How to Keep Your Customers’ Debit Card PINs Secure
Everyone involved in the processing of PIN-based debit card transactions is required to be in full compliance with all of the Payment Card Industry (PCI) PIN security requirements. There are quite a few of them — 32 to be exact — but compliance with five of them is particularly critical to your ability as a merchant to protect your customers’ PINs from falling into the wrong hands.
These five requirements are listed below and compliance with each one of them requires a close cooperation with your point-of-sale (POS) equipment provider and your payment processor. You may not understand all the technical jargon, but you should understand what each of these mandates is intended to achieve.
5 Essential PIN Security Requirements
1. Use PCI-compliant equipment. There is not much to be said about this requirement. You can find a list of PCI-compliant PIN-Entry device (PED) vendors at www.pcisecuritystandards.org/pin.
2. Do not log PIN blocks. Although individual PINs are encrypted or enciphered for protection within each transaction message, you must not store or log them after the transaction is processed. Many processing systems have programs that actively overwrite or mask PIN blocks. Moreover, processors are required to evaluate all inbound and outbound PIN-based messages to ensure that PIN blocks are not systematically logged within any system. Additionally, any temporary logging activity for troubleshooting or transaction research purposes must be followed by the removal of PIN blocks. Compliance with this requirement helps prevent hackers from successfully attacking any large repository of logged encrypted PINs.
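The "actively overwrite or mask PIN blocks" and "evaluate all inbound and outbound PIN-based messages" points above can be checked in code. The following is an added example, not code from the original article or from any processor or PED vendor: it uses a constructed, simplified transaction record (not a real message format) with a made-up 16-hex-digit `pin_block` value, strips that field before the record is written to a log, and scans existing log text for PIN-block-looking values that were written in the clear. The field name `pin_block` and the key=value log line are assumptions made for the example.

```python
import json
import re

# Constructed sample transaction record; the pin_block value is made up and
# stands in for an encrypted PIN block as it would appear in a message.
SAMPLE_TXN = {
    "mti": "0200",
    "amount": "000000012345",
    "pin_block": "0A1B2C3D4E5F6071",
}

# Fields that must never reach a log, even temporarily.
SENSITIVE_FIELDS = {"pin_block"}


def sanitize_for_log(txn: dict) -> dict:
    """Return a copy of the record with PIN block fields overwritten.

    The caller logs the returned copy, never the original record.
    """
    safe = dict(txn)
    for field in SENSITIVE_FIELDS:
        if field in safe:
            safe[field] = "[REMOVED]"
    return safe


# Matches a pin_block field (JSON or key=value style) followed by 16 hex digits,
# which is how a leaked PIN block would look in log output.
PIN_BLOCK_RE = re.compile(
    r'(?i)"?pin_block"?\s*[:=]\s*"?([0-9A-Fa-f]{16})\b'
)


def find_logged_pin_blocks(log_text: str) -> list[str]:
    """Scan log text and return any PIN block values written in the clear."""
    return [m.group(1) for m in PIN_BLOCK_RE.finditer(log_text)]


if __name__ == "__main__":
    # Constructed log lines: one written without sanitizing, one with.
    bad_line = "txn ok mti=0200 pin_block=0A1B2C3D4E5F6071"
    good_line = json.dumps(sanitize_for_log(SAMPLE_TXN))
    print("leaked in bad line:", find_logged_pin_blocks(bad_line))
    print("leaked in good line:", find_logged_pin_blocks(good_line))
```

Running the scanner over archived logs after a troubleshooting session is one way to confirm that the temporary logging mentioned above was actually followed by removal of the PIN blocks.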
3. Comply with secure key-injection procedures. Before your PEDs, more colloquially known as PIN pads, can be used, they must be securely “injected” (or “loaded”) with encryption keys. This will be handled by your PED vendor, in cooperation with your processor. You are required to establish procedures that prevent any one person from having access to all of the components of a single encryption key.
4. Use each encryption key for a single purpose. Using your PIN pad encryption keys solely for their intended purpose limits the exposure in case any of them is compromised. All master or hierarchy keys used in any production or test environment must be unique and must never be shared or substituted. Using any production key in a test system is prohibited. Any production key exposed in a test system, and any key encrypted under such an exposed production key, is considered compromised and must be replaced.
5. Use unique keys for each PIN pad. Make sure that your PIN pad vendor injects unique keys into each individual device, including initialization keys, key-exchange keys and PIN-encryption keys. Doing so limits the damage in case a key is cracked to only the PINs that were actually entered at the compromised machine. If, on the other hand, the cracked key is used for a large number of PIN pads, that would expose all PINs entered at all of those terminals.
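Two of the requirements above are easy to illustrate in code: requirement 3 (no one person holds all the components of a key) and requirement 5 (no two PIN pads share a key). The following is an added example, not code from the original article or from any PED vendor or processor. It splits a key into XOR components so that each custodian holds one component and any subset short of all of them is statistically independent of the key, and it flags devices in a constructed sample fleet that were loaded with the same key. The key length, the component count and the device names are assumptions made for the example.

```python
import secrets
from itertools import combinations


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("components must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n_components: int = 3) -> list[bytes]:
    """Split a key into n random XOR components, one per custodian.

    Any n-1 components are uniformly random and independent of the key,
    so no single custodian (requirement 3) learns anything about it.
    """
    if n_components < 2:
        raise ValueError("need at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(n_components - 1)]
    last = key
    for c in components:
        last = xor_bytes(last, c)
    components.append(last)
    return components


def combine_components(components: list[bytes]) -> bytes:
    """Rebuild the key during the loading ceremony by XORing all components."""
    result = bytes(len(components[0]))
    for c in components:
        result = xor_bytes(result, c)
    return result


def every_component_required(key: bytes, components: list[bytes]) -> bool:
    """Check that dropping any one component does not reproduce the key."""
    n = len(components)
    for subset in combinations(components, n - 1):
        if combine_components(list(subset)) == key:
            return False
    return combine_components(components) == key


def find_shared_keys(device_keys: dict[str, bytes]) -> dict[bytes, list[str]]:
    """Flag keys loaded into more than one PIN pad (requirement 5)."""
    by_key: dict[bytes, list[str]] = {}
    for device, key in device_keys.items():
        by_key.setdefault(key, []).append(device)
    return {k: devs for k, devs in by_key.items() if len(devs) > 1}


# Constructed sample fleet: POS-001 and POS-003 were wrongly loaded with the
# same key, so a compromise of that key would expose PINs from both terminals.
SAMPLE_FLEET = {
    "POS-001": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "POS-002": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
    "POS-003": bytes.fromhex("00112233445566778899aabbccddeeff"),
}


if __name__ == "__main__":
    key = secrets.token_bytes(16)
    parts = split_key(key, 3)
    print("all components required:", every_component_required(key, parts))
    print("devices sharing a key:", find_shared_keys(SAMPLE_FLEET))
```

In practice the split and combine steps happen inside the vendor's or processor's key-loading ceremony; the point of the example is that the procedure you agree with them should have this property, and that an inventory of loaded keys can be checked for duplicates before the terminals go live.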
The Takeaway
Compliance with the five requirements above, as well as with the other 27 PCI PIN security requirements, depends largely on the capabilities of your equipment vendor and payment processor. This is another reason to take your time and carefully dot the i’s and cross the t’s when doing your due diligence before selecting either of them, and to look beyond processing rates and terminal pricing when doing so.
A data security breach may seem to you like one of those things that only happen to others, but like all other types of payment processing risk, it is little more than a numbers game, and it is up to you to ensure that the odds are stacked in your favor.
Image credit: FinancialPost.com.