PIN security

Transition to PCI PIN Security Requirements Version 3

The PCI PIN Security Requirements and Testing Procedures, Version 3.0, August 2018 is available on the PCI SSC Document Library (filter by PCI PIN). All organizations should become familiar with the revised standard and understand the associated impacts to their environment. To support the transition to version 3, Visa will adopt the following timeline:

• Validating PIN Participants will continue to validate to version 2 until 30 September 2019.
• From 1 October 2019 through 31 December 2019, validating PIN Participants may validate their PIN security compliance to either version 2 with Visa reporting materials or version 3 with PCI reporting materials. Note: Version 3 assessments must be conducted by a PCI QPA.
• Effective 1 January 2020, all PIN assessments must be performed using version 3 with PCI reporting materials. Version 2 assessments with Visa reporting materials will no longer be accepted.

Visa Recognizes PCI Qualified PIN Assessors (QPA)

Visa is updating its PIN Security Program to recognize a new PCI assessor type, Qualified PIN Assessor (QPA), to conduct on site PIN security assessments for the Visa PIN Security Program. The PCI Security Standards Council (PCI SSC) will be responsible for certifying and training QPAs on the PCI PIN security requirements and will list approved QPAs on the PCI website. Many existing Visa Approved PIN Security Assessors are now QPAs.

• Effective 1 October 2019, all Validating PIN Participants must use a QPA for their onsite assessments. Refer to the PIN Security Program Guide for more information or contact your regional PIN Program Manager with questions, including use of non-QPA after October 1, 2019.
• Approved QPAs are listed on the PCI SSC Assessor website.

Key Blocks

A number of resources are available to help organizations with the PCI PIN Requirements and Visa support of key blocks. All organizations are encouraged to review this information to understand the key block requirements and evaluate its impact to existing environments.

• PCI PIN Security Requirements and Testing Procedures, Version 3.0
• PCI Information Supplement: PIN Security Requirement 18-3—Key Blocks 
• PCI Information Supplement: Cryptographic Key Blocks
• Visa October 2018 and January 2019 VisaNet Business Enhancements Global Technical Letter and Implementation Guide, Effective: 14 June 2018
• Visa April 2019 and July 2019 VisaNet Business Enhancements Global Technical Letter and Implementation Guide, Effective: 7 March 2019

Note: Visa resources are available on Visa Online.

PIN Security Program Guide Updated

The PIN Security Program Guide has been updated to recognize the use of PCI QPAs. All stakeholders are encouraged to review the program guide to understand the requirements associated with the Visa PIN Security Program.

Other PIN Security News

Keep up to date on news affecting Visa PIN Security Program.
POI Devices using SSL - what merchants and service providers need to know:

• Review the PCI DSS v3.2.1 standard - Appendix A2: Additional PCI DSS Requirements for Entities using SSL/Early TLS for Card-Present POS POI Terminal Connections for applicable requirements
• Use of SSL/Early TLS for POS POI Terminal Connections - PCI Information Supplement
• Use of SSL/Early TLS and Impact on ASV Scans - PCI Information Supplement
• AFD PIN Encryption Rule Will Take Effect With EMV Liability Shift - Visa PIN Security Bulletin
• Implementation Date Change for PCI PIN Security Key Bundling Requirement - Visa PIN Security Bulletin

PIN Security Requirements

The PCI Security Standards Council (PCI SSC) published PCI PIN Security Requirements, v3.0 in August 2018. Review the following information to learn more about the revised standard and its impact to the Visa PIN Security Program.

• PCI PIN Security Requirements Updated - Visa PIN Security Bulletin
• PCI PIN Security Requirements Updated and PCISSC Modifications—Summary of Significant Changes from v2.0 to v3.0 - PCI Announcement