Page 26 - GS201102
Education
Navigating PCI PIN security requirements

By John Cragg
MYHSM

Security and compliance in the payments ecosystem cannot be underestimated, nor can the complexity of the various security standards be taken lightly. Established standards should always be adhered to, but regulatory compliance is constantly evolving, so navigating it can be a major task. Payment Card Industry (PCI) security standards outline the multiple security standards and resources set to protect cardholder data throughout the world. Implementing these standards requires specific expertise and knowledge.

We often hear the term PCI DSS, which stands for the PCI Data Security Standard. It refers to a set of requirements applicable to any environment, data centers included, that stores, processes or transmits cardholder data, particularly the primary account number (PAN).

The PCI DSS does not, however, cover the protection of PIN (personal identification number) blocks, so a PIN could still be compromised in a PCI DSS-compliant environment; hence, specific standards have been developed to protect this critical element. These are the PCI PIN Security Requirements set forth in the unified PCI PIN Standard, which is more stringent than the PCI DSS. The PCI PIN Security Requirements are intended for use by all issuers and acquirers, as well as any other companies that process electronic payments and are responsible for PIN transaction processing. Here I'll delve into the PCI PIN Standard and explore how compliant service providers can help financial institutions achieve the standard themselves.

Why adhere to PCI PIN Security Requirements?

The PCI PIN Standard, issued Jan. 21, 2020, incorporates the PCI PIN Security Requirements, which provide a set of requirements for the secure management, processing and transmission of PIN data during online and offline card transactions. The requirements ensure a cardholder's PIN (typically four digits, six in some countries) remains encrypted throughout the whole payments system, so confidentiality is protected at all times. A PIN is the main credential used to authenticate the cardholder when completing a transaction, and at no point during the payments process should the PIN be exposed.

The PIN is an extremely sensitive piece of unique data and, if it is compromised along with the associated card details, fraudulent activity can occur, resulting in financial loss. Also, attacks on unsecured and outdated payment terminals are increasing, so the standards are crucial.

PCI PIN Security Requirements outline the procedures and equipment required to keep PINs encrypted to an approved standard. One critical element required for securing the encryption of PINs is the use of payment hardware security modules (HSMs), which need to be used and managed in the right way. Payment HSMs are used for functions such as key management and encryption of sensitive data. During each stage of the payments process the PIN is encrypted with a different key, and the translation from one key to the next takes place inside an HSM so the clear PIN is never exposed to the host. Therefore, the requirements relate to:

• Key management and the cryptographic keys used for PIN encryption and decryption, ensuring these are handled in an approved, secure manner, including generating, storing and destroying the keys.
• Procedures in place to detect and
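The hop-by-hop encryption described above, as an added worked example that is not from the article or from MYHSM: a Go program builds an ISO 9564-1 format 0 PIN block, encrypts it under a terminal PIN key (TPK), translates it at the acquirer to a zone PIN key (ZPK) without ever returning the clear block, and verifies it at the issuer. The HSM type, the key names and the sample PAN, PIN and key values are constructed for illustration only; TDES is used because a format 0 block is 8 bytes, and the standard also permits AES-based (format 4) blocks, which this example does not cover.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

func isDigits(s string) bool {
	for _, c := range s {
		if c < '0' || c > '9' {
			return false
		}
	}
	return s != ""
}

// panField returns the 16-hex-digit PAN field of ISO 9564-1 format 0:
// "0000" followed by the rightmost 12 PAN digits, check digit excluded.
func panField(pan string) (string, error) {
	if len(pan) < 13 || !isDigits(pan) {
		return "", errors.New("PAN must be 13+ digits")
	}
	body := pan[:len(pan)-1] // drop the Luhn check digit
	return "0000" + body[len(body)-12:], nil
}

// Format0PINBlock builds the 8-byte clear PIN block: the PIN field
// (control nibble 0, PIN length, PIN digits, 'F' padding) XOR the PAN field.
func Format0PINBlock(pin, pan string) ([]byte, error) {
	if !isDigits(pin) || len(pin) < 4 || len(pin) > 12 {
		return nil, errors.New("PIN must be 4..12 digits")
	}
	pf := fmt.Sprintf("0%X%s", len(pin), pin)
	pf += strings.Repeat("F", 16-len(pf))
	nf, err := panField(pan)
	if err != nil {
		return nil, err
	}
	a, _ := hex.DecodeString(pf)
	b, _ := hex.DecodeString(nf)
	out := make([]byte, 8)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out, nil
}

// DecodeFormat0 recovers the PIN from a clear format 0 block and rejects
// blocks whose control nibble, length, digits or padding are malformed.
func DecodeFormat0(block []byte, pan string) (string, error) {
	nf, err := panField(pan)
	if err != nil || len(block) != 8 {
		return "", errors.New("bad PAN or block length")
	}
	b, _ := hex.DecodeString(nf)
	clear := make([]byte, 8)
	for i := range clear {
		clear[i] = block[i] ^ b[i]
	}
	h := strings.ToUpper(hex.EncodeToString(clear))
	nv, perr := strconv.ParseUint(h[1:2], 16, 8)
	n := int(nv)
	if h[0] != '0' || perr != nil || n < 4 || n > 12 {
		return "", errors.New("not a format 0 PIN block")
	}
	pin := h[2 : 2+n]
	if !isDigits(pin) || strings.Trim(h[2+n:], "F") != "" {
		return "", errors.New("malformed PIN block")
	}
	return pin, nil
}

// tdes builds a two-key TDES cipher (K1 K2 K1) from a 16-byte key.
func tdes(k []byte) (cipher.Block, error) {
	if len(k) != 16 {
		return nil, errors.New("key must be 16 bytes")
	}
	return des.NewTripleDESCipher(append(append([]byte{}, k...), k[:8]...))
}

// HSM is a hypothetical model of the secure cryptographic device boundary:
// keys are referenced by name, never exported, and a clear PIN block only
// exists inside a method call. A PIN entry device is modelled the same way.
type HSM struct{ keys map[string][]byte }

func (h *HSM) block(name string) (cipher.Block, error) {
	k, ok := h.keys[name]
	if !ok {
		return nil, fmt.Errorf("unknown key %q", name)
	}
	return tdes(k)
}

// Encrypt produces the encrypted PIN block a PED sends under its TPK.
func (h *HSM) Encrypt(key string, clear []byte) ([]byte, error) {
	c, err := h.block(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, clear)
	return out, nil
}

// Translate re-encrypts a PIN block from one key to another (TPK to ZPK at
// the acquirer); the clear block never leaves this function.
func (h *HSM) Translate(from, to string, in []byte) ([]byte, error) {
	cf, err := h.block(from)
	if err != nil {
		return nil, err
	}
	ct, err := h.block(to)
	if err != nil {
		return nil, err
	}
	clear := make([]byte, 8)
	cf.Decrypt(clear, in)
	out := make([]byte, 8)
	ct.Encrypt(out, clear)
	for i := range clear {
		clear[i] = 0 // scrub the clear block before returning
	}
	return out, nil
}

// Verify decrypts under the named key and compares to the reference PIN,
// returning only a boolean to the host application.
func (h *HSM) Verify(key string, in []byte, pan, reference string) (bool, error) {
	c, err := h.block(key)
	if err != nil {
		return false, err
	}
	clear := make([]byte, 8)
	c.Decrypt(clear, in)
	pin, err := DecodeFormat0(clear, pan)
	for i := range clear {
		clear[i] = 0
	}
	return err == nil && pin == reference, err
}

// Demo runs the flow end to end with constructed sample keys and data and
// returns the issuer's verification result for the PIN the cardholder typed.
func Demo() (bool, error) {
	tpk, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210") // sample TPK
	zpk, _ := hex.DecodeString("A1B2C3D4E5F60718293A4B5C6D7E8F90") // sample ZPK
	ped := &HSM{keys: map[string][]byte{"TPK": tpk}}
	acquirer := &HSM{keys: map[string][]byte{"TPK": tpk, "ZPK": zpk}}
	issuer := &HSM{keys: map[string][]byte{"ZPK": zpk}}
	pan, pin := "4000001234567899", "1234" // sample PAN and PIN

	clear, err := Format0PINBlock(pin, pan)
	if err != nil {
		return false, err
	}
	underTPK, err := ped.Encrypt("TPK", clear) // hop 1: PED to acquirer
	if err != nil {
		return false, err
	}
	underZPK, err := acquirer.Translate("TPK", "ZPK", underTPK) // hop 2: acquirer to issuer
	if err != nil {
		return false, err
	}
	return issuer.Verify("ZPK", underZPK, pan, pin)
}

func main() {
	ok, err := Demo()
	fmt.Println("issuer verified PIN:", ok, err)
}
```

The host code at the acquirer only ever handles `underTPK` and `underZPK`; the clear block and the PIN appear solely inside `Translate` and `Verify`, which is the property the requirements demand of a real HSM, and the issuer's device holds only the zone key it shares with the acquirer.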