PCI PIN Security Audit

The PCI PIN security requirements are complex: meeting them requires a good understanding of the payment network, PIN, and key management, as well as experience in performing detailed reviews of PCI security audits. Any entity or merchant that accepts and processes Visa, Plus or Interlink PINs is required to comply with the PCI PIN Security Requirements and applicable PCI PED usage requirements. The PCI PIN Security Program includes the following control objectives:

  • Secure Equipment: PINs used in transactions governed by these requirements are processed using equipment and methodologies that ensure they are kept secure.
  • Secure Key Creation: Cryptographic keys used for PIN encryption/decryption and related key management are created using processes that ensure that it is not possible to predict any key or determine that certain keys are more probable than other keys.
  • Secure Key Transmission: Keys are conveyed or transmitted in a secure manner.
  • Secure Key Loading: Key loading to hosts and to PIN entry devices is handled in a secure manner.
  • Unauthorized Usage: Keys are used in a manner that prevents or detects their unauthorized usage.
  • Secure Key Management: Keys are administered in a secure manner.
  • Equipment Management: Equipment used to process PINs and keys is managed in a secure manner.

Let our experts at Unified Security help to build the right solution for your needs.
© Unified Security 2017. All rights reserved.