Today, the PCI SSC published a minor revision to the PCI PIN Security Requirements and Testing Procedures—also known as the PCI PIN Security Standard. Version 3.1 of the Standard includes clarifications and updates previously released via FAQs and bulletins and incorporates stakeholder feedback and comments received via a formal request for comment (RFC) period.
In this post we talk with PCI SSC SVP and Standards Officer Emma Sutcliffe about the revised Standard.
What are the PCI PIN Security Requirements and Testing Procedures?
Emma Sutcliffe: PIN (Personal Identification Number) data provides an authentication method to help protect payments from fraudulent use. The PCI PIN Security Standard provides requirements and testing procedures for the secure management, processing, and transmission of PIN data at ATMs and attended and unattended point-of-sale (POS) terminals.
Why is the Standard being updated?
Emma Sutcliffe: Industry feedback drove many of the changes to the Standard, which consist primarily of minor revisions and errata updates. Revisions include clarifications and updates previously released via technical FAQs and bulletins, corrections to proofing errors, and responses to stakeholder comments.
Can you provide an overview of the updates?
Emma Sutcliffe: We provide a full update of the changes in the Summary of Changes document, which can be found with the Standard in the PCI SSC Document Library.
Some notable changes include:
- Incorporation of the revised effective dates for key block implementations that were previously announced in July 2020. The revision of these dates was in response to stakeholder feedback about the impact COVID-19 has had on implementation efforts. Details can be found in this bulletin: Revisions to the Implementation Date for PCI PIN Security Requirement 18-3
- Incorporation of the previously announced revisions to dates and scope for implementing encrypted key injection. Announced in November 2020, the implementation dates have been deferred three years and the applicability changed from POI v3 and higher devices to POI v5 and higher devices. Additional details are provided in this bulletin: Revisions to the Implementation Dates and Scope for PCI PIN Security Requirement 32-9
- Suspension of the effective dates for entities to support ISO Format 4 PIN Blocks. Announced in March 2021, the suspension was in response to stakeholder feedback. The dates are currently being reevaluated to determine how best to support migration from TDEA (Triple Data Encryption Algorithm) to AES (Advanced Encryption Standard) across the payment ecosystem. More information can be found in this bulletin.
- Clarification for PCI-approved HSMs that the approval may be contingent on being deployed in controlled environments or more robust (e.g., secure) environments as defined in ISO 13491-2 and in the device’s PCI HSM Security Policy. This information is noted in the Additional Information column of approved PTS devices.
- Updates to Normative Annex C–Minimum and Equivalent Key Sizes and Strengths for Approved Algorithms, which was rewritten for clarity and to align with nomenclature used in NIST publications.
- Updates to Appendix A–Applicability of Requirements.
The PCI PIN Security Requirements and Testing Procedures v3.1 and supporting documentation, including Summary of Changes from v3.0 to v3.1, are available in the Document Library.