The Payment Card Industry Security Standards Council has released v2.0 of the PIN Security Requirements, according to a PCI SSC news release.
The standard contains a complete set of requirements for the secure management, processing and transmission of personal identification number (PIN) data at ATMs and at attended and unattended point-of-sale terminals.
PCI PIN Security Requirements v2.0 aims to enhance usability and understanding by stating the requirements in a more granular manner, the council said.
Of note is the incorporation of test procedures into the requirements, which resulted in two versions of the document: PCI PIN Security Requirements v2.0 and PCI PIN Security Requirements and Test Procedures v2.0. The council said that publishing the test procedures in a separate version will facilitate a smoother evaluation and a deeper understanding of the requirements.
The council also has published a Summary of Significant Changes document that provides a high-level look at the significant modifications to the requirements.
Examples of common vulnerabilities leading to PIN theft that the requirements address include:
- PINs that are not protected by use of a secure PIN block;
- failure to use approved cryptographic devices for PIN processing;
- cryptographic keys that are non-random and non-unique to each POI device, and keys that never change;
- few, if any, documented PIN-protection procedures; and
- audit trails or logs that are not maintained.
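The first item above refers to formatting the PIN into a secure PIN block before it is encrypted. The following is an added illustration, not text or code from the PCI SSC or from the ATMmarketplace article, of the ISO 9564-1 Format 0 PIN block, which binds the PIN to the cardholder's PAN so that the same PIN on two different cards produces two different blocks. The PIN and PAN values are constructed test data; in a real terminal the resulting block is encrypted under a device-unique key inside an approved secure cryptographic device, a step this example deliberately omits.

```python
"""ISO 9564-1 Format 0 PIN block: encode, decode and sanity-check.

Format 0 (also called ISO-0 or ANSI X9.8) builds two 16-nibble fields and
XORs them:
  PIN field: control nibble 0, PIN length, PIN digits, padded with 0xF
  PAN field: 0000 followed by the rightmost 12 PAN digits, excluding the
             Luhn check digit
The XOR with the PAN is what stops a fixed PIN from yielding a fixed block.
"""

# Constructed test values; they are not real card data.
SAMPLE_PAN = "4321987654321098"
SAMPLE_PIN = "1234"


def pan_field(pan: str) -> bytes:
    """Return the 8-byte PAN field for ISO Format 0."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 decimal digits")
    # Drop the check digit, then keep the 12 rightmost remaining digits.
    twelve = pan[:-1][-12:]
    return bytes.fromhex("0000" + twelve)


def pin_field(pin: str) -> bytes:
    """Return the 8-byte PIN field: 0 | len | PIN | F-padding."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 decimal digits")
    padded = f"0{len(pin):X}{pin}".ljust(16, "F")
    return bytes.fromhex(padded)


def encode_pin_block(pin: str, pan: str) -> bytes:
    """Build the 8-byte ISO Format 0 PIN block (clear, not yet encrypted)."""
    return bytes(a ^ b for a, b in zip(pin_field(pin), pan_field(pan)))


def decode_pin_block(block: bytes, pan: str) -> str:
    """Recover the PIN from a clear Format 0 block, validating its structure."""
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    clear = bytes(a ^ b for a, b in zip(block, pan_field(pan))).hex().upper()
    if clear[0] != "0":
        raise ValueError("not a Format 0 block (control nibble is not 0)")
    length = int(clear[1], 16)
    if not 4 <= length <= 12:
        raise ValueError("invalid PIN length nibble")
    pin, padding = clear[2:2 + length], clear[2 + length:]
    if not pin.isdigit() or padding != "F" * len(padding):
        raise ValueError("PIN block is malformed (bad digits or padding)")
    return pin


def pan_binding_holds(pin: str, pan_a: str, pan_b: str) -> bool:
    """True if the same PIN yields different blocks for two different PANs.

    This is the property the 'secure PIN block' requirement relies on: a
    block captured from one card cannot simply be replayed for another.
    """
    return encode_pin_block(pin, pan_a) != encode_pin_block(pin, pan_b)


if __name__ == "__main__":
    block = encode_pin_block(SAMPLE_PIN, SAMPLE_PAN)
    print("PIN block:", block.hex().upper())            # 04122D789ABCDEF6
    print("decoded  :", decode_pin_block(block, SAMPLE_PAN))
    print("bound to PAN:", pan_binding_holds(SAMPLE_PIN, SAMPLE_PAN, "4000123456789010"))
```

The decoder is intentionally strict about the control nibble, length nibble and F padding: a host or HSM that accepts loosely formed blocks gives an attacker room to probe a PIN one nibble at a time. Note that this example only covers formatting; the clear block must never leave the secure cryptographic device, and the key that encrypts it is what the third and fourth items in the list above are about.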
(ATMmarketplace)