Page 27 - GS201102
Views
manage security events such as compromised keys. These procedures, roles and responsibilities must be documented, recorded, regularly reviewed and audited.

How do you become PCI PIN compliant?

First, to become compliant with the PCI PIN Security Requirements, you must acquire payment HSMs. General-purpose HSMs do not support the specific cryptographic functions required. Your payment HSM needs to be certified to PCI HSM or FIPS 140-2 Level 3 or higher.

The PCI PIN Security Requirements comprise 33 requirements, categorized into seven control objectives. To successfully prove PCI PIN compliance, a Qualified PIN Assessor (QPA) will need to conduct an on-site assessment. The on-site assessment generally includes the following:
• Gap analysis: Assessing the existing procedures and processes in place. This will include reviewing your environment, equipment and security controls.
• Remediation: Remediating any gaps identified by the QPA.
• PCI PIN assessment: Conducting an on-site review to validate the PIN requirements. This can include interviews and review of network diagrams, processes, policies and procedures.
• Internal review: Completing an internal QA review process before issuing the PCI PIN Report on Compliance (ROC) and Attestation of Compliance (AOC), which can then be shared with other entities.

How can compliant service providers help?

Using a compliant service provider to host and manage certified payment HSMs can significantly reduce the scope and responsibilities of achieving compliance with the PCI PIN Security Requirements. With this, the client saves valuable time, resources and costs, all of which are essential to any financial organization seeking competitive advantage, particularly fintech startups that need a helping hand to enter the hyper-competitive payments landscape.

To be more specific, the benefits of using a PCI PIN certified service include:
• Simplified audits: The AOC from the service provider will dramatically reduce the auditors' questions that must be answered by the security team, so audits will become less onerous.
• Specialized skills to enhance security: Payment HSM skills are specialized and difficult to maintain when only rarely practiced, so outsourcing HSM security to an expert service that works with HSMs every day can enhance security.
• Shorter time to market: The manual processes for configuring an HSM, establishing a security team, and writing the policies and procedures required for certification and audit are all time-consuming. Using a service avoids these, so the time to market of the payment solution can be substantially reduced.

It is also important to note that achieving PCI PIN compliance is not a one-off tick-in-the-box activity, but rather a continuous cycle of events. The recertification process happens every 24 months, but throughout the year standards and procedures have to be documented and evidenced.

And what happens if you are not compliant? You risk losing all trust and credibility, both of which are vitally important for established financial institutions and fintech startups alike. If your business is not compliant, you could also be faced with financial penalties, and future investment may be hard to come by. Is it worth cutting corners? Certainly not.

John Cragg is CEO of MYHSM, a provider of payment HSM as a service. If you have a question you would like to ask John about MYHSM, Payment HSM as a Service or his role, please email info@myhsm.com.