John Cragg, CEO of MYHSM, writes for Payment Expert on the evolving landscape for security and compliance, specifically when it comes to PIN requirements.
The importance of security and compliance in the payments ecosystem cannot be overstated, and both must always be adhered to. Yet understanding the complexity of the various security standards is not something to be taken lightly, and because regulatory compliance is constantly evolving, navigating it can be a major undertaking.
PCI Security was introduced to set out the multiple security standards and resources that protect cardholder data throughout the world. Implementing these standards requires specific expertise and knowledge.
We often hear the term PCI DSS, which stands for ‘Payment Card Industry Data Security Standard’ and refers to a set of standards applicable to data centres that process or handle cardholder data, particularly the Primary Account Number (PAN). PCI DSS does not, however, protect PIN blocks, so a PIN could still be compromised. Specific standards have therefore been developed to protect this critical element: the PCI PIN Security Requirements, which are more stringent than PCI DSS. The PCI PIN Security Requirements are intended for all issuers and acquirers, and for any other company that processes electronic payments and is responsible for PIN transaction processing.
Here we delve a little deeper into the PCI PIN Security Requirements and explore how compliant service providers can help financial institutions achieve the standard themselves:
What are PCI PIN Security Requirements and why do you need to adhere to them?
The PCI PIN Security Requirements outline a set of standards for the secure management, processing and transmission of PIN (Personal Identification Number) data during online and offline card transactions. The requirements ensure that a cardholder’s 4-digit PIN (or 6-digit PIN in some countries) remains encrypted throughout the whole payments system, so its confidentiality is protected at all times. The PIN is the main credential used to identify and authenticate the customer when completing a transaction, and at no point during the payments process should the PIN be exposed.
The PIN is an extremely sensitive piece of unique data: if it is compromised along with the associated card details, fraudulent activity can occur, resulting in financial loss. Attacks on insecure and outdated payment terminals are also increasing, so the standards are crucial.
The PCI PIN Security Requirements outline the procedures and equipment required to achieve the highest level of encryption. One critical element required for securing the encryption and the PINs is the use of Payment HSMs, and these need to be used and managed in the right way.
Payment HSMs are used for functions such as key management and encryption of sensitive data. During each stage of the payments process the PIN is encrypted with a different key. Therefore, the requirements relate to:
- Key management and the cryptographic keys used for PIN encryption and decryption, ensuring these are handled in an approved secure manner, including generating, storing and destroying the keys.
- Procedures to detect and manage security events such as compromised keys. These procedures, roles and responsibilities must be documented, recorded, regularly reviewed and audited.
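As an added illustration (not part of the original article), the following Python sketch shows what “encrypted at every stage with a different key” means in practice: the PIN is formatted into an ISO 9564-1 format 0 PIN block, encrypted under the first zone’s key, and translated to the next zone’s key inside a simulated HSM boundary, so the clear PIN never appears outside it. The PAN, PIN and key names are constructed sample values, and the XOR keystream “cipher” is a stand-in for the TDES/AES a real Payment HSM would use.

```python
import hashlib

def pan_block(pan: str) -> bytes:
    # ISO 9564-1 format 0: "0000" + rightmost 12 PAN digits, excluding the check digit
    if len(pan) < 13 or not pan.isdigit():
        raise ValueError("PAN must be at least 13 digits")
    return bytes.fromhex("0000" + pan[-13:-1])

def encode_pin_block(pin: str, pan: str) -> bytes:
    # Clear block: format nibble 0, PIN length nibble, PIN digits, F padding; then XOR with PAN block
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4-12 digits")
    plain = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    return bytes(a ^ b for a, b in zip(plain, pan_block(pan)))

def decode_pin_block(block: bytes, pan: str) -> str:
    # Reverse the PAN XOR and validate the format before trusting the digits
    plain = bytes(a ^ b for a, b in zip(block, pan_block(pan))).hex().upper()
    n = int(plain[1], 16)
    pin, pad = plain[2:2 + n], plain[2 + n:]
    if plain[0] != "0" or not (4 <= n <= 12) or not pin.isdigit() or pad != "F" * len(pad):
        raise ValueError("malformed format 0 PIN block")
    return pin

def _keystream(key: bytes) -> bytes:
    # Constructed stand-in for the TDES/AES block cipher inside a Payment HSM; not for real use
    return hashlib.sha256(key).digest()[:8]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(block, _keystream(key)))

decrypt_block = encrypt_block  # the XOR stand-in is its own inverse

def hsm_translate(block_in: bytes, pan: str, key_in: bytes, key_out: bytes) -> bytes:
    # Simulated HSM boundary: the clear PIN block exists only inside this function.
    clear = decrypt_block(key_in, block_in)
    decode_pin_block(clear, pan)  # reject garbage before re-encrypting under the next key
    return encrypt_block(key_out, clear)

if __name__ == "__main__":
    # Constructed values: a terminal PIN key for the terminal-to-acquirer leg, a zone key for the next leg
    pan, tpk, zpk = "4000001234567899", b"terminal-pin-key", b"acquirer-zone-key"
    at_terminal = encrypt_block(tpk, encode_pin_block("1234", pan))  # what leaves the terminal
    to_network = hsm_translate(at_terminal, pan, tpk, zpk)           # acquirer HSM re-keys it
    print(at_terminal.hex(), "->", to_network.hex())
```

Each leg of the journey sees a different ciphertext, and only the HSM that holds both keys ever handles the clear block.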
How do you become PCI PIN compliant?
Firstly, in order to become compliant with the PCI PIN Security Requirements you have to acquire Payment HSMs, and it’s important to note that general-purpose HSMs do not support the specific cryptographic functions required. Your Payment HSM needs to be certified to PCI HSM or FIPS 140-2 Level 3 or higher.
The PCI PIN Security Requirements comprise 33 requirements, categorised under seven control objectives. In order to prove PCI PIN compliance, an onsite assessment will need to be conducted by a Qualified PIN Assessor (QPA). The onsite assessment would generally include the following:
- Gap analysis – assessing the existing procedures and processes in place, including a review of your environment, equipment and security controls.
- Remediating any gaps outlined by the QPA.
- PCI PIN assessment – an onsite review to validate the PIN requirements, which can include interviews and reviews of network diagrams, processes, policies and procedures.
- An internal QA review process before the PCI PIN Report on Compliance (ROC) and Attestation of Compliance (AOC) are issued, which can then be shared with other entities.
How can compliant service providers help?
Using a compliant service provider to host and manage certified Payment HSMs can significantly reduce the scope and responsibilities of achieving the PCI PIN Security Requirements. The client saves valuable time, resources and costs, all of which are essential to any financial organisation seeking competitive advantage, and in particular to fintech start-ups that need a helping hand to enter the hyper-competitive payments landscape.
To be more specific, the benefits of using a PCI PIN certified service include:
- Simplified audits – the service provider’s AOC will dramatically reduce the auditor’s questions that must be answered by the security team, so audits become less onerous.
- Payment HSM skills are specialised and difficult to maintain when only rarely practised, so outsourcing HSM security to an expert service that works with HSMs every day can enhance security.
- The manual processes of configuring an HSM, establishing a security team, and writing the policies and procedures required for certification and audit are all time consuming. Using a service avoids these, so the time to market of the payment solution can be substantially reduced.
It is also important to note that achieving PCI PIN is not a one-off tick-in-the-box activity but a continuous cycle of events. The recertification process happens every 24 months, but throughout the year standards and procedures have to be documented and evidenced. And what happens if you are not compliant?
In short, you risk losing all trust and credibility, both of which are vitally important for established financial institutions and for fintechs starting out and trying to acquire new customers. If your business is not compliant you could also face financial penalties, and future investment may be hard to come by. Is it worth cutting corners? Certainly not, and by working with a service provider you don’t have to. Let them take the strain and burden.