Thursday, June 30, 2011

Merchant Account Services PIN Security

Visa and MasterCard have worked with many merchant account services providers and industry standards entities to create security standards that protect personal identification numbers (PINs) accepted at Automated Teller Machines (ATMs) and point-of-sale (POS) PIN-Entry Devices (PEDs). The Associations' PIN Security and Key Management Compliance programs are based on the Payment Card Industry (PCI) PIN Security Requirements, a set of mandatory requirements for the safe maintenance, processing and transmission of customer PINs during credit card transaction processing at ATMs and POS PEDs.

The program is aimed at protecting member banks, card acceptors, and merchant account service providers. It is devised to help ensure the secure management, maintenance and transmission of consumer PINs at ATMs and POS PEDs. The result is that banks, retailers and acquirers can help avoid future liability and losses resulting from a PIN compromise.

Merchant Account Services PIN Security Standards

Following is a list of some of the main PIN security requirements:
  • TDES mandate. Card acceptors need to ensure they are in constant compliance with the Associations' PED-testing and TDES (Triple DES) requirements. Failure to comply can result in a large risk exposure.
  • Make certain that all machines have unique keys. Cryptographic keys placed within a PED have to be unique to that terminal. This includes initialization, key-exchange and PIN-encryption keys. By making sure that these keys are unique to each machine, a retailer can make their PEDs practically unusable for criminals, because a "cracked" unique key reveals only those PINs that are actually entered at the compromised device itself. Conversely, if a key used for a substantial number of machines is compromised, this could expose all PINs stored on those devices. When verifying compliance with this standard, your staff should also look for weak keys (including default, predictable, or simple keys).
  • Only use your keys for one purpose. To restrict the scale of exposure in case any key is compromised, encryption keys should only be used for their primary intended purpose. This applies to all keys used in POS PEDs and in network links to merchant account services processors. Production keys must never be shared with, or placed in, an organization's test system. All master keys or hierarchy keys used in any of your production or test settings must be unique and independent for each setting. The use of any production key in a test platform is a high-risk security violation. If any of these keys are exposed in the test platform, they, and any key that has been encrypted with such exposed keys, must also be considered compromised and replaced immediately.
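The uniqueness, single-purpose, test/production separation and weak-key rules in the two items above are the kind of thing a key custodian can check mechanically against a key inventory. The following audit script is an added example written for this post, not code from the PCI PIN Security Requirements or from any PED vendor. It assumes a simple inventory of double-length (16-byte) TDES keys, one record per terminal and key purpose; the terminal names, purposes and key values in SAMPLE_INVENTORY are constructed test data, and the parity check is a heuristic (a properly generated DES key has odd parity in every byte, so a key that fails it was likely typed in by hand or is a filler pattern). The four DES weak keys listed are the well-known ones from the DES standard.

```python
"""Audit a PED key inventory for shared keys, multi-purpose keys, production
keys in test, and weak key material (added example; assumptions noted)."""
from collections import defaultdict

# The four single-DES weak keys: encrypting twice with one returns the plaintext.
DES_WEAK_KEYS = {
    bytes.fromhex("0101010101010101"),
    bytes.fromhex("FEFEFEFEFEFEFEFE"),
    bytes.fromhex("E0E0E0E0F1F1F1F1"),
    bytes.fromhex("1F1F1F1F0E0E0E0E"),
}


def des_half_has_odd_parity(half: bytes) -> bool:
    """Each DES key byte carries 7 key bits plus one bit set to give odd parity."""
    return all(bin(b).count("1") % 2 == 1 for b in half)


def tdes_key_weaknesses(key: bytes) -> list:
    """Return the reasons a double-length TDES key is weak; empty list if none."""
    if len(key) != 16:
        return ["length is %d bytes, expected 16 (double-length TDES)" % len(key)]
    reasons = []
    k1, k2 = key[:8], key[8:]
    if k1 == k2:
        reasons.append("K1 == K2: key degenerates to single DES")
    if len(set(key)) == 1:
        reasons.append("all bytes identical (all-zero or filler pattern)")
    for name, half in (("K1", k1), ("K2", k2)):
        if half in DES_WEAK_KEYS:
            reasons.append(f"{name} is a known DES weak key")
        if not des_half_has_odd_parity(half):
            reasons.append(f"{name} fails DES odd-parity check (likely hand-typed or filler)")
    return reasons


def audit_inventory(records: list) -> list:
    """Return (scope, code, detail) findings for an inventory of
    {"terminal", "env", "purpose", "key"} records."""
    findings = []
    uses_by_key = defaultdict(list)  # key bytes -> [(terminal, env, purpose), ...]
    for r in records:
        uses_by_key[r["key"]].append((r["terminal"], r["env"], r["purpose"]))
        reasons = tdes_key_weaknesses(r["key"])
        if reasons:
            findings.append((r["terminal"], "WEAK_KEY", r["purpose"] + ": " + "; ".join(reasons)))

    for uses in uses_by_key.values():
        terminals = sorted({t for t, _, _ in uses})
        envs = {e for _, e, _ in uses}
        purposes = sorted({p for _, _, p in uses})
        scope = ",".join(terminals)
        if len(terminals) > 1:  # same key on several PEDs: one compromise exposes all of them
            findings.append((scope, "SHARED_KEY",
                             f"same key loaded on {len(terminals)} terminals"))
        if len(envs) > 1:  # a production key that also appears in a test environment
            findings.append((scope, "PROD_KEY_IN_TEST",
                             "key used in both production and test; treat as compromised"))
        if len(purposes) > 1:  # one key serving e.g. both PIN encryption and key exchange
            findings.append((scope, "MULTI_PURPOSE",
                             "same key used for " + " and ".join(purposes)))
    return findings


def _k(hexstr: str) -> bytes:
    return bytes.fromhex(hexstr)


# Constructed sample inventory (made-up terminal ids and key values, not real keys).
KEY_A = _k("0B1A2C3D4F5E6B7C8F9B2A3D4F5E6D7A")  # well-formed, odd parity
KEY_B = _k("1F2C3E4F5B6E7A8F9D8F7C6D5E4F3E2A")  # well-formed, odd parity
KEY_D = _k("E0D0C4B0A7977A796E5B4F3E2C1A0B07")  # well-formed, odd parity
KEY_E = _k("0E1C2A3E4F5B6D7F8F9E7C6E5E4F3E2A")  # well-formed, odd parity
SAMPLE_INVENTORY = [
    {"terminal": "PED-001", "env": "prod", "purpose": "PIN", "key": KEY_A},
    {"terminal": "PED-001", "env": "prod", "purpose": "KEK", "key": KEY_B},
    {"terminal": "PED-002", "env": "prod", "purpose": "PIN", "key": bytes(16)},  # all-zero
    {"terminal": "PED-003", "env": "prod", "purpose": "PIN", "key": KEY_D},
    {"terminal": "PED-004", "env": "prod", "purpose": "PIN", "key": KEY_D},  # shared
    {"terminal": "PED-005", "env": "prod", "purpose": "PIN", "key": KEY_E},
    {"terminal": "PED-005", "env": "prod", "purpose": "KEK", "key": KEY_E},  # multi-purpose
    {"terminal": "PED-T01", "env": "test", "purpose": "PIN", "key": KEY_A},  # prod key in test
]

if __name__ == "__main__":
    for scope, code, detail in audit_inventory(SAMPLE_INVENTORY):
        print(f"{code:<17} {scope:<16} {detail}")
```

Running it against the constructed inventory reports one WEAK_KEY finding (the all-zero key on PED-002), two SHARED_KEY findings (KEY_D on PED-003/PED-004, and KEY_A on PED-001/PED-T01), a PROD_KEY_IN_TEST finding for KEY_A, and a MULTI_PURPOSE finding for PED-005. In practice the inventory would come from the HSM or key-management system's key check values rather than from cleartext keys, but the uniqueness, environment and purpose checks work the same way on check values.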
