PCI PIN Assessment FAQs

By: Mark Miner
Security Analyst

What does PCI PIN stand for?

PCI PIN refers to the security requirements and assessment for merchants that accept, process or transmit payment card personal identification numbers (PINs). The PIN Security requirements are set by the Payment Card Industry Security Standards Council (PCI SSC) and outlined in the PCI PIN Security Documents and Procedures V.3.

What is a PCI PIN Assessment?

The purpose of a PCI PIN Assessment is to verify that organizations are securely managing, processing, and transmitting PIN data during online and offline payment card transactions. A PCI PIN Assessment covers the encryption and key management of PIN transactions, as well as the secure management of processing equipment. POS devices (where you enter your PIN) and the hardware security module (HSM) used to decrypt the PIN and to manage the keys are all key parts of a PIN Assessment. Your PIN is encrypted and its unique key is stored on the device. Any part of this chain (processing the PIN and managing the keys used to protect the PIN) is considered in scope.

Who needs PCI PIN Assessments? 

The PCI PIN Assessment is required for:

  • Companies performing activities in the PIN transaction process such as:
    • Acquiring (including ISOs)
    • Processing
    • Storage
    • Transmission
  • Companies that provide encryption management services such as:
    • Key-injection facilities (KIFs)
    • Certificate and registration authorities (CAs and RAs)

In addition, other entities may fall into scope if directed by a participating payment brand to perform a PIN Assessment.

How often is a PCI PIN Assessment done?

PCI PIN Assessments are done every 2 years. 

What is the process of a PCI PIN Assessment?

The PCI PIN Assessment process will depend heavily on the client’s environment. A PIN Assessment is generally more complicated than a regular PCI DSS Assessment. Analysts must assess both the operational front end and the decryption environment. This includes the payment processing equipment as well as strict and detailed key management processes. To put it in perspective, a PCI DSS Report on Compliance (ROC) usually has around 18 to 20 pages devoted to key management, while a PCI PIN Report on Compliance may have over two hundred.   

SecurityMetrics works with businesses of all maturity and experience levels to establish processes and maintain PCI PIN compliance year after year. The PCI PIN ROC format is fixed by the PCI Security Standards Council and should not vary depending on the security vendor. 

After the report is complete, it will be sent to the card brands. 

How much does a PCI PIN Assessment cost? 

PCI PIN Assessments start at around $50,000, but the price will depend on a few factors. These include the amount of consulting time necessary to prepare for the PIN assessment and the number of locations that need to be assessed.

Is SecurityMetrics a Qualified PIN Assessor? 

Yes, SecurityMetrics is a Qualified PIN Assessor, or QPA.

From the PCI Council: “Qualified PIN Assessor (QPA) Companies are security organizations that have been qualified by the Council to validate an entity's adherence to the PCI PIN Standard. QPA Employees are individuals who are employed by a QPA Company and have satisfied all requirements to perform PCI PIN Assessments as described in the QPA Qualification Requirements.”

Why Work With SecurityMetrics for your PCI PIN Assessment?

Since the beginning of the P2PE standard, SecurityMetrics has been working with the PCI Security Standards Council to help companies develop secure and compliant key management and encryption solutions. Now with the PCI PIN standard, we are able to use that in-depth knowledge to help companies achieve PIN compliance.

As a full-service cybersecurity and compliance firm with over 20 years in PCI, SecurityMetrics is one of a handful of companies certified by the PCI Security Standards Council to complete PCI PIN Assessments. Our assessors have decades of experience in PCI DSS compliance and P2PE Assessments, and have completed over 2,000 security audits in unique payment environments. Our customers are all over the world and from all industries.

Security audits are inherently complicated; SecurityMetrics uses innovative solutions to keep communication fluid and help streamline your audit. Assessors and supporting teams provide customers with a simplified way to facilitate documentation and keep them on track with project management software. 

To discuss your upcoming PCI PIN Assessment, request a quote here.

Mark Miner is a Principal Security Analyst and Assessor at SecurityMetrics. He has over 21 years of experience in network security. Mark holds current CISSP, QSA (P2PE), and PA-QSA (P2PE) certifications, and his expertise has been focused on Payment Card Industry (PCI) security for the past 8.5 years. He has performed over 115 PCI and PA-DSS assessments.