PIN security

Updates to Visa Sunset/Removal Dates for PCI expired devices

Visa has updated PIN Entry Device (PED) sunset and replacement mandates for expired point of sale PIN entry and ATM devices as well as introduced new sunset dates for expired host security modules (HSM) that have been approved by the Payment Card Industry Security Standards Council (PCI SSC).

All organizations are encouraged to review and understand the Visa PIN Security Program Guide, Appendix B: PED Hardware Purchase, Usage and Sunset Dates and the new Appendix C: HSM Purchase, Usage and Sunset Dates to understand the requirements related to PEDs and HSMs after their PCI security approval expires.

Note: PCI PTS security approval for POI v3 devices expires on 30 April 2020.

PCI PIN Security Requirements Version 3

As a reminder, all PIN assessments must be performed using version 3 with PCI reporting materials. Version 2 assessments will no longer be accepted.

The PCI PIN Security Requirements and Testing Procedures, Version 3.0, August 2018 is available on the PCI SSC Document Library (filter by PCI PIN).

PCI Qualified PIN Assessors (QPA)

The PIN Security Program recognizes a new PCI assessor type, Qualified PIN Assessor (QPA), to conduct onsite PIN security assessments for the Visa PIN Security Program. The PCI Security Standards Council (PCI SSC) is responsible for certifying and training QPAs and will list approved QPAs on the PCI SSC Assessor website.

Key Blocks

A number of resources are available to help organizations with the PCI PIN Requirements and Visa support of key blocks. All organizations are encouraged to review this information to understand the key block requirements and evaluate its impact to existing environments.

• PCI PIN Security Requirements and Testing Procedures, Version 3.0
• PCI Information Supplement: PIN Security Requirement 18-3—Key Blocks 
• PCI Information Supplement: Cryptographic Key Blocks
• Visa October 2018 and January 2019 VisaNet Business Enhancements Global Technical Letter and Implementation Guide, Effective: 14 June 2018
• Visa April 2019 and July 2019 VisaNet Business Enhancements Global Technical Letter and Implementation Guide, Effective: 7 March 2019

Note: Visa resources are available on Visa Online.

PIN Security Program Guide Updated

The PIN Security Program Guide reflects all requirements of Visa PIN Security Program, including use of expired PCI PEDs, who is required to validate using a QPA and contact information for regional PIN Program Managers for additional questions. All stakeholders are encouraged to review the program guide to understand your role and responsibilities regarding PIN security.

Other PIN Security News

Keep up to date on news affecting Visa PIN Security Program and what acquirers, merchants and service providers need to know:

• Updates to Sunset Dates for Expired PIN Entry Devices - Visa PIN Security Bulletin
• Review the PCI DSS v3.2.1 standard - Appendix A2: Additional PCI DSS Requirements for Entities using SSL/Early TLS for Card-Present POS POI Terminal Connections for applicable requirements
• Use of SSL/Early TLS for POS POI Terminal Connections - PCI Information Supplement
• Use of SSL/Early TLS and Impact on ASV Scans - PCI Information Supplement
• AFD PIN Encryption Rule Will Take Effect With EMV Liability Shift - Visa PIN Security Bulletin
• Implementation Date Change for PCI PIN Security Key Bundling Requirement - Visa PIN Security Bulletin