Returen to PCI services


PCI PIN Security Services

What atsec offers
atsec (Beijing) Information Technology Co.,Ltd (“atsec China” for short) is accredited as a PCI QPA (Qualified PIN Assessor) company by the Payment Card Industry (PCI) Security Standards Council (SSC). As a PCI QPA, atsec China can perform PIN Security onsite reviews for global markets. Previously, atsec was the Visa-approved Security Assessor for the PCI PIN Security Program since 2016.

PCI PIN Security Requirements standard contains a complete set of requirements for the secure management, processing, and transmission of personal identification number (PIN) data during online and offline payment card transaction processing at ATMs and attended and unattended point-of-sale (POS) terminals.

In addition to the assessment service, atsec offers a full range of consulting services to support your organization in achieving compliance with the PCI PIN Security standard. Our consultants have detailed and expert experience in each of the 7 Control Objectives, as well as the Normative Annex A and B, and can help you develop policies and procedures, and also assess your compliance with the standard.

  • Control Objective 1: PINs used in transactions governed by these requirements are processed using equipment and methodologies that ensure they are kept secure.
  • Control Objective 2: Cryptographic keys used for PIN encryption/decryption and related key management are created using processes that ensure that it is not possible to predict any key or determine that certain keys are more probable than other keys.
  • Control Objective 3: Keys are conveyed or transmitted in a secure manner.
  • Control Objective 4: Key-loading to HSMs and PIN entry devices is handled in a secure manner.
  • Control Objective 5: Keys are used in a manner that prevents or detects their unauthorized usage.
  • Control Objective 6: Keys are administered in a secure manner.
  • Control Objective 7: Equipment used to process PINs and keys is managed in a secure manner.
  • Normative Annex A – Symmetric Key Distribution using Asymmetric Techniques
    • A1 – Remote Key Distribution Using Asymmetric Techniques Operations: PIN Security Requirements
    • A2 – Certification and Registration Authority Operations: PIN Security Requirements
  • Normative Annex B – Key-Injection Facilities

Why our services are important to you
PCI PIN security compliance can be defined as mandatory by card brands when an organization manages, processes, and/or transmits PIN data.

For instance, VISA requests all organizations who act as service providers that handle Visa PIN data, including PIN processing, translation, acceptance and/or key management services on behalf of Visa clients should fully comply with the Visa PIN Security Program security requirements and validation deadlines requested by VISA, and the organizations include but are not limited to: PIN Acquiring Third-Party VisaNet Processor (VNP), PIN Acquiring Client VNP acting as a Service Provider, PIN Acquiring Third-Party Servicers (TPS), and Encryption and Support Organizations (ESO). Visa PIN Security Program participants who have successfully demonstrated compliance by submitting their VAOC to Visa will be listed on the Global Registry of Service Providers located on the Visa Service Provider website.

According to Visa’s rule, non-compliance assessments are levied as specified below.

  • Initial violation and each month of unaddressed violations, up to 4 months after the initial violation: USD 10,000 per month
  • Violations after 4 months and each month thereafter: USD 25,000 per month

atsec has plenty of experience and knowledge on different security areas related to PCI PIN Security and can help you to improve the overall security level.

For more information
More information about atsec PCI services and our public resources can be found at http://www.atsec.com and at the PCI SSC website at https://www.pcisecuritystandards.org.

For more information about this service, please contact us at info_cn@atsec.com.