PCI PIN Security Audit

Any entity that accepts and processes Visa, Plus or Interlink PINs is required to comply with the PCI PIN Security Requirements and applicable PCI PED usage requirements. Starting in 2012, compliance with these requirements will be enforced by the aforementioned payment networks. Specifically, any financial institution that is a Plus member, with at least one ATM, will most likely receive a mandate from its processor or sponsoring bank in 2012 asking the institution to complete and submit an annual PCI PIN Security Audit. This detailed and comprehensive security program is aimed at safeguarding consumer PIN and cryptographic systems used to protect the Visa payment system.

The PCI PIN Security Program includes the following control objectives that cover 32 questions or requirements on PIN security and the encryption Keys that protect the PIN:

  • Secure Equipment and Methodologies: PINs used in transactions governed by these requirements are processed using equipment and methodologies that ensure they are kept secure.
  • Secure Key Creation: Cryptographic Keys used for PIN encryption/decryption and related Key management are created using processes that ensure that it is not possible to predict any Key or to determine that certain Keys are more probable than other Keys.
  • Secure Key Conveyance/Transmission: Keys are conveyed or transmitted in a secure manner.
  • Secure Key Loading: Key loading to hosts and to PIN entry devices is handled in a secure manner.
  • Prevent Unauthorized Usage: Keys are used in a manner that prevents or detects their unauthorized usage.
  • Secure Key Administration: Keys are administered in a secure manner.
  • Equipment Management: Equipment used to process PINs and Keys is managed in a secure manner.

PKM has experienced, certified IT auditors who understand the complexity of PCI PIN Security Requirements; PIN and Key management principles and techniques; and the details involved with performing PCI PIN Security Audits.