual compromise, PIN logging, weak PIN block controls, and weak or test keys, which could affect Point of Interaction (POI) devices, acquirers and interchange switches, and related service providers.
What is the PCI PIN Assessment service?
A PCI PIN Assessment is the process of assessing whether an organization is securely managing, processing, and transmitting PIN data during online and offline payment card transactions. The assessment covers the encryption and key management of PIN transactions, as well as the secure management of operating equipment. It also focuses on the security of sensitive PIN data across enterprise POS devices and terminals, including attended and unattended payment terminals.
Who requires PCI PIN Assessment?
A PCI PIN Security Assessment is mandatory for organizations involved in PIN transaction processes, such as:
Entities acting on behalf of acquiring organizations, or managing cryptographic keys associated with PIN-based payments, also need to consider a PCI PIN assessment.
Organizations involved in encryption management services also fall under the PCI PIN security standard, such as:
- Certificate and registration authorities (CAs and RAs)
- Key injection facilities (KIFs)
- Independent Sales Organizations (ISOs)
- Encryption Service Organizations (ESOs)
In addition, the scope of a PCI PIN Assessment includes any entity directed by a participating payment brand to perform a PIN Security Assessment.
Issuers are generally out of scope for a PCI PIN Assessment, unless they are also involved in acquiring services.
When is a PCI PIN reassessment required?
Organizations require a PCI PIN Assessment every two years to keep their PIN data managed to a secure level.
What is the approach for PCI PIN Assessment?
- Information gathering
The initial phase of a PCI PIN Assessment is information gathering. Experts identify all the required attributes and details of the entity's card processing environment. This phase consolidates the PCI scope, helping reduce the time and cost of implementation.
- Defining the scope
This phase identifies all components of the enterprise that fall under PCI PIN requirements, and establishes project timelines, roles and responsibilities, and budget allocation for the entire implementation.
- Gap Analysis/Initial Assessment
Here, security experts assess the entity's current security posture against the PCI PIN Standard requirements. This phase identifies where the entity's security controls deviate from the standard, and produces a risk report with a complete list of findings and a roadmap for successful remediation.
- Certification & QPA Audit
Once the client completes remediation, the PCI QPA performs the audit, validating adherence to the standard. A successful audit confirms that the entity's security controls are in place and ready for PCI PIN Certification.
- Ongoing Support & Training
Maintaining security is a continual process, and entities need ongoing support and training. Awareness training is crucial to keeping an organization's security posture intact. There may also be ongoing requirements that call for managed compliance services, so it is vital to equip entity staff with the required knowledge and skills.
How much does a PCI PIN Assessment cost?
The cost of a PCI PIN Assessment cannot be generalized, as it depends on multiple factors. The amount of consulting time required to prepare for the assessment and the number of locations to assess are the main cost drivers. Given the present threat landscape, however, a PCI PIN assessment is worth the expense of preventing a breach that could damage both the business's finances and its reputation.
Is ValueMentor a qualified PIN Assessor?
ValueMentor is a Qualified PIN Security Assessor authorised by the Payment Card Industry (PCI) Security Standards Council. Our certified security experts have strong credentials in payment security and have carried out PCI PIN compliance audits over the years. We have helped 100+ small to large-scale companies successfully complete various PCI audit programs and achieve valued certifications.
What makes ValueMentor a trusted partner for PIN security Assessments?
ValueMentor's key strengths in the industry are robust security and risk management, precision in findings and reporting, prioritized advice and guidance, attestation support, business continuity, and being the best compliance and advisory partner for our clients throughout the process and beyond.
- Experienced & qualified QPA
- Best remediation advisory support.
- A tailor-made approach to security.
- End-to-end support.
- Robust security & risk management.
- Training & attestation support.
As a full-fledged cyber security and compliance firm, ValueMentor is a global leader, approved by the PCI Security Standards Council to perform PCI PIN Assessments. Our assessors and specialists in the payment division have extensive experience and industry knowledge in PCI DSS compliance projects and P2PE Assessments. We have helped 100+ small to large-scale companies in the payment industry meet their compliance requirements and security needs in minimum time and with improved quality. We use innovative solutions to streamline audits and keep our communication fluid, and a simplified path to facilitate documentation and keep our clients on the right track.
To discuss your upcoming PCI PIN Assessment, call our security consultants; we are ready to assist you!