Tuesday, June 5, 2012

PIN Security and Key Management in Processing Credit Cards

All banks, retailers, and service providers that process credit cards and manage cardholder PINs or encryption keys must fully comply with the PCI PIN Security Requirements. Here are some best practices for doing so:
  • Use compliant point-of-sale (POS) equipment. Buy only POS terminals that have been PCI approved. Work with your credit card processor or Encryption Support Organization (ESO) to devise a plan that ensures every installed attended POS terminal is approved by Visa and MasterCard and uses the Triple Data Encryption Standard (TDES).
  • Do not store PIN blocks. Although a PIN travels encrypted (enciphered) inside the transaction message, it must never be written to transaction journals or logs once the transaction has been processed. Many processing environments run software that overwrites or masks PIN blocks, but any acquirer of PIN-based payments must still examine all inbound and outbound PIN-based messages to confirm that no system logs PIN blocks. Any temporary logging enabled for payment research or troubleshooting must actively remove PIN blocks. The rule exists so that no large store of logged encrypted PINs can accumulate and later be attacked in bulk.
  • Always follow secure key injection procedures. When POS PIN entry devices (PEDs) and host security modules (HSMs) are first installed, they must be loaded with encryption keys securely. Whatever kind of tamper-resistant security module is installed, the principles of dual control and split knowledge must be maintained at all times to keep the key secret: retailers processing credit cards must design procedures that prevent any one person from having access to all components of a single encryption key. If a retailer uses an ESO to inject keys into POS terminals, the processor must register that ESO with the card associations.
  • Use each key for a single purpose only. To limit the exposure if a key is compromised, an encryption key must be used solely for its intended purpose. This applies to all keys used in POS terminals and on network links to processors. Production keys must never be shared with or placed in a test system. Every master key and every other key used in any production or test environment must be unique, and unique to that environment. Using a production key in a test system is a high-risk violation: any production key exposed in the test system, and any key encrypted under such an exposed key, must be considered compromised and replaced immediately.
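The "do not store PIN blocks" rule has two operational halves: scrub the PIN block out of anything that reaches a log or journal, and periodically scan what was actually written to prove nothing leaked. The following Go program is an added example of both, not code from this post or from any PCI document. It assumes a key=value style host trace in which the encrypted PIN block (ISO 8583 data element 52, 8 bytes, so 16 hex digits) appears as `DE52=`; that tag format and the sample trace lines are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// pinBlockField matches ISO 8583 data element 52, the encrypted PIN block
// (8 bytes = 16 hex digits), as it would appear in a key=value style host trace.
// The "DE52=" tag is an assumed log convention for this example, not a standard.
var pinBlockField = regexp.MustCompile(`(?i)\bDE52=([0-9A-F]{16})\b`)

// RedactPINBlocks replaces the value of every DE52 in a trace line with a fixed
// mask so the line can be written to a journal or debug log. Only the value is
// replaced; the tag stays so analysts can still see that a PIN was present.
func RedactPINBlocks(line string) string {
	return pinBlockField.ReplaceAllStringFunc(line, func(m string) string {
		tag := m[:len("DE52=")]
		return tag + strings.Repeat("*", 16)
	})
}

// FindLoggedPINBlocks scans already-written log lines (the acquirer's review of
// inbound and outbound PIN-based traffic) and returns the 1-based line numbers
// that still carry an unmasked PIN block.
func FindLoggedPINBlocks(lines []string) []int {
	var hits []int
	for i, l := range lines {
		if pinBlockField.MatchString(l) {
			hits = append(hits, i+1)
		}
	}
	return hits
}

// ScrubMessage drops DE52 from a parsed message before it is handed to any
// logging, research or troubleshooting path, so the field never reaches a log.
func ScrubMessage(fields map[string]string) map[string]string {
	out := make(map[string]string, len(fields))
	for k, v := range fields {
		if k == "52" {
			continue
		}
		out[k] = v
	}
	return out
}

// sampleTrace holds constructed trace lines for the example; this is not real traffic.
var sampleTrace = []string{
	"2012-06-05T10:01:02Z MTI=0200 DE2=411111******1111 DE4=000000012500 DE52=1A2B3C4D5E6F7081 DE53=0100000000000000",
	"2012-06-05T10:01:03Z MTI=0210 DE2=411111******1111 DE39=00",
	"2012-06-05T10:01:04Z MTI=0200 de52=ffeeddccbbaa9988 DE4=000000000500",
}

func main() {
	for _, l := range sampleTrace {
		fmt.Println(RedactPINBlocks(l))
	}
	fmt.Println("trace lines still holding PIN blocks:", FindLoggedPINBlocks(sampleTrace))
}
```

Note that DE53 on the first line is also 16 hex digits but is left alone: the scrubber keys on the field tag, not on "anything that looks like a PIN block", so it neither over-redacts security control information nor misses a PIN block whose bytes happen to look like something else. The scan step is the part practitioners tend to skip; run it over the journals, not just the code path you believe is scrubbed.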
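The dual control and split knowledge rules in the key injection item are usually implemented as a key ceremony: each custodian holds one component, the components are XORed inside the HSM or PED, and nobody writes down anything but a key check value (KCV). The program below is an added example of that procedure in Go, not code from this post or from any HSM vendor. It assumes a 16-byte (double-length) TDES key, uses the standard library's `crypto/des` for the conventional KCV (first three bytes of the key's encryption of an all-zero block), and generates three components; the function names are this example's own.

```go
package main

import (
	"crypto/des"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// oddParity forces each byte to odd parity, the DES/TDES key convention.
// The parity bit carries no key material, which is what lets us re-apply it
// after XORing components without changing the effective key.
func oddParity(k []byte) []byte {
	out := make([]byte, len(k))
	for i, b := range k {
		c := b &^ 1
		ones := 0
		for x := c; x != 0; x >>= 1 {
			ones += int(x & 1)
		}
		if ones%2 == 0 {
			c |= 1
		}
		out[i] = c
	}
	return out
}

// NewKey returns a random, parity-adjusted double- (16) or triple-length (24) TDES key.
func NewKey(rnd io.Reader, length int) ([]byte, error) {
	if length != 16 && length != 24 {
		return nil, errors.New("key must be 16 or 24 bytes")
	}
	k := make([]byte, length)
	if _, err := io.ReadFull(rnd, k); err != nil {
		return nil, err
	}
	return oddParity(k), nil
}

// KeyCheckValue is the conventional TDES KCV: the first three bytes of the
// encryption of an all-zero block, in hex. Custodians record the KCV of their
// own component; the combined key's KCV is compared with the expected value.
func KeyCheckValue(key []byte) (string, error) {
	k := append([]byte{}, key...)
	switch len(k) {
	case 16:
		k = append(k, key[:8]...) // double-length key: K3 = K1
	case 24:
	default:
		return "", errors.New("key must be 16 or 24 bytes")
	}
	c, err := des.NewTripleDESCipher(k)
	if err != nil {
		return "", err
	}
	var out [8]byte
	c.Encrypt(out[:], make([]byte, 8))
	return hex.EncodeToString(out[:3]), nil
}

// SplitKey returns n components whose XOR is the (parity-adjusted) key. The first
// n-1 are uniformly random, so any n-1 components are independent of the key and
// no single custodian, or any group short of all of them, learns anything.
func SplitKey(key []byte, n int, rnd io.Reader) ([][]byte, error) {
	if n < 2 {
		return nil, errors.New("split knowledge needs at least two custodians")
	}
	parts := make([][]byte, n)
	last := oddParity(key)
	for i := 0; i < n-1; i++ {
		c := make([]byte, len(key))
		if _, err := io.ReadFull(rnd, c); err != nil {
			return nil, err
		}
		parts[i] = oddParity(c)
		for j := range last {
			last[j] ^= parts[i][j]
		}
	}
	parts[n-1] = oddParity(last)
	return parts, nil
}

// CombineKey XORs the components (as the HSM or PED does at injection time)
// and restores odd parity, giving back the parity-adjusted original key.
func CombineKey(parts [][]byte) ([]byte, error) {
	if len(parts) < 2 {
		return nil, errors.New("need at least two components")
	}
	key := make([]byte, len(parts[0]))
	for _, p := range parts {
		if len(p) != len(key) {
			return nil, errors.New("component length mismatch")
		}
		for j := range key {
			key[j] ^= p[j]
		}
	}
	return oddParity(key), nil
}

func main() {
	zmk, _ := NewKey(rand.Reader, 16) // deliberately never printed
	expected, _ := KeyCheckValue(zmk)
	parts, _ := SplitKey(zmk, 3, rand.Reader)
	for i, p := range parts {
		kcv, _ := KeyCheckValue(p)
		fmt.Printf("custodian %d component KCV %s\n", i+1, kcv)
	}
	back, _ := CombineKey(parts)
	actual, _ := KeyCheckValue(back)
	fmt.Printf("expected KCV %s, combined KCV %s, match=%v\n", expected, actual, expected == actual)
}
```

Two design points worth noticing: the program prints KCVs but never the key or a component, which is exactly what a ceremony log should contain, and the combined key is recognised by comparing KCVs rather than by anyone seeing it. The KCV is not a secret, but it is also only 24 bits, so it detects mis-keyed components and transcription errors, not a deliberately substituted key.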
