PCI PIN: Replace Your Assessor after Two Assessment Cycles

6. October 2022

As the successor to the VISA PIN Security Requirements valid until 2019, the PCI PIN Security Standard PCI PIN Security Standard includes security requirements for the protection of Personal Identification Numbers (PINs), which are used to confirm the identity of a credit card holder during the payment process.

The requirements are aimed at secure management, processing, and transmission of PINs in online and offline transactions at ATMs as well as at supervised and unsupervised payment terminals (e.g., ticket vending machines) and must be met by all organizations that accept or process transactions from ATMs or point-of-sale terminals on the acquiring side. The standard is thus aimed in particular at banks, payment providers and network operators.

To successfully demonstrate PCI PIN compliance, affected companies are required to have an audit performed by an accredited Qualified PIN Assessor (QPA) every two years. During such an audit, certified and specially trained assessors identify deviations from the standard in the company by means of interviews, document reviews and technical tests.

Important: Companies subject to certification must change their PIN assessor regularly

In its VISA PIN Security Program Guide, VISA formulates some basic requirements for PIN security. These include the rule that companies subject to certification must replace their QPA Company after two consecutive assessment cycles at the latest. This practice is intended to help ensure that security assessments are conducted objectively and thoroughly on a permanent basis.

How can we help?

usd AG is officially accredited by the PCI SSC as a Qualified PIN Assessor. We are also happy to offer you combined audits in conjunction with other PCI standards (for example P2PE). Contact us - we will support you with your PCI certification project.

Also interesting:

DORA Deep Dive: Threat-Led Penetration Testing (TLPT)

DORA Deep Dive: Threat-Led Penetration Testing (TLPT)

The Digital Operational Resilience Act (DORA) will apply as of January 17, 2025. In addition to routine operational resilience testing, DORA will also make it mandatory for certain financial companies to carry out threat-led penetration testing (TLPT) every three...

Security Advisory on Gambio

Security Advisory on Gambio

The pentest professionals at usd HeroLab examined the online shop software Gambio during their pentests. The software offers merchants various functions that support the management of inventory and orders. Our professionals discovered a vulnerability in the password...

Categories

Categories