Society of Payment Security Professionals Forum
Discussion Groups > PCI PIN Q&A

#1  01-28-2010, 08:05 AM
brianmonthie (Junior Member; joined Jun 2009; 4 posts)
PIN Audit
I work for a level-1 merchant. Before I arrived, our company performed a PIN Audit found in Appendix B of the PIN Security Requirements:

https://partnernetwork.visa.com/vpn/...4&userRegion=1

Our company was found non-compliant since not all PIN-entry devices were encrypted with TDES. However, in July of this year and around the same time the mandate for TDES becomes effective, we will have replaced all our single DES terminals with TDES terminals, thus becoming compliant with PCI PED.

Normally, I would say going through the PIN audit would be a good thing for us, since there is older documentation that shows us being non-compliant. If I can save the company money or resources, I'd like to avoid going through the PIN audit again. I asked our acquirer, our terminal vendor, and other PCI QSAs, and no merchant seems to be doing PIN audits. Is there a different audit or attestation of PED/PIN compliance we should be submitting to our acquiring bank?

Thanks,
Brian
#2  01-28-2010, 06:28 PM
jbhall56 (Senior Member; joined Feb 2007; Minneapolis, MN; 1,282 posts)
If your organization processes debit cards as credit cards, then a PIN audit is pointless as you are not allowing customers to enter a PIN even though they have terminals with PIN pads.

That said, I am not aware of any PIN audit program other than the one from Visa, which is based on the audit done for ATMs.
__________________
Jeff Hall, Director, Risk Advisory Services
RSM McGladrey Inc
801 Nicollet Mall, 11th Floor, West Tower
Minneapolis, MN 55402-2526
612 376 9280 - office
612 395 7280 - facsimile
www.mcgladrey.com

The views presented are those of the writer and are not necessarily those of RSM McGladrey Inc
#3  01-29-2010, 02:12 PM
andrewj (Senior Member; joined Mar 2007; 172 posts)
If you are not handling cryptographic keys that are used to encrypt the PINs of Visa, MasterCard, or JCB, then you do not need to go through a PIN audit. This is often the case for merchants, who have their PED equipment supplied through a third party (acquirer, ISO, or ESO), but some merchants do use their own devices and switching infrastructure, and therefore require a PIN audit.

If you own your PEDs, but have some other agency handling the keys and PIN translation functions for you, the compliance of your terminals is really their problem, not yours (but it may well become yours if they decide to reduce their liability and increase their compliance by cutting you off).
#4  02-05-2010, 01:57 PM
brianmonthie (Junior Member; joined Jun 2009; 4 posts)

Quote (originally posted by andrewj):
> If you are not handling cryptographic keys that are used to encrypt the PINs of Visa, MasterCard, or JCB, then you do not need to go through a PIN audit.
Does that apply to merchants who use an HSM?

In this case, the merchant created the keys within the HSM hardware and sent the keys to the PIN Pad vendor to have injected. In your opinion, would PED documentation from the HSM vendor and the PIN Pad vendor be a sufficient replacement? I don't believe HSMs have been formally addressed by the PCI council.
#5  02-05-2010, 02:44 PM
lyalc (Senior Member; joined Mar 2007; 580 posts)

Quote (originally posted by brianmonthie):
> Does that apply to merchants who use an HSM?
>
> In this case, the merchant created the keys within the HSM hardware and sent the keys to the PIN Pad vendor to have injected. In your opinion, would PED documentation from the HSM vendor and the PIN Pad vendor be a sufficient replacement? I don't believe HSMs have been formally addressed by the PCI council.
In this case, presuming the PIN pads do accept PINs from cards branded by either MasterCard, Visa or JCB, then yes, there will be a need for a PIN audit to occur.

The processes around how the keys are generated, transported and injected will be in scope of the PIN audit.

Additionally, some national payment associations have specific auditable requirements around PIN key handling, PIN entry and key injection processes for bank-branded payment cards.

lyalc
Tags: pin audit

Copyright (c) The Aegenis Group, Inc.