All organizations involved with handling Visa PIN data, whether it involves PIN processing, translation, acceptance and/or key management, or the management or security of these environments, must comply with Visa PIN Security Program.
As the Visa PIN Security Program Validation cycle is 24 months, we want to provide you with an update on recent changes in the validation process (March 2019).
Here is an overview:
Visa introduces two main categories of entities that require validation against the Visa PIN Security Program. These are Validating Participants and Non-Validating Participants.
Validating Participants are defined as:
All these entities must perform an onsite PIN security assessment once every 24 months.
Non-Validating Participants are Visa clients, merchants and other organizations that acquire PIN transactions and/or perform key management services for only their own acquiring business.
Non-Validating Participants must fully comply with the Visa PIN Security Program security requirements, but their validation requirements differ from those for Validating Participants: they validate by performing self-assessments using an internal or external resource.
Unlike before 2018, self-assessment results (PIN Self-Assessment Questionnaire) do not need to be submitted to Visa but must be retained as evidence of compliance. Visa reserves the right to request evidence of PIN compliance at any time, or request an on-site PIN Security review of any organization, at any time, to ensure the security of the payment system.
Starting from July 2018, Validating PIN Participants can contract and engage directly with Visa-approved SAs for on-site PIN reviews, which significantly streamlines the process.
Just after the introduction of the new PIN SA Model in July 2018, Visa and other payment brands consolidated their efforts in PIN Security Validation and started the transition of the entire process to PCI SSC.
If you check the current list of Visa Approved Security Assessors, you will see the following notice:
Note: Visa is currently in a freeze period and not accepting applications for new security assessors in any region pending transition of assessors to the PCI SSC in 2019. Organizations requiring an onsite assessment should continue to reference resources on this list until further notice. Contact the regional Visa Risk Representative for additional information.
The new validation program was announced last year, and on February 20th, 2019 PCI SSC opened the Qualified PIN Assessor (QPA) Program for applications. It is worth mentioning that qualification is not limited to existing QSA companies; however, the qualification requirements are highly demanding.
The first training and exam for PCI PIN Security Assessors is planned for June 10th – 11th, 2019. We can expect the first validations against the new program to start in June.
While writing this article, Visa circulated another important piece of information: effective 1 October 2019, Validating PIN Participants will be required to use a PCI QPA for onsite assessments. PIN assessments that are already scheduled and will be performed after 1 October 2019 may continue to use a Visa Approved PIN Assessor that is not a PCI QPA; in these cases, Visa approval is required before the assessment takes place. On the same date, all existing non-PCI PIN Security Assessor companies will be removed from the list of approved assessors.
The latest version of PIN Security Requirements 3.0 was published in August 2018.
Although in most cases the changes provide further clarification to the existing requirements, the new version also defines several important sunset dates:
Recently Visa notified all involved Validating Participants that effective 1 January 2020, all PIN assessments must be performed using PCI PIN v3 and the associated PCI reporting materials. As of this date, PCI PIN v2 assessments will no longer be accepted.
As a part of the new PCI SSC validation process, the new PCI PIN Security Requirements 3.0 RoC template was published in January 2019.
Unlike the old validation reports, which were very brief, the new reporting template sets a much higher bar for documenting assessment results. It is very detailed and specific, and it captures a lot of information about the assessed entity. On the one hand, this is a positive change: a detailed report template enforces accuracy and thoroughness in the assessment, evidence collection and analysis processes. On the other hand, documenting every sub-requirement in detail and writing a report of around 250 pages will require additional time both onsite and offsite. We believe the one or two days onsite that Visa mentions in the Program Guide are hardly enough to validate against all applicable requirements and gather supporting evidence. Based on our experience conducting several P2PE assessments (where a similarly detailed report has been used for years), we estimate that the time an assessor needs to spend validating against the new PIN Security Program will be much longer than it was before 2018.
In 2018, Visa introduced a new global list of approved and compliant PIN program participants. Make sure your company appears on the list in blue. If your renewal submission is 1-60 days late, your company will appear on the list in amber, which signals to potential customers that something may be wrong with your compliance validation. If your listing renewal submission is 61-90 days late, your company will appear in red and may be removed from the list at a later point.
Our expert team is available to answer your questions about the Visa PIN Security Program.
Visa PIN Security Program Guide: https://usa.visa.com/dam/VCOM/download/security/documents/visa-pin-security-program-guide-public.pdf
Changes to the PIN Security Program in Europe: https://usa.visa.com/dam/VCOM/global/partner-with-us/documents/announcement-ve-pin-progam-changes-public-version.pdf
Visa Approved Security Assessors (SA) List: https://usa.visa.com/dam/VCOM/download/security/documents/sa-global-list.pdf
The Visa Global Registry of Service Providers: https://www.visa.com/splisting
PIN Security Requirements - Summary of Significant Changes from v2.0 to v3.0: https://www.pcisecuritystandards.org/documents/PCI_PIN_Security_Rqrmts_Modifications_v3_Summary_of_Changes_Aug2018.pdf?agreement=true&time=1551107880220
Europe PIN Security Program Modifications Frequently Asked Questions: https://usa.visa.com/dam/VCOM/global/partner-with-us/documents/europe-pin-program-faqs.pdf
PCI PIN Security Requirements 3.0 RoC template: https://www.pcisecuritystandards.org/documents/PCI_PIN_v3.0_ROC_Reporting_Template.pdf
I am a Managing Consultant at Advantio.
During my 18-year IT career, I have been lucky to work with the United Nations for over three years on a field mission, as well as to spend ten years focused on project management, information security, capacity planning, disaster recovery and business continuity.
At Advantio I apply my well-developed analytical, troubleshooting and problem-solving skills. I can also draw on my background in data processing, network and systems architecture, as well as IT security.
My certifications include: CISA, PCI QSA, PA-QSA, QSA (P2PE), PA-QSA (P2PE), 3DS Assessor.