All organizations involved in handling Visa PIN data, whether through PIN processing, translation, acceptance and/or key management, or through managing or securing these environments, must comply with the Visa PIN Security Program.
Because the Visa PIN Security Program validation cycle is 24 months, we want to give you an update on recent changes in the validation process (as of March 2019).
Here is an overview:
- Visa simplifies and unifies PIN security validation across all regions and provides greater transparency into the security status of PIN program participants. The current PIN Security Program covers the following regions: Asia-Pacific (AP), Canada, Central and Eastern Europe, Middle East and Africa (CEMEA), Europe, Latin America and Caribbean (LAC) and United States (U.S.).
- Visa discontinues the requirement to submit PIN Security Self-Assessment Questionnaires (SAQs).
- Visa introduces a new PIN security assessor (SA) model that enables members to engage with assessors directly for on-site reviews.
- Visa creates a global list of approved and compliant PIN program participants, which provides a platform for program participants to promote their secure PIN services.
New Categories for PIN Program Participants
Visa introduces two main categories of entities that require validation against the Visa PIN Security Program. These are Validating Participants and Non-Validating Participants.
Validating Participants are defined as:
- PIN Acquiring Third-Party VisaNet Processor (VNP) – A third party VNP entity that is directly connected to VisaNet and provides acquiring PIN processing services to Visa clients.
- PIN Acquiring Client VNP acting as a Service Provider – A Visa client or client owned entity that is directly connected to VisaNet and provides PIN acquiring processing services to Visa clients.
- PIN Acquiring Third-Party Servicers (TPS) – A third-party agent that stores, processes, or transmits Visa account numbers and PINs on behalf of Visa clients.
- Encryption and Support Organizations (ESO) – Organizations that:
  - perform cryptographic key management services (i.e., key injection facilities (KIFs), remote key distribution (RKD)) on behalf of Visa clients;
  - service and/or deploy client ATM, POS, or kiosk PIN entry devices (PEDs) that process and accept cardholder PINs;
  - PED manufacturers and third-party Certificate Authorities that manage various cryptographic key management responsibilities for clients.
All these entities must perform an onsite PIN security assessment once every 24 months.
Non-Validating Participants are Visa clients, merchants and other organizations that acquire PIN transactions and/or perform key management services for only their own acquiring business.
While Non-Validating Participants must fully comply with the Visa PIN Security Program security requirements, their validation requirements differ from those of Validating Participants. Their validation process consists of performing self-assessments using an internal or external resource.
Unlike before 2018, self-assessment results (the PIN Self-Assessment Questionnaire) no longer need to be submitted to Visa, but they must be retained as evidence of compliance. Visa reserves the right to request evidence of PIN compliance at any time, or to request an on-site PIN security review of any organization at any time, to ensure the security of the payment system.
New PIN SA Model Introduced
Starting from July 2018, validating PIN participants can contract and engage directly with Visa-approved SAs for on-site PIN reviews, which significantly streamlines the process.
From PIN SA to PCI PIN Security Assessors
Just after the introduction of the new PIN SA Model in July 2018, Visa and other payment brands consolidated their efforts in PIN Security Validation and started the transition of the entire process to PCI SSC.
If you check the current list of Visa Approved Security Assessors, you will see the following notice:
Note: Visa is currently in a freeze period and not accepting applications for new security assessors in any region pending transition of assessors to the PCI SSC in 2019. Organizations requiring an onsite assessment should continue to reference resources on this list until further notice. Contact the regional Visa Risk Representative for additional information.
The new validation program was announced last year, and on February 20th, 2019 PCI SSC opened the Qualified PIN Assessor (QPA) Program for applications. It is worth mentioning that not only existing QSA companies may qualify; however, the qualification requirements are highly demanding.
The first training and exam for PCI PIN Security Assessors is planned for June 10th – 11th, 2019, so we can expect the first validations against the new program to start in June.
While this article was being written, Visa circulated another important piece of information: effective 1 October 2019, Validating PIN Participants will be required to use a PCI QPA for onsite assessments. PIN assessments that are already scheduled and will be performed after 1 October 2019 may continue to use a Visa Approved PIN Assessor that is not a PCI QPA; in these cases, Visa approval is required before the assessment takes place. On the same date, all existing non-PCI PIN Security Assessor companies will be removed from the list of approved assessors.
Changes in PIN Security Requirements 3.0
The latest version of PIN Security Requirements 3.0 was published in August 2018.
Although in most cases the changes provide further clarification of the existing requirements, the new version also defines several important sunset dates:
- for the discontinued support of fixed (static) TDES keys,
- for the obligation to support the ISO 9564-1 format 4 PIN block (the AES-based, 128-bit PIN block format),
- for the use of PCs for handling keys or key components.
Recently Visa notified all involved Validating Participants that effective 1 January 2020, all PIN assessments must be performed using PCI PIN v3 and the associated PCI reporting materials. As of this date, PCI PIN v2 assessments will no longer be accepted.
New reporting requirements – New challenges
As a part of the new PCI SSC validation process, the new PCI PIN Security Requirements 3.0 RoC template was published in January 2019.
Unlike the old validation reports, which were very brief, the new reporting template raises the bar for reporting the results of the assessment. It is very detailed and specific, and it contains a lot of information about the assessed entity. On the one hand, this is a positive change: a detailed report template enforces accuracy and thoroughness in the assessment, evidence collection and analysis processes. On the other hand, documenting all sub-requirements in detail and writing a 250-page report will require additional time both onsite and offsite. We believe the one or two days onsite that Visa mentions in the Program Guide are hardly enough to validate against all applicable requirements and gather supporting evidence. Based on our experience conducting several P2PE assessments (where the same kind of detailed report has been used for years), we estimate that the time an assessor needs to spend validating against the new PIN Security Program will be much longer than it was before 2018.
Are you listed?
In 2018, Visa introduced the new global list of approved and compliant PIN program participants. Make sure your company appears on the list in blue. A listing renewal submission that is 1-60 days late means your company will appear on the list in amber, which signals to potential customers that something may be wrong with your compliance validation. If your listing renewal submission is 61-90 days late, your company will appear in red and may be removed from the list at a later point.
Need more information?
Our expert team is available to answer your questions about the Visa PIN Security Program.
Visa PIN Security Program Guide: https://usa.visa.com/dam/VCOM/download/security/documents/visa-pin-security-program-guide-public.pdf
Changes to the PIN Security Program in Europe: https://usa.visa.com/dam/VCOM/global/partner-with-us/documents/announcement-ve-pin-progam-changes-public-version.pdf
Visa Approved Security Assessors (SA) List: https://usa.visa.com/dam/VCOM/download/security/documents/sa-global-list.pdf
The Visa Global Registry of Service Providers: https://www.visa.com/splisting
PIN Security Requirements - Summary of Significant Changes from v2.0 to v3.0: https://www.pcisecuritystandards.org/documents/PCI_PIN_Security_Rqrmts_Modifications_v3_Summary_of_Changes_Aug2018.pdf?agreement=true&time=1551107880220
Europe PIN Security Program Modifications Frequently Asked Questions: https://usa.visa.com/dam/VCOM/global/partner-with-us/documents/europe-pin-program-faqs.pdf
PCI PIN Security Requirements 3.0 RoC template: https://www.pcisecuritystandards.org/documents/PCI_PIN_v3.0_ROC_Reporting_Template.pdf