What is a PCI PIN Assessment? Payment Card Industry PIN explained

June 27, 2024 • Resource
Posted by
Smita Mylavarapu

A PCI PIN Assessment checks whether an organisation complies with the rules surrounding PIN management when conducting card transactions. During PIN keying, processing, and transmission, various security measures and equipment ensure that the PIN is encrypted, that keys are loaded securely, and that the keys are handled in a safe manner.

PCI PIN Assessments explained:

What does PCI PIN stand for?

PCI PIN stands for Payment Card Industry and Personal Identification Number, respectively. The Payment Card Industry Security Standards Council develops and oversees a number of standards that are required for compliance in processing payment cards. The PCI PIN Security Requirements and Testing Procedures document is also known as the PCI PIN Security Standard, which is what PCI PIN refers to. The PCI PIN Security Standard outlines the “requirements for the secure management, processing, and transmission of personal identification number (PIN) data during online and offline payment card transaction processing at ATMs and point-of-sale (POS) terminals.”

PCI PIN compliance is crucial for ensuring secure payment transactions and maintaining credibility in conducting secure business.

What is the current version of PCI PIN?

The PCI PIN Security Standard is now at Version 3.1, released in March 2021. This follows three major version releases, the first of which, v1.0, was in October 2011. The last major release was version 3.0 in August 2018.

What is a PCI PIN Assessment?

A PCI PIN Assessment checks whether an organisation complies with the rules surrounding PIN management when conducting card transactions. During PIN keying, processing, and transmission, various security measures and equipment ensure that the PIN is encrypted, that keys are loaded securely, and that the keys are handled in a safe manner. A PCI PIN Assessment assesses all the software and hardware involved in this process to determine whether the organisation complies with the PCI PIN Security Standard. A Qualified PIN Assessor (QPA) is required to perform a PCI PIN Assessment. An assessment results in the PCI PIN Attestation of Compliance (AOC).

Who needs PCI PIN Assessments?

Any organisation involved in managing, processing, or transmitting PIN-key data should comply with the PCI PIN Security Standard. In practice, this means PIN acquirers such as ATM and POS companies and banks, companies involved in the remote key distribution chain, key certificate and registration authorities and associated entities, key injection facilities, and other entities that handle PIN-processing technology.

PIN Security Requirements

The PCI PIN Security Standard lists seven control objectives:

  1. The equipment and methodologies that process PINs ensure the security of PINs.

  2. Key creation is performed by techniques that render keys unguessable.

  3. Keys are transmitted securely.

  4. Key-loading to hardware security modules and PIN entry devices is secure.

  5. Unauthorised use of keys is prevented and detected.

  6. Keys are administered securely.

  7. Equipment for processing PINs and keys is securely managed.

What is the process of a PCI PIN Assessment?

The process of a PCI PIN Assessment depends on the role of the organisation in PIN processing and the scope of the assessment. The assessment itself could cover a review of policies and documents, physical and logical security observation and testing, log auditing, assessment of encryption types, interviews, and more. At the end of the assessment, a report of compliance is drawn up, and an Attestation of Compliance is issued if the organisation is compliant with the standard.

How often is a PCI PIN Assessment done?

PCI PIN Assessments are done every 2 years.

Why Work With Tesserent for Your PCI PIN Assessment?

Tesserent provides a full suite of cybersecurity solutions including PCI PIN Assessments and PCI DSS services. Its qualified PIN Assessors follow a standardised approach to assessment. Tesserent has a wealth of knowledge and expertise in performing assessments and guiding organisations to maintain adequate security on an ongoing basis.


