PCI PIN Security: v3.0 and QPA Program Now in Effect

As of last week—October 1 to be exact—all new assessments for protection of payment card personal identification number (PIN) data must be performed against the latest Payment Card Industry (PCI) PIN Security Requirements and Testing Procedures, version 3.0.

The now-effective PCI PIN Security Standard includes changes to requirements and sunset dates that may have a significant effect on entities that accept, process or transmit PIN. In addition, the assessor program has now transitioned from the Visa Security Assessor (SA) to the PCI Qualified PIN Assessor (QPA) program.

So, what do these changes mean for you?

PCI QPA Program and Reporting Changes

While Visa still manages the list of validating PIN participants on the Visa Global Registry of Service Providers, and entities must comply with brand rules regarding the frequency of their assessments, the management of the PIN standard itself and assessor training/oversight now falls to the PCI Security Standards Council.

About Qualified PIN Assessors
New QPA employees (including previous CTGA and Visa SA assessors) must undergo in-person, multi-day training and testing by PCI to the new standard in order to perform PIN 3.0 assessments. Furthermore, QPA companies must have in place sufficient insurance coverage and quality assurance processes, similar to requirements for QSA companies for PCI DSS, as well as apply for acceptance into the QPA program.

Furthermore, the reporting structure has been modified to support the use of compensating control worksheets (CCWs), which aid entities and their assessors in completing a compliant PIN Report on Compliance (ROC), especially where legacy systems may prevent strict compliance to the standard as written.

Current in-flight assessments to PCI PIN 2.0 may be completed by December 31 by an existing Visa SA, with approval from Visa, but effective January 1, 2020 all submissions must be under the latest version of PIN and conducted by a certified QPA in good standing.

PCI PIN 3.0 Standard Changes
The PCI PIN 3.0 standard does not depart significantly from the 2.0 standard that was initially published in 2014. The most impactful changes are in the following areas, which signify deprecation of processes and systems that are no longer considered secure for processing of keys and PINs:

Out with the Old

To achieve PCI PIN v3.0 compliance, and ensure better PIN security, your organization must migrate away from the technologies and outdated processes described below:

• Multi-Purpose PCs: Previous versions of PIN data did not allow the use of multi-use computing systems for key generation, but they did allow these systems to operate in a secure room for key injection. Version 3.0 further clarifies that only secure cryptography devices (SCDs) may be used for key generation, and that multi-purpose PCs are no longer allowed for key injection as of January 1, 2021. (Cf. 6-2, Annex B 32-9)
• Clear-Text Key Injection: Perhaps the biggest change to the standard, effective January 1, 2021, is that key injection facilities (KIFs) will no longer be allowed to perform clear-text key injection, and must ensure their key loading devices (KLDs) and point of interaction (POI) devices are ready to support encrypted key loading, key negotiation or remote key injection. Entities that perform their own key injection have until 2023 to prepare for this new requirement. (Cf. Annex B 13-9, Annex B 32-9)
• Fixed-Key TDES: As of January 1, 2023, all ATM and POS devices that encrypt PIN using TDES must not use a fixed (non-rotating) encryption key. This deprecation of fixed-key methodologies will have a significant impact on legacy ATMs and may require extensive device updates to avoid non-compliance. (Cf. 2-3)
• Keyboards for Key Loading: While most assessors have correctly interpreted the requirement for clear-text key loading to occur using only an SCD keypad, some have allowed the use of a non-SCD keyboard in the past. The new standard makes it clear that this is not allowable, as a traditional keyboard could be subject to undetected key interception through the use of skimmers. (Cf. 13-2)

In with the New

Additionally, the new standard includes “sunrise” dates for certain technologies, which must be put in place to support future capabilities necessary for protecting PIN data:

• Logging Requirements: An additional logging requirement for all key management access slipped into the standard, which may catch some entities by surprise. The new requirement is the inclusion of the signature of a witness that is not a custodian for that particular key or key component (Cf. Annex B 26-1). Also, POIs and SCDs access logs must now include certain fields that were not formerly specified, such as purpose, serial number and tamper-evident bag number. (Cf. 29-1.1.1)
• Key Block: The concept of key blocking (or key wrapping) was originally introduced in 2005 as part of ANSI X9 TR-31, to ensure keys are exchanged and stored in such a way as to protect their integrity and usage. The use of key blocks is now being enforced by the brands in a phased sunrise: As of June 1, 2019, service providers have been required to implement key blocks where keys are transmitted and stored internally, e.g., between and within hardware security modules (HSMs), applications and databases. Service providers must now prepare to implement key blocks for all external connections by June 1, 2021; and merchants must support key blocks on ATMs and POS devices by June 1, 2023. (Cf. 18-3)
• PIN Block: Hosts that decrypt PIN must prepare to support ISO-4 PIN block (using the AES algorithm) by 2023 and ensure that this format is also supported for encryption operations by 2025.  While merchants do not need to update their PIN Transaction Security (PTS) POI devices to support this format, the use of AES is recommended for new device deployments where feasible. (Cf. 2-3, 4-1)

We’ve Got Your Back

Is your organization ready to migrate from fixed-key, clear-text key injection, and multi-purpose PCs? Are your HSMs and other SCDs prepared to support key block and ISO-4 PIN block? Have you checked to ensure that your PIN assessor is certified to the QPA program and is being rotated at least every two assessments per Visa guidance?

PIN security is a lot to keep up with, but ControlScan has your back! Contact our Security Consulting Services PIN assessor team for help in planning your migration and to receive a no-obligation quote for your next PIN assessment.