The Visa PIN Security Program assists organizations to achieve this goal. A secure payment ecosystem and continued cardholder confidence benefits all stakeholders. Refer to the PIN Security Program Guide, to understand your role and responsibilities with protecting PIN data.
Visa Pin Security Program
Cardholder PIN data is valuable commodity. Is the PIN data in your environment secure?
Keep Up-to-Date on PIN Security News
Key Blocks Effective Dates Reminder
The Payment Card Industry Security Standards Council (PCI SSC) has extended the effective dates of the PCI PIN key block requirements for Phase 2 and Phase 3. The PIN Security Program and Visa’s requirements to exchange keys in the key block format will align with the revised effective dates. Read the Visa PIN Security Bulletin on how these dates affect your organization.
For organizations that exchange symmetric keys with Visa, contact your Visa representation for additional information.
PCI PIN Entry Devices (PED) v3.0 Security Approval Expires 30 April 2021
In March 2020, PCI published a security bulletin informing the payment community about PED v3.0 security approvals expiration date being extended for one year. Visa reminds stakeholders the revised expiration date is 30 April 2021.
Visa PIN Security Program requires industry participants to use PCI PTS devices for cardholder PIN entry*. PCI PTS devices are listed on the PCI SSC Approved PTS Device List. Each device is assigned a 10 year security approval expiration date to correspond to the published security requirements the device was evaluated against. For example, PED v3.0 devices were evaluated to security requirements that were published in 2010. The PED v3.0 security approval expiration date is 30 April 2021 (originally 30 April 2020). Note: Devices with expired security approvals are listed separately and can be accessed from the Approved Device page in the Devices with Expired Approval section.
Understanding that attack vectors and threats evolve, the security approval expiration date is an indication the device may no longer be able to withstand modern day attacks, even though the device is still functional. Visa allows continued use of PEDs with expired security approvals but recognizes the risk for compromise and data loss increases past the security approval expiration date.
Organizations that have PTS PEDs with expired a security approval should refer to the Visa PIN Security Program Guide, Appendix B-Visa PED Hardware Requirements to understand Visa’s requirements for expired devices, including purchasing, deployment, usage and sunset/replacement dates for each version.
*Approved PCI SPoC or Visa Ready solutions may be allowed for PIN entry on COTS devices. Contact your regional PIN Program Manager or Visa Ready team for additional information.
PCI PIN Security Requirements Version 3.1 Published
PCI PIN Security Requirements and Testing Procedures version 3.1 have been published and are effective immediately.
All payment stakeholders are encouraged to review the PCI SSC Modifications—Summary of Requirement Changes from v3.0 to v3.1and the updated PCI PIN Security Requirements and Testing Requirements version 3.1, both available online from the PCI SSC Document Library (filter by PIN).
For entities that are required to submit validation documents to Visa, assessments can be performed against version 3.0 or v3.1 until 30 September 2021. After that time, all new assessments must be performed to version 3.1. Note: Visa will no longer accept version 3.0 PIN Attestation of Compliance (AOC) documents after 1 January 2022.
PCI Qualified PIN Assessors (QPA)
Validating PIN Participants must use a Qualified PIN Assessor (QPA), to conduct onsite PIN security assessments for the Visa PIN Security Program. Approved QPAs are listed on the PCI SSC Assessor website.
Non-validating PIN Participants are not required to use a QPA. Internal or external auditors knowledgeable on the PCI PIN Standard and Visa PIN Requirements may conduct assessments for Non-validating PIN Participants. Review the Visa PIN Security Program Guide to fully understand requirements for Validating and Non-validating PIN Participants.
All stakeholders must understand their roles and responsibilities as outlined in the PIN Security Program Guide.
Other PIN Security News
Keep up to date on news affecting Visa PIN Security Program and what acquirers, merchants and service providers need to know:
- ISO Format 4 PIN Block Support Dates Suspended – PCI SSC Bulletin
- Implementation Dates for Key Block Equivalency – PCI SSC Bulletin
- Threat of ATM Cash-Outs Payments Security – PCI SSC Bulletin
- Revisions to the Implementation Dates and Scope for PCI PIN Security Requirement 32-9 – PCI SSC Bulletin
- PCI DSS v3.2.1 standard - Appendix A2: Additional PCI DSS Requirements for Entities using SSL/Early TLS for Card-Present POS POI Terminal Connections for applicable requirements
- Use of SSL/Early TLS for POS POI Terminal Connections - PCI Information Supplement
- Use of SSL/Early TLS and Impact on ASV Scans - PCI Information Supplement