The PCI Security Standards Council (PCI SSC) has announced that the Council is expanding the PTS standards to encompass the PCI PIN Security Requirements, formerly administered by Visa and MasterCard, to provide organizations with one set of criteria for the protection of PIN data.
After officially taking over management of the requirements earlier this year, the PCI SSC solicited feedback from the PCI community to make updates to the standard. Today’s release contains a complete set of requirements for the secure management, processing and transmission of personal identification number (PIN) data at ATMs, and attended and unattended point-of-sale (POS) terminals. The PIN Security Requirements will be included in current PTS security requirements.
The updated PTS program requirements and detailed listing of approved devices are available on the Council’s website here.
“Point of sale continues to be a security hotspot as criminals are using more advanced techniques to steal PIN and cardholder data,” said Bob Russo, general manager of the PCI Security Standards Council. “The requirements are specifically geared toward protecting not just the devices that accept PINs but also the people and processes surrounding them.”
The PCI PIN Security Requirements provide one set of criteria for protection of personal identification number (PIN) data. For merchants, examples of common vulnerabilities for PIN theft that the requirements address include:
- PINs that are not protected by a secure PIN block
- Failure to use approved cryptographic devices for PIN processing
- Cryptographic keys that are non-random, not unique, and never change
- Few, if any, documented PIN-protection procedures
- Audit trails or logs that are not maintained
“With this addition to the PTS requirements, we hope to strengthen POS security at merchants around the globe,” noted Russo.
The Council will also host a Webinar for Participating Organizations and the public outlining the newest updates to the PIN Transaction Security program, including the PIN Security Requirements, followed by a live Q&A session.
Register for the November 8 session here.
Register for the November 10 session here.