Visa’s PIN Security Program Information

Visa is committed to protecting the Visa payment system which includes Visa cardholder PIN data. To that end, Visa created a PIN Security Program outlining compliance requirements with which acquirers, their merchants and/or their third party agents must comply. The baseline requirements for the Visa PIN Security Program Include:

• PCI PIN Security Requirements
• VISA PIN Entry Device (PED) Requirements

When purchasing PIN entry devices, ensure you check they are on the Approved PIN Transaction Security (PTS) Devices list.

In addition to the PED requirements, Visa maintains a list of compromised PEDs that are an extension of the PED requirements.

• Visa’s TDES Requirements

  Visa’s Triple Data Encryption Standard (TDES) requirements are:

  • All ATMs must use TDES to protect pins
  • All POS PIN acceptance devices must use TDES to protect pins

US only: Effective July 1, 2010, Automated Fuel Dispensers (AFDs) must use TDES or SDES DUKPT to protect pins.

Adherence to the requirements of the Visa PIN Security Program results in more than simply securing PIN data. Sound security practices help to protect organizations from adverse financial and reputational consequences often associated with PIN data compromises.

Validating Participants

Organizations identified as validating participants must validate to Visa their compliance with the requirements outlined in this program guide. Validation is required every 24 months using a Visa Approved Security Assessor.

Validating participants are defined as:

• PIN Acquiring Third Party VisaNet Processor (VNP) – A third party VNP entity that is directly connected to VisaNet and provides acquiring PIN processing services to Visa clients
• PIN Acquiring Client VNP acting as a Service Provider – A Visa client or client-owned entity that is directly connected to VisaNet and provides PIN acquiring processing services to Visa clients
• PIN Acquiring Third Party Servicers (TPS) – A third party agent that stores, processes, or transmits Visa account numbers and PINs on behalf of Visa clients
• Encryption and Support Organizations (ESO) – Organizations that:
  • Perform cryptographic key management services (i.e., key injection facilities (KIFs), Remote Key Injection (RKD) on behalf of Visa clients
  • Service and/or deploy client ATM, POS, or kiosk PIN entry devices (PEDs) which process and accept cardholder PINs
  • PED manufacturers and third party Certificate Authorities that manage various cryptographic key management responsibilities for clients

Non-Validating Participants

Visa clients, merchants and other organizations that acquire PIN transactions and/or perform key management services for only their own acquiring business must perform appropriate due diligence to ensure compliance with the PIN Security Program requirements. This may include performing self-assessments using an internal or external resource. Individuals performing the self-assessment must have adequate knowledge of the PCI PIN Security requirements but do not need to be Visa approved PIN SAs.

Self-assessment results do not need to be submitted to Visa, however Visa may request evidence of PIN security compliance or request an on-site PIN Security review of any organization, at any time, to ensure the security of the payment system. A PIN Self-Assessment Questionnaire (PIN SAQ) template is available on Visa’s PIN Security website, www.visa.com/pinsecurity.

For additional information read the Visa PIN Security Program Guide which is currently a Visa Confidential document and can be downloaded from the Visa Online website www.visaonline.com.

For any specific questions contact your regional Visa Risk Representative:

North America: [email protected]

LAC: [email protected]

AP and CEMEA: [email protected]

Global: [email protected]