You are here

PTS PIN Security Requirements: Frequently Asked Questions

Written by: Austin P. Reis, CISA, CISM, QSA, PCIP, CCSFP

Version 2 of the PTS PIN Security Requirements Technical Frequently Asked Questions document was published May 2018 by the Payment Card Industry Security Standards Council (PCI DSS). There is only one (1) change made in this May 2018 update. The update is within PIN Security Requirement 13, which handles Hardware Security Modules (HSM) using laptop computers running terminal emulation software.

The secure management, processing, and transmission during online and offline payment card transactions of Personal Identification Numbers (PINs) is the focus of these requirements. PIN Security Requirement 13 states that only secure cryptographic devices (SCD) should be loading cleartext secret or private keys, and any organizations using a regular laptop computer running terminal emulation software to perform this task are not in compliance.

The May 2018 update puts a stake in the ground at June 1st, 2019. Any organization tested after that date will be not in compliance of the requirement. Until that date however, organizations that are using a computer running terminal emulation software must have the controls in place that are stated in the requirement. Per the requirement, those controls include:

  • The computer is dedicated for the usage and is only operated under dual control
  • The computer must be used either locally via a dedicated physically connected cable, or used in a controlled environment as defined in ISO 13491
  • A minimal OS is used, and no applications other than the terminal emulation software is present
  • The computer is stored in a tamper evident authenticable (TEA) bag and logged when removed or placed back into storage
  • The computer must be further controlled via storage in either a dual control safe or a dual control compartment within a single control safe
  • The computer must be booted from a specially customized CD for boot up using a minimal OS image, and the terminal emulation application and this CD stored in the same dual access controlled safe/compartment with the computer
  • The computer must not possess a hard drive or any other storage mechanism

The PCI SSC wants to ensure that access to any cleartext key data is only performed in a way to prevent inappropriate access. In turn, organizations that are processing, transmitting, or authorizing CHD along with PINs needs to ensure no emulated terminals are in use within the CHD.

In order to remain compliant after the June 1st, 2019 deadline, organizations need to switch to dumb terminals or secure cryptographic devices when loading key data to the HSM.

Additional Resources: