PIN Security and Key Management Program

Welcome to the Visa® PIN Security and Key Management website. The information on this site describes Visa's global program, designed to support all participants in the acquiring transaction processing chain in maintaining the highest level of Personal Identification Number (PIN) security. The confidentiality of cardholder PINs accepted and processed at Point-of-Sale ("POS") PIN-Entry Devices ("PEDs") and Automated Teller Machines ("ATMs") depends on all payment system participants doing their part in implementing and maintaining the applicable Payment Card Industry (PCI) PIN Security Requirements, PCI Point of Interaction (POI) Modular Security Requirements and Visa Requirements.

Adhering to these requirements ensures the secure transmission of cardholder PINs during transaction processing at ATMs and point-of-sale (POS) PIN-entry devices (PEDs). For entities that accept or process PIN transactions at POS and ATMs, the PCI PIN Security Requirements complement the PCI Data Security Standard (DSS), further enhancing the security of your cardholder environment.

This website contains timely news articles about PIN topics as well as Important Visa PIN Information for anyone involved with PIN processing.

If you have any questions pertaining to PIN security at Visa, contact your regional Visa Risk System Representative or send an email to pin@visa.com.

NEWS

Visa Adopts New Industry-Wide PCI PIN Security Requirements

Effective 1 July 2012, Visa will retire its current PIN security requirements and adopt the new PCI PIN Security Requirements, Version 1.0 (September 2011), an industry-wide standard for the secure management, processing and transmission of PIN data at ATMs and at attended and unattended point-of-sale (POS) terminals. Relevant information that accompanies the PCI PIN Security Requirements includes:

For information on the newly adopted PCI PIN Security Requirements, compliance dates or processes, contact your regional Visa risk representative.

Important Visa PIN Information

PIN Security Program and Key Management Compliance Basics

Visa is committed to maintaining the highest level of protection for cardholder PINs during transmission and transaction processing. Compliance with PIN requirements increases PIN security for merchants, financial institutions and all payment participants, and it maintains the confidence and integrity of a secure payment-processing environment. Payment system participants, processors, ATM deployers, acquirers, merchants and their agents that process and/or accept cardholder PINs and manage encryption keys must be in full compliance with the PCI PIN Security Requirements. Additionally, all payment system participants, acquirers and their agents must comply with Visa's Triple DES (TDES) and PCI Point of Interaction (POI) requirements.

PIN Security and Key Management Compliance Framework

Visa has implemented a PIN Security and Key Management compliance framework within its regions, which establishes global validation requirements for PIN-accepting and PIN-processing entities. The framework establishes a risk-based approach to identify program participants and validation levels for the ATM and POS acceptance channels, together with common validation requirements consisting of on-site PIN security field reviews and the submission of PIN security self-attestations.

Visa Mandates for Triple Data Encryption Standard (TDES) Implementation – US
Contact your regional Visa risk representative to identify mandates specific to your region.

Visa has established end-to-end mandates for TDES usage to protect online PIN-based transactions processed within POS, ATM and host systems. These PCI PIN Security requirements are based on international standards, which have identified the need to migrate from the Data Encryption Standard ("DES") to the Triple Data Encryption Standard ("TDES"). Effective July 1, 2010, all Interlink-accepting point-of-sale PIN acceptance devices and host systems must use Triple Data Encryption Standard ("TDES").

In August 2005, Visa announced end-to-end requirements for the use of TDES to protect online and offline PIN-based transactions processed within Point-of-Sale ("POS") and host systems. Since 2003, many payment system participants, agents, merchants and processors have deployed TDES-capable POS PEDs and have started using TDES with at least double-length keys to protect PINs. This requirement ensures the continued secure protection of PIN-based transactions. To protect all payment system participants and the Visa payment system, it is essential that acquirers and their agents, merchants and processors finalize implementation plans for the migration to TDES as quickly as possible.

On April 22, 2009, Visa published a Visa Business News article entitled "Update on Visa's Compliance Policy to Facilitate Triple Data Encryption Standard Usage". All POS PIN-accepting and PIN-processing payment system participants should review Visa's updated enforcement policy for TDES usage at both attended and unattended POS PIN Entry Devices.

Visa Mandates for PIN Entry Devices – US
Contact your regional Visa risk representative to identify mandates specific to your region.

  • Effective 1 January 2004, all newly deployed attended POS PIN acceptance device models (including replacement devices) must have passed testing by a PCI-recognized laboratory and be approved by PCI for new deployments.
  • Effective 1 October 2005, all newly deployed EPPs, including replacements or those in newly deployed ATMs, must have passed testing by a PCI-recognized laboratory and be approved by PCI for new deployments.
  • Effective 1 October 2007, all newly deployed unattended POS PIN acceptance devices must contain an EPP that has passed testing by a PCI-recognized laboratory and is approved by PCI for new deployments, and, if used for offline PIN acceptance, a laboratory-validated and PCI-approved secure chip card reader.
  • Effective 1 July 2010, all attended POS PIN acceptance device models must have passed testing by a PCI-recognized laboratory and have been approved by Visa or PCI.
  • Effective 31 December 2014, all pre-PCI POS PIN acceptance devices (devices designed and tested earlier than the PCI POS PED version 1.x specifications) used in an attended (face-to-face) environment are to be replaced by devices that are PCI-approved for deployment at the time of deployment.

Know What is Secure - Approved PIN Acceptance Device List

The PCI Security Standards Council (PCI SSC) is a global, open industry standards body that manages the PCI SSC's PIN Transaction Security (PTS) Point of Interaction (POI) Security Requirements. The PTS program provides a single set of modular evaluation requirements for all PIN acceptance Point of Interaction terminals. The list of PCI-approved PTS devices and other information are available from the Council's website at www.pcisecuritystandards.org.

Knowledge is Your Best Defense - Visa PIN Security and Key Management Training Sessions

Visa is offering a series of one-day Visa Key Management Training sessions, as well as a three-day Visa PIN Security Compliance Validation Training session, that provide up-to-date information on the secure management of cryptographic keys used in ATMs, point-of-sale (POS) PIN pads, encrypting PIN pads and hardware security modules.

Don't Be A Victim of Card Skimming - PIN Entry Devices and Best Practices

The PCI SSC has developed a document entitled "Skimming Prevention: Best Practices for Merchants". This document assists and educates merchants regarding security best practices and defenses against skimming attacks.

Best Practices for Issuer PIN Security

The Issuer PIN Security Guidelines manual provides PIN security guidelines for all payment accounts that use a PIN, including those associated with magnetic stripe cards, chip cards, "hybrid" cards that incorporate both a magnetic stripe and a chip, or any other cardholder payment device form factor. Please note: Visa brand rules that relate to topics in this document supersede any guidelines on those topics.

Acquirer PIN security requirements for the secure management, processing and transmission of PINs during online and offline payment card transaction processing at ATMs and at attended and unattended point-of-sale (POS) terminals are provided in the PCI PIN Security Requirements. Cardholder PIN entry in the acquirer domain should be performed using approved devices listed on the PCI website and in accordance with the Visa requirements that relate to the PCI PTS Program.