PIN Security and Key Management Program

Safeguarding Visa, Plus and Interlink PIN Transactions

The Visa® PIN Security and Key Management Program is a global program designed to support all participants in the acquiring transaction processing chain in maintaining the highest level of Personal Identification Number (PIN) security. The confidentiality of cardholder PINs accepted and processed at Point-of-Sale (“POS”) PIN-Entry Devices (“PEDs”) and ATMs depends on all payment system participants complying with the applicable Payment Card Industry (PCI) PIN Security Requirements, PCI PIN-Entry Device Security Requirements, PCI Encrypting PIN Pad Security Requirements and Visa requirements.

Compliance with these requirements ensures the secure transmission of cardholder PINs during transaction processing at ATM and point-of-sale (POS) PIN-entry devices (PEDs). The PCI PIN Security Requirements complement the PCI Data Security Standard (DSS) for entities that accept or process PIN transactions at POS terminals and ATMs. PIN-accepting entities must be fully compliant with the PCI PIN and PED Security Requirements.

PIN Security Program and Key Management compliance basics

Visa has worked with many client financial institutions, as well as industry standards organizations, to create security standards for the protection of PINs accepted at ATM and POS PEDs. Payment system participants, processors, ATM deployers, acquirers, merchants and their agents that process and/or accept cardholder PINs and manage encryption keys must be in full compliance with the PCI PIN Security Requirements. Additionally, all payment system participants, acquirers and their agents must comply with Visa’s Triple DES (TDES) and PED testing requirements.

PIN Security and Key Management Compliance Framework

Visa has implemented a PIN Security and Key Management compliance framework within its regions, which establishes global validation requirements for PIN-accepting and PIN-processing entities. This framework establishes a risk-based approach to identify program participants and validation levels for the ATM and POS acceptance channels, together with common validation requirements comprising on-site PIN security field reviews conducted by Visa or a delegated entity and the submission of PIN security self-attestations.

PIN Entry Devices and Best Practices

The PCI Security Standards Council (PCI SSC) is a global, open industry standards body that manages the PIN Transaction Security (PTS) Point of Interaction (POI) Security Requirements. The PTS requirements provide a single set of modular evaluation requirements for all PIN-accepting Point of Interaction terminals. The listing of PCI-approved PTS devices and other information is available from the Council’s website at www.pcisecuritystandards.org. The PCI SSC has developed a document entitled Skimming Prevention: Best Practices for Merchants, available at https://www.pcisecuritystandards.org/education/info_sup.shtml. This document was created to assist and educate merchants regarding security best practices for defending against skimming attacks.

Triple Data Encryption Standard (TDES) Global Mandates

Visa has established end-to-end mandates for TDES usage to protect online PIN-based transactions processed within POS, ATM and host systems. These PCI PIN Security requirements are based on international standards, which have identified the need to migrate from the Data Encryption Standard (“DES”) to the Triple Data Encryption Standard (“TDES”). Effective July 1, 2010, all Interlink-accepting point-of-sale PIN acceptance devices and host systems must use TDES.

In August 2005, Visa announced end-to-end requirements for the use of TDES to protect online and offline PIN-based transactions processed within Point-of-Sale (“POS”) and host systems. Since 2003, many payment system participants, agents, merchants and processors have deployed TDES-capable POS PEDs and have started using TDES with at least double-length keys to protect PINs. This requirement ensures the continued protection of PIN-based transactions. To protect all payment system participants and the Visa payment system, it is essential that acquirers and their agents, merchants and processors finalize implementation plans for the migration to TDES as quickly as possible.

On April 22, 2009, Visa published a Visa Business News article entitled "Update on Visa's Compliance Policy to Facilitate Triple Data Encryption Standard Usage." All POS PIN-accepting and PIN-processing payment system participants should review Visa's updated enforcement policy for TDES usage at both attended and unattended POS PIN-Entry Devices.

Visa PCI PIN Security and Key Management Training Sessions

Visa is offering a series of one-day Visa Key Management Training sessions as well as a three-day Visa PIN Security Compliance Validation Training session that provide up-to-date information on the secure management of cryptographic keys used in ATMs, point-of-sale (POS) PIN pads, encrypting PIN pads and hardware security modules.

Best Practices for Issuer PIN Security

Acquirer PIN security requirements for the secure management, processing and transmission of PINs during online and offline payment card transaction processing at ATMs and at attended and unattended point-of-sale (POS) terminals are provided in the PCI PIN Security Requirements. Cardholder PIN entry in the acquirer domain should be performed using PEDs or EPPs in accordance with the payment-system brand requirements that relate to the PCI PTS Program.

The Issuer PIN Security Guidelines manual is designed to provide PIN security guidelines for all payment accounts that use a PIN, including those associated with magnetic stripe cards, chip cards, ‘hybrid’ cards that incorporate both a magnetic stripe and a chip, or any other cardholder payment device form factor. These guidelines were derived from existing Visa and MasterCard documentation and finalized in this version by representatives of the two payment-system brands. Payment-system brand rules that relate to topics in this document supersede any guidelines on those topics.

Visa’s Global PIN Entry Device Testing Requirements

  • Effective 1 January 2004, all newly deployed attended POS PIN acceptance device models (including replacement devices) must have passed testing by a PCI-recognized laboratory and be approved by PCI for new deployments.
  • Effective 1 October 2005, all newly deployed EPPs, including replacements or those in newly deployed ATMs, must have passed testing by a PCI-recognized laboratory and be approved by PCI for new deployments.
  • Effective 1 October 2007, all newly deployed unattended POS PIN acceptance devices must contain an EPP that has passed testing by a PCI-recognized laboratory and is approved by PCI for new deployments, and, if used for offline PIN acceptance, a laboratory-validated and PCI-approved secure smart card reader.
  • Effective 1 July 2010, all attended POS PIN acceptance device models must have passed testing by a PCI-recognized laboratory and have been approved by Visa or PCI.
  • Effective 31 December 2014, all pre-PCI POS PIN acceptance devices (devices designed and tested earlier than the PCI POS PED version 1.x specifications) used in an attended (face-to-face) environment are to be replaced by devices that are PCI-approved for deployment at the time of deployment.

Pre-PCI Approved PIN-Entry Devices (Note: for a listing of PCI PIN Transaction Security approved devices, go to www.pcisecuritystandards.org)

For more information

To learn more about the Visa PIN Security and Key Management Program, including PIN entry device compliance and testing mandates, please visit www.visa.com/pinsecurity or email pinusa@visa.com.