As long as personal identification numbers (PINs) exist, they will continue to be a target for criminals. The Payment Card Industry (PCI) Security Standards Council continues to update the PIN Security Requirements to enhance usability and understanding by stating the requirements in a more granular manner. And though security has been enhanced with the recent switch to the new EMV chip, PIN safety standards are still as important as ever. Which of the recent PIN security requirements are most relevant to your institution?
To understand the PIN safety standards of today, let's first back up a bit to the very first PIN, which came along with the introduction of the first ATM in 1967 at Lloyds Bank in London, England. The inventor of the ATM envisioned six-digit PINs, but found that many people could only remember four. Longer PINs would seem to be safer, but in fact they turn out to be less secure: with 7-digit PINs, many people would just end up using their phone number, and with 9-digit PINs, people tend to use either their social security number or the always popular 123456789.
Despite the limitations of PINs, they remain in common use, and that use has spread beyond the relatively secure ATMs at financial institutions; we now see PIN entry at unattended point-of-sale machines, such as the self-checkout at your local grocery store.
Last year, the PCI (the open industry body that sets the standards for data security) released version 2.0 of its PIN security requirements.
These updated requirements are designed to address such common vulnerabilities as:
- PINs that are not protected by use of a secure PIN block
- Failure to use approved cryptographic devices for PIN processing
- Cryptographic keys that are non-random, never change, and are not unique per point-of-interaction device, such as the card reader at the checkout stand
- Few, if any, documented PIN-protection procedures
- Audit trails or logs that are not maintained
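The first item in that list, the "secure PIN block", is the formatting step that happens inside the PIN-entry device before the PIN is encrypted. The page does not name a specific format, so the example below (added here, not from the article or the PCI documents) uses ISO 9564-1 format 0, which pads the PIN and XORs it with the rightmost twelve PAN digits before the check digit. The point it demonstrates is that the clear block is bound to the card: the same PIN yields a different block for every PAN, and a block cannot be read back without the matching PAN. The PIN, PANs and function names are constructed sample values; in a real device the resulting block is still encrypted under a PIN-encryption key inside the secure cryptographic device before it leaves it.

```python
"""ISO 9564-1 format 0 PIN block construction (added example).

The article names a "secure PIN block" but no format; format 0 is an
assumption here. All values are constructed test data, not real card data.
"""


def pin_field(pin: str) -> bytes:
    """8-byte PIN field: '0', PIN length as one hex digit, PIN digits, 'F' padding."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 decimal digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))


def pan_field(pan: str) -> bytes:
    """8-byte PAN field: four zeros, then the 12 PAN digits preceding the check digit."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 decimal digits")
    return bytes.fromhex("0000" + pan[-13:-1])


def format0_pin_block(pin: str, pan: str) -> bytes:
    """Clear format 0 block = PIN field XOR PAN field.

    This is the value that is then encrypted inside the secure cryptographic
    device; it must never leave the device in this clear form.
    """
    return bytes(a ^ b for a, b in zip(pin_field(pin), pan_field(pan)))


def decode_format0(block: bytes, pan: str) -> str:
    """Recover the PIN from a clear format 0 block.

    Included only to show that the block is unreadable without the matching
    PAN: decoding with the wrong PAN fails the format checks below.
    """
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    field = bytes(a ^ b for a, b in zip(block, pan_field(pan))).hex().upper()
    if field[0] != "0":
        raise ValueError("not a format 0 block")
    length = int(field[1], 16)
    pin, pad = field[2:2 + length], field[2 + length:]
    if not 4 <= length <= 12 or not pin.isdigit() or pad != "F" * len(pad):
        raise ValueError("malformed format 0 block")
    return pin


# Constructed sample values (not real card data)
SAMPLE_PIN = "1234"
SAMPLE_PAN = "4000123456789010"
OTHER_PAN = "4000987654321000"

if __name__ == "__main__":
    block = format0_pin_block(SAMPLE_PIN, SAMPLE_PAN)
    print("block for PAN A:", block.hex())
    print("block for PAN B:", format0_pin_block(SAMPLE_PIN, OTHER_PAN).hex())
    print("decoded with PAN A:", decode_format0(block, SAMPLE_PAN))
```

Because the PAN is mixed into the block, an attacker who captures encrypted PIN blocks cannot tell whether two cardholders share a PIN, and a block replayed against a different card decodes to garbage; that is what "protected by use of a secure PIN block" buys, in addition to the encryption layered on top.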
The update also incorporates testing procedures into the requirements, but these have been added into a separate version of the document. Doing so permits a smoother evaluation and a deeper understanding of the requirements.
The PCI Council has also published a summary of significant changes, which gives an overview of the major modifications to the requirements. Let's take a look at some of the key changes:
Organizations too small to support reporting-structure requirement
The outline addresses procedures for organizations of insufficient size to support the reporting structure requirement. At present, the requirement states, “In order for key custodians to be free from undue influence in discharging their custodial duties, key custodians sufficient to form the necessary threshold to create a key must not directly report to the same individual.” For the small institution unable to meet this requirement, an exception is given.
When the overall organization is of insufficient size, procedural controls can be implemented instead. Such organizations must ensure that key custodians do not report to each other (i.e., the manager cannot also be a key custodian), must give custodians explicit training instructing them not to share key components with their direct manager, and must have custodians sign key-custodian agreements that include an attestation to this requirement.
Clarification of synchronization errors between closed-circuit TV, intrusion detection systems, and access control
To ensure that equipment used to process PINs and keys is managed in a secure manner, the PCI requires that “a process must be implemented for synchronizing the time and date stamps of the access, intrusion-detection, and monitoring (camera) systems to ensure accuracy of logs. It must be ensured that synchronization errors between CCTV, intrusion detection, and access control cannot exceed one minute.” This may be done by either automated or manual mechanisms. If a manual synchronization process is used, synchronization must occur at least quarterly, and documentation of the synchronization must be retained for at least a one-year period.
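One way to evidence the one-minute tolerance is to pick an event all three systems record (a vault door opening, say) and compare the timestamp each system assigned to it. The script below is an added example, not part of the article or of any PCI testing procedure; the three log-line formats and the sample lines are constructed, and no vendor's actual format is implied. It parses one line per system, reports the largest pairwise clock difference, and flags a set of logs whose skew exceeds 60 seconds.

```python
"""Check clock skew between access-control, CCTV and intrusion-detection logs
against the one-minute tolerance. Added example; the line formats below are
assumptions and the sample lines are constructed."""
from datetime import datetime, timezone
from itertools import combinations

MAX_SKEW_SECONDS = 60  # requirement: synchronization error may not exceed one minute

# Constructed lines: each system's record of the same vault-door opening
SYNCED_EVENT = {
    "access_control": "2015-03-02T14:05:12Z door=VAULT-1 event=OPEN badge=KC-07",
    "cctv": "2015-03-02 14:05:47 cam=03 motion_start",
    "ids": "Mar  2 14:04:58 2015 zone=VAULT sensor=door-contact state=OPEN",
}

# Same event, but the CCTV recorder's clock has drifted ahead
DRIFTED_EVENT = dict(SYNCED_EVENT, cctv="2015-03-02 14:06:20 cam=03 motion_start")


def parse_timestamp(system: str, line: str) -> datetime:
    """Extract the timestamp from each system's (assumed) line format, as UTC."""
    tokens = line.split()
    if system == "access_control":
        stamp = datetime.strptime(tokens[0], "%Y-%m-%dT%H:%M:%SZ")
    elif system == "cctv":
        stamp = datetime.strptime(" ".join(tokens[:2]), "%Y-%m-%d %H:%M:%S")
    elif system == "ids":
        # syslog-style "Mon dd HH:MM:SS yyyy"; split() collapses the padded day
        stamp = datetime.strptime(" ".join(tokens[:4]), "%b %d %H:%M:%S %Y")
    else:
        raise ValueError(f"unknown system {system!r}")
    return stamp.replace(tzinfo=timezone.utc)


def worst_skew(event_logs: dict) -> tuple:
    """Largest pairwise clock difference in seconds, and the pair of systems."""
    stamps = {s: parse_timestamp(s, line) for s, line in event_logs.items()}
    worst, worst_pair = 0.0, ("", "")
    for a, b in combinations(sorted(stamps), 2):
        delta = abs((stamps[a] - stamps[b]).total_seconds())
        if delta > worst:
            worst, worst_pair = delta, (a, b)
    return worst, worst_pair


def within_tolerance(event_logs: dict, limit: int = MAX_SKEW_SECONDS) -> bool:
    """True when every pair of systems agrees to within the limit."""
    return worst_skew(event_logs)[0] <= limit


if __name__ == "__main__":
    for name, logs in (("synced", SYNCED_EVENT), ("drifted", DRIFTED_EVENT)):
        skew, pair = worst_skew(logs)
        verdict = "OK" if within_tolerance(logs) else "EXCEEDS 1 MINUTE"
        print(f"{name}: worst skew {skew:.0f}s between {pair[0]} and {pair[1]}: {verdict}")
```

Run quarterly as part of the manual check, the printed verdict (with the lines it was computed from) is the kind of record that satisfies the one-year retention clause; when the skew is over the limit, the pair it names tells the operator which clock to correct.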
Specification of minimum log archive requirements
In an effort to ensure that keys are administered in a secure manner, Requirement 26 of the document states that “logs must be kept for any time that keys, key components, or related materials are removed from storage or loaded to an SCD.” These logs must be archived for a minimum of two years subsequent to key destruction. At a minimum, logs must include the following:
- Date and time in/out
- Key-component identifier
- Purpose of access
- Name and signature of custodian accessing the component
- Tamper-evident package number (if applicable)
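The list above is easy to check mechanically, which is useful when custody logs are kept electronically or transcribed from a paper register. The code below is an added example, not from the article: it audits constructed custody records for the minimum fields, lists components that have been taken out of storage but not yet returned, and computes the earliest date a log may be discarded (two years after the key's destruction). Field names such as `time_out` and `tamper_bag` are assumptions for the sake of the example.

```python
"""Audit a key-component custody log against the minimum fields in
Requirement 26 and compute the two-year archive horizon.
Added example on constructed records; field names are assumptions."""
from datetime import date, datetime

# Fields that must be present on every record. "time_in" is also required,
# but is legitimately empty while the component is still out of storage;
# "tamper_bag" (tamper-evident package number) is required only if applicable.
REQUIRED_FIELDS = ("time_out", "component_id", "purpose", "custodian", "signature")
ARCHIVE_YEARS = 2

# Constructed custody log entries (not real keys, people or bag numbers)
SAMPLE_LOG = [
    {"time_out": "2015-03-02T09:10:00", "time_in": "2015-03-02T09:40:00",
     "component_id": "ZMK-2015-01/A", "purpose": "Load ZMK component to HSM-1",
     "custodian": "Custodian A", "signature": "CA", "tamper_bag": "TE-5512"},
    {"time_out": "2015-03-02T09:12:00", "time_in": None,
     "component_id": "ZMK-2015-01/B", "purpose": "Load ZMK component to HSM-1",
     "custodian": "Custodian B", "signature": "CB", "tamper_bag": "TE-5513"},
    {"time_out": "2015-03-03T15:00:00", "time_in": "2015-03-03T15:20:00",
     "component_id": "ZMK-2015-01/C", "purpose": "",
     "custodian": "Custodian C", "signature": "", "tamper_bag": None},
]


def entry_problems(entry: dict) -> list:
    """Return the list of defects in one record (empty when it is complete)."""
    problems = [f"missing {field}" for field in REQUIRED_FIELDS if not entry.get(field)]
    if entry.get("time_in") and entry.get("time_out"):
        if datetime.fromisoformat(entry["time_in"]) < datetime.fromisoformat(entry["time_out"]):
            problems.append("time_in precedes time_out")
    return problems


def audit_log(log: list) -> dict:
    """Map each defective record's component id to its problems."""
    findings = {}
    for index, entry in enumerate(log):
        problems = entry_problems(entry)
        if problems:
            findings[entry.get("component_id") or f"entry#{index}"] = problems
    return findings


def still_out(log: list) -> list:
    """Components removed from storage that have no return time recorded."""
    return sorted(e["component_id"] for e in log if not e.get("time_in"))


def archive_until(destroyed_on: str, years: int = ARCHIVE_YEARS) -> str:
    """Earliest date (ISO) the custody log may be discarded after key destruction."""
    destroyed = date.fromisoformat(destroyed_on)
    try:
        keep_until = destroyed.replace(year=destroyed.year + years)
    except ValueError:  # destruction on 29 Feb, target year not a leap year
        keep_until = destroyed.replace(year=destroyed.year + years, day=28)
    return keep_until.isoformat()


if __name__ == "__main__":
    for component, problems in audit_log(SAMPLE_LOG).items():
        print(f"{component}: {', '.join(problems)}")
    print("still out of storage:", still_out(SAMPLE_LOG))
    print("retain log until:", archive_until("2015-03-02"))
```

The open-checkout report is the useful part in practice: a component that never came back is exactly the condition a reviewer of this log is trying to catch, and a record with a blank signature or purpose is a finding regardless of whether anything went wrong.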
Increasing minimum key sizes for various types of keys
The document outlines the approved minimum key sizes and parameters for the algorithms used in connection with key transport, exchange, or establishment and for data protection. Cryptographic strength is listed for the most common key lengths for the relevant symmetric and asymmetric cryptographic algorithms.
The PIN security requirements also go on to outline the test procedures for all requirements, which were new in the December 2014 update.
With the EMV chip deadline of Oct. 1, 2015, a shift from “swipe and signature” credit cards to “chip and PIN” purchasing builds a greater line of defense against criminals. But don’t forget about the details of PIN security parameters. Knowing these requirements can help secure cardholder data for your customers and members.
Dennis Agle, the firm’s Chief Information Officer, brings more than 20 years of technological operations support. He has engineered the software-based applications conceptualized by the firm. With a background in communications, his application designs emphasize pragmatic, user-friendly solutions that are cost-effective and efficient. He has developed skills in media production and in SaaS product development. He oversees the creation and implementation of the firm’s technological tools. His writing skills promote materials that are both coherent and engaging to users. He graduated magna cum laude from the University of Utah, where he majored in Mass Communications.