From 18 August to 18 September, PCI SSC stakeholders have the opportunity to review and provide feedback on the next draft of the PCI PIN Security Requirements and Testing Procedures.
Acquirers and their agents (e.g., key-injection facilities and certificate processors) responsible for personal identification number (PIN) transaction processing are subject to the PCI PIN Security Requirements. This PCI Security Standard covers the secure management, processing and transmission of PIN data at ATMs, and attended and unattended point-of-sale (POS) terminals.
The PCI SSC is updating the PCI PIN Security Requirements and Testing Procedures for release later in 2017.
Updates will include but are not limited to:
- Based upon industry feedback, the requirement that encrypted symmetric keys must be managed in structures called key blocks has been revised and broken into three separate phases, with different implementation dates.
- The usage of personal computers for key loading, where clear-text secret and/or private keys and/or their components exist in unprotected memory outside the secure boundary of a secure cryptographic device (SCD), is being phased out at future dates.
- The allowance for the injection of clear-text secret or private keying material into an SCD is being phased out at future dates. Only encrypted key injection shall be allowed.
- The test procedures have been enhanced to ensure more robust testing of existing requirements.
As part of the standards development process, PCI Participating Organizations, Affiliate and Strategic Members, PCI Recognized Labs, PTS vendors and Qualified Security Assessors (QSAs) are invited to review the draft PCI PIN Security Requirements and Testing Procedures v3 (PIN v3) and provide feedback.
The comment period runs from 18 August to 18 September 2017.