WAKEFIELD, Mass. (12/23/14)--The Payment Card Industry (PCI) Security Standards Council has released v2.0 of PIN Security Requirements.
The document contains a complete set of requirements for the secure management, processing and transmission of personal identification number (PIN) data at ATMs and at attended and unattended point-of-sale (POS) terminals.
PCI PIN Security Requirements v2.0 aims to enhance usability and understanding by stating the requirements in a more granular manner, the council said.
The update includes incorporation of testing procedures into the requirements, which resulted in two versions of the document--PCI PIN Security Requirements v2.0 and PCI PIN Security Requirements and Test Procedures v2.0. The council said that including testing procedures in a separate version will facilitate a smoother evaluation and deeper understanding of the requirements.
The council has also published a Summary of Significant Changes document that provides a high-level look at the modifications to the requirements.
Examples of common vulnerabilities for PIN theft addressed by the requirements include:
PINs that are not protected by use of a secure PIN block;
Failure to use approved cryptographic devices for PIN processing;
Cryptographic keys that are not random and not unique to each point of interaction device, and keys that never change;
Few, if any, documented PIN-protection procedures; and
Audit trails or logs that are not maintained.
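The first item on that list, a PIN that is "protected by use of a secure PIN block", refers to the ISO 9564-1 PIN block: before the PIN is encrypted inside an approved cryptographic device, it is padded and combined with part of the card's primary account number (PAN), so the same PIN on two different cards never yields the same block. The following Python example is added here to illustrate that construction; it is not code from the PCI Security Standards Council or from the requirements document. It implements only ISO 9564-1 format 0 (the clear-text block that a secure cryptographic device would then encrypt under its unique device key), and the PIN and PAN values used are constructed for the example.

```python
"""ISO 9564-1 format 0 PIN block formation and recovery (added example)."""


def _pin_field(pin: str) -> bytes:
    """Build the 8-byte PIN field: control nibble 0, PIN length, PIN digits, F padding."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 decimal digits")
    hex_str = f"0{len(pin):X}{pin}".ljust(16, "F")  # 16 hex digits = 8 bytes
    return bytes.fromhex(hex_str)


def _pan_field(pan: str) -> bytes:
    """Build the 8-byte PAN field: four zero nibbles, then the rightmost 12 PAN
    digits excluding the Luhn check digit (the final digit)."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 digits")
    digits = pan[-13:-1]
    return bytes.fromhex("0000" + digits)


def format0_pin_block(pin: str, pan: str) -> bytes:
    """Clear-text format 0 PIN block = PIN field XOR PAN field.

    Binding the block to the PAN is what makes it 'secure' in the sense the
    requirements use: an identical PIN on two cards produces two different blocks,
    so an encrypted block from one card cannot simply be replayed for another.
    """
    return bytes(a ^ b for a, b in zip(_pin_field(pin), _pan_field(pan)))


def recover_pin(block: bytes, pan: str) -> str:
    """Reverse the XOR with the PAN field and validate the format 0 layout.

    In a real system this only ever happens inside an approved cryptographic
    device after decryption; it is shown here to demonstrate the structure."""
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    pin_field = bytes(a ^ b for a, b in zip(block, _pan_field(pan)))
    hx = pin_field.hex().upper()
    if hx[0] != "0":
        raise ValueError("not a format 0 PIN block")
    length = int(hx[1], 16)
    if not 4 <= length <= 12:
        raise ValueError("invalid PIN length nibble")
    pin = hx[2:2 + length]
    if not pin.isdigit() or hx[2 + length:] != "F" * (14 - length):
        raise ValueError("malformed PIN block (wrong PAN or corrupted data)")
    return pin


if __name__ == "__main__":
    # Constructed sample values; the PAN is not a real card number.
    sample_pin, sample_pan = "1234", "4321567890123456"
    blk = format0_pin_block(sample_pin, sample_pan)
    print("format 0 block:", blk.hex().upper())
    print("recovered PIN:", recover_pin(blk, sample_pan))
    # Same PIN, different PAN -> different block.
    print("other card:", format0_pin_block(sample_pin, "4321567890120005").hex().upper())
```

The clear block produced here is never transmitted as-is; the requirements call for it to be encrypted inside an approved secure cryptographic device under a key that is random, unique to that device and rotated, which is exactly the point of the remaining items on the list above.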
"Criminals are actively targeting the point of sale and it's up to us as a community to stop them in their tracks," said Stephen W. Orfei, general manager of PCI Security Standards Council. "The requirements enhance the protection of devices that accept PINs with the end goal of securing cardholder data at the POS."
PIN Security Requirements is included in the current PIN Security Transaction security requirements. Program requirements and a list of approved devices are available for download.