ETA Expert Insights: PCI PIN Security Update 3.0
By Donna Gem, GEM Security Solutions; Greg Leos, Bank of America Merchant Services; Sam Pfanstiel, ControlScan, members of the ETA Risk, Fraud and Security Committee.
The Payment Card Industry Security Standards Council (PCI SSC) published version 3.0 of the PCI PIN Security Requirements in August 2018, and it went into effect on October 1, 2019. This version was a collaborative effort between the PCI SSC and the Accredited Standards Committee (ASC) X9: the ASC X9 TR-39 requirements were folded into the PCI PIN standard, so that PCI PIN 3.0 now serves as the single set of requirements. Here we examine the changes and what you need to know about the latest requirements in order to ensure your organization remains compliant.
Summary of PCI PIN Update 3.0:
- The use of multi-purpose personal computers for key loading is being phased out. Clear-text secret keys, private keys, and their components that exist in unprotected memory outside the secure boundary of a secure cryptographic device (SCD) are likewise to be phased out.
- The allowance for injecting clear-text secret or private keying material into point of interaction (POI) devices or other SCDs will be phased out, starting with key injection facilities (KIFs) in 2021. After that date, only encrypted key injection will be permitted.
- The requirement that encrypted symmetric keys be managed in structures called key blocks has been split into three phases with separate implementation dates; the first phase went into effect for service providers in June 2019.
- Host support for Advanced Encryption Standard (AES) PIN blocks, for both encryption and decryption, will be required over the next five years to facilitate adoption of this stronger algorithm by POI devices in place of the legacy TDES PIN block.
- A new PCI PIN Assessor program includes the creation and management of the new Qualified PIN Assessor (QPA) designation by the PCI SSC, along with a listing of approved QPAs on the pcisecuritystandards.org website.
In addition, PCI PIN 3.0 brings a multitude of changes to the documentation requirements: organizations must now maintain comprehensive written procedures and be able to demonstrate that those procedures exist, are documented, and are actually followed by personnel.
Existing in-flight PCI PIN 2.0 assessments performed by a Visa Security Assessor (SA) must be completed and submitted prior to December 31, 2019; all other assessments will be performed by a QPA against the PCI PIN 3.0 requirements, testing procedures, and reporting template. Organizations to which PCI PIN applies should review their documentation against the new requirements now, so that they are compliant when the QPA comes onsite.