PCI PIN refers to the security requirements and assessment for merchants that accept, process or transmit payment card personal identification numbers (PIN).
PCI PIN refers to the security requirements and assessment for merchants that accept, process or transmit payment card personal identification numbers (PIN). The PIN Security requirements are set by the Payment Card Industry Security Standards Council (PCI SSC) and outlined in the PCI PIN Security Documents and Procedures V.3.
The purpose of a PCI PIN Assessment is to assess that organizations are securely managing, processing, and transmitting PIN data during online and offline payment card transactions. A PCI PIN Assessment involves encryption and key management of PIN transactions, as well as the secure management of processing equipment. POS devices (where you enter your PIN) and the hardware security module (HSM) used to decrypt the PIN and to manage the keys are all key parts of a PIN Assessment. Your PIN is encrypted and its unique key is stored on the device. Any part of this chain–processing the PIN and managing keys used to protect the PIN–is considered in scope.
The PCI PIN Assessment is required for:
In addition, other entities may fall into scope if directed by a participating payment brand to perform a PIN Assessment.
PCI PIN Assessments are done every 2 years.
The PCI PIN Assessment process will depend heavily on the client’s environment. A PIN Assessment is generally more complicated than a regular PCI DSS Assessment. Analysts must assess both the operational front end and the decryption environment. This includes the payment processing equipment as well as strict and detailed key management processes. To put it in perspective, a PCI DSS Report on Compliance (ROC) usually has around 18 to 20 pages devoted to key management, while a PCI PIN Report on Compliance may have over two hundred.
SecurityMetrics works with businesses of all maturity and experience levels to establish processes and maintain PCI PIN compliance year after year. The PCI PIN ROC format is fixed by the PCI Security Standards Council and should not vary depending on the security vendor.
After the report is complete, it will be sent to the card brands.
PCI PIN Assessments start at around $50,000, but price will depend on a few factors. These include the amount of consulting time necessary to prepare for the PIN assessment and the number of locations that need to be assessed.
Yes, SecurityMetrics is a Qualified PIN Assessor, or QPA.
From the PCI Council: “Qualified PIN Assessor (QPA) Companies are security organizations that have been qualified by the Council to validate an entity's adherence to the PCI PIN Standard. QPA Employees are individuals who are employed by a QPA Company and have satisfied all requirements to perform PCI PIN Assessments as described in the QPA Qualification Requirements.”
Since the beginning of the P2PE standard, SecurityMetrics has been working with the PCI Security Standards Council to help companies develop secure and compliant key management and encryption solutions. Now with the PCI PIN standard, we are able to use that in-depth knowledge to help companies achieve PIN compliance.
SecurityMetrics Wins Fortress Cybersecurity Award for their PCI DSS Assessments.
As a full-service cybersecurity and compliance firm with over 20 years in PCI, SecurityMetrics is one of a handful of companies certified by the PCI Security Standards Council to complete PCI PIN Assessments. Our assessors have decades of experience in PCI DSS compliance and P2PE Assessments, and have completed over 2,000 security audits in unique payment environments. Our customers are all over the world and from all industries.
Security audits are inherently complicated; SecurityMetrics uses innovative solutions to keep communication fluid and help streamline your audit. Assessors and supporting teams provide customers with a simplified way to facilitate documentation and keep them on track with project management software.
To discuss your upcoming PCI PIN Assessment, request a quote here.
.svg)
