The Payment Card Industry Security Standards Council (PCI SSC) has extended the effective dates of the PCI PIN key block requirements for Phase 2 and Phase 3. The PIN Security Program and Visa’s requirement to exchange keys in the key block format will align with the revised effective dates. Read the Visa PIN Security Bulletin on how these dates affect your organization.
Visa has updated PIN Entry Device (PED) sunset and replacement mandates for expired point of sale PIN entry and ATM devices as well as introduced new sunset dates for expired host security modules (HSM) that have been approved by the Payment Card Industry Security Standards Council (PCI SSC).
All organizations are encouraged to review and understand the Visa PIN Security Program Guide, Appendix B: PED Hardware Purchase, Usage and Sunset Dates and the new Appendix C: HSM Purchase, Usage and Sunset Dates to understand Visa's requirements related to PEDs and HSMs after their PCI security approval expires.
Note: PCI PTS security approval for POI v3 devices expires on 30 April 2021.
As a reminder, all PIN assessments regardless if it is for Validating or Non-validating PIN Participant must be performed using version 3 of the PIN standard with PCI reporting materials. Version 2 assessments will no longer be accepted.
The PCI PIN Security Requirements and Testing Procedures, Version 3.0 and corresponding reporting materials are, available on the PCI SSC Document Library (filter by PIN).
Validating PIN Participants must use a Qualified PIN Assessor (QPA), to conduct onsite PIN security assessments for the Visa PIN Security Program. Approved QPAs are listed on the PCI SSC Assessor website.
Non-validating PIN Participants are not required to use a QPA to validate their PIN compliance. Internal or external auditors knowledgeable on the PCI PIN Standard and Visa PIN Requirements may conduct assessments for Non-validating PIN Participants. Review the Visa PIN Security Program Guide to fully understand requirements for Validating and Non-validating PIN Participants.
The Visa PIN Security Program Guide reflects all requirements, including use of expired PCI PEDs, who is required to validate using a QPA and contact information for regional PIN Program Managers for additional questions. All stakeholders are encouraged to review the program guide to understand your role and responsibilities regarding PIN security.
Keep up to date on news affecting Visa PIN Security Program and what acquirers, merchants and service providers need to know:
