The PCI PIN Standard requires implementation of Key Blocks. In this post, we cover basic questions about the applicability of this requirement. This is the second post in a series on the Key Block requirement. In our first post in the series, Key Blocks 101, we covered basic questions about this security method and how it helps secure payment data.
Q. To what entities or environments does the PCI PIN Standard apply?
A. The PCI PIN Standard requirements are intended for use by all acquiring institutions and agents (e.g., key-injection facilities and certificate processors) responsible for PIN transaction processing on the payment card industry participants’ denominated accounts and should be used in conjunction with other applicable industry standards.
The individual payment brands are responsible for defining and managing compliance programs associated with these requirements. Contact the payment brands and/or acquirer (merchant bank) for more information about PCI compliance programs. For more information on contacting the payment brands please view our FAQ: How do I contact the payment card brands?
Q. Who assesses my entity’s compliance with PCI PIN?
A. A Qualified PIN Assessor (QPA) is trained and approved by PCI SSC to assess compliance with the PCI PIN Standard. QPA Companies are security organizations that have been qualified by the Council to validate an entity's adherence to the PCI PIN Standard. QPA Employees are individuals who are employed by a QPA Company and have satisfied all requirements to perform PCI PIN assessments as described in the QPA Qualification Requirements. To find a QPA, or to check the status of a QPA, please visit our website.
Q. Can my QSA help with this?
A. Yes, but only if the Qualified Security Assessor (QSA) is also a Qualified PIN Assessor (QPA).
Q. Does the Key Block requirement change who is subject to the PIN Security Requirements Standard?
A. No. This is a change of requirements within the standard and does not change the organizations to which the standard applies.
Q. Do all entities that store, process or transmit non-PIN Payment Card Data have to comply with the key block requirements?
A. The use of Key Blocks is required for the protection of cryptographic keys used in the secure management, processing, and transmission of personal identification number (PIN) data, whether such data is used during online or offline payment card transaction processing at ATMs or at point-of-sale (POS) terminals that accept cardholder PINs. Use of Key Blocks may also be subject to individual payment brand requirements; contact the payment brands about the applicability of Key Blocks to cryptographic keys associated with other data types. The use of Key Blocks is an industry best practice for the storage and conveyance of all symmetric keys, and organizations are strongly encouraged to adopt them.
Q. How does this impact my entity’s PCI DSS compliance?
A. PCI DSS and PCI PIN are separate and distinct standards, and compliance with one does not necessarily affect compliance with the other. There are currently no Key Block requirements in PCI DSS. Contact the payment brands to understand the compliance requirements for each standard.
Q. Issuers are not typically considered acquiring organizations subject to the PCI PIN requirements. Are they required to support Key Blocks?
A. Although issuers are not subject to the PCI PIN Security Requirements (unless required by a payment brand), they will be required to validate PIN data received from acquiring institutions that is encrypted under PIN encryption keys established with the applicable acquiring institution using the Key Block format. Therefore, issuers will need to understand the PCI PIN Key Block requirement and work with the applicable networks to understand the impact on their organization and ensure continued interoperability.
Also on the blog: Key Blocks 101