The PIN Security Program and Visa’s requirements to exchange keys in the key block format will align with the revised effective dates. Read the Visa PIN Security Bulletin on how these dates affect your organization.
For organizations that exchange symmetric keys with Visa, contact your Visa representation for additional information.
In March 2020, PCI published a security bulletin informing the payment community about PED v3.0 security approvals expiration date being extended for one year. Visa reminds stakeholders the revised expiration date is 30 April 2021.
Visa PIN Security Program requires industry participants to use PCI PTS devices for cardholder PIN entry*. PCI PTS devices are listed on the PCI SSC Approved PTS Device List. Each device is assigned a 10 year security approval expiration date to correspond to the published security requirements the device was evaluated against. For example, PED v3.0 devices were evaluated to security requirements that were published in 2010. The PED v3.0 security approval expiration date is 30 April 2021 (originally 30 April 2020). Note: Devices with expired security approvals are listed separately and can be accessed from the Approved Device page in the Devices with Expired Approval section.
Understanding that attack vectors and threats evolve, the security approval expiration date is an indication the device may no longer be able to withstand modern day attacks, even though the device is still functional. Visa allows continued use of PEDs with expired security approvals but recognizes the risk for compromise and data loss increases past the security approval expiration date.
Organizations that have PTS PEDs with expired a security approval should refer to the Visa PIN Security Program Guide, Appendix B-Visa PED Hardware Requirements to understand Visa’s requirements for expired devices, including purchasing, deployment, usage and sunset/replacement dates for each version.
*Approved PCI SPoC or Visa Ready solutions may be allowed for PIN entry on COTS devices. Contact your regional PIN Program Manager or Visa Ready team for additional information.
PCI PIN Security Requirements and Testing Procedures version 3.1 have been published and are effective immediately.
All payment stakeholders are encouraged to review the PCI SSC Modifications—Summary of Requirement Changes from v3.0 to v3.1and the updated PCI PIN Security Requirements and Testing Requirements version 3.1, both available online from the PCI SSC Document Library (filter by PIN).
For entities that are required to submit validation documents to Visa, assessments can be performed against version 3.0 or v3.1 until 30 September 2021. After that time, all new assessments must be performed to version 3.1. Note: Visa will no longer accept version 3.0 PIN Attestation of Compliance (AOC) documents after 1 January 2022.
Validating PIN Participants must use a Qualified PIN Assessor (QPA), to conduct onsite PIN security assessments for the Visa PIN Security Program. Approved QPAs are listed on the PCI SSC Assessor website.
Non-validating PIN Participants are not required to use a QPA. Internal or external auditors knowledgeable on the PCI PIN Standard and Visa PIN Requirements may conduct assessments for Non-validating PIN Participants. Review the Visa PIN Security Program Guide to fully understand requirements for Validating and Non-validating PIN Participants.
All stakeholders must understand their roles and responsibilities as outlined in the PIN Security Program Guide.
Keep up to date on news affecting Visa PIN Security Program and what acquirers, merchants and service providers need to know: