PCI Announces Coming Qualified PIN Assessor (QPA) Program


Sam Pfanstiel

Senior Consultant, P2PE, Coalfire

Second only to protecting sensitive credit card account information, safeguarding the cardholder’s personal identification number (PIN) is one of the most important tasks for prevention of card-present fraud in retail and banking. With the continued movement toward chip-and-PIN EMV (the technology standard named for Europay, Mastercard, and Visa), it is even more crucial that entities handling PINs protect this information properly in the face of continually evolving threats.

While magstripe card data has been the low-hanging fruit for data thieves in the past, this data alone is becoming less valuable as the move to EMV chip cards continues in the United States. However, similar migrations in Europe, Latin America, and Asia Pacific have taught us to expect a wave of PIN-related attacks as fraudsters adapt to these new protections, especially as retail organizations that have never handled PINs must become familiar with PIN security requirements. This transition constitutes a window of opportunity for thieves who will seek to exploit missing protections in the retail environment, weak cryptographic keys, vulnerable key exchange techniques, or non-compliant PIN translation devices, attacking this “weakest link” to conduct retail fraud or withdraw cash from victims’ accounts.

This year the Payment Card Industry (PCI) Security Standards Council (SSC), Accredited Standards Committee (ASC X9), and Visa announced the movement of the PIN assessor program from the respective brands to the PCI SSC. This follows the move of the PIN security standard to the PCI SSC in 2014 and demonstrates alignment among the networks and the standards bodies on the importance of protecting these crucial data elements used as the primary cardholder verification method (CVM) for card-present transactions. 

This new assessor program will be called the PCI Qualified PIN Assessor (QPA) program and officially kicks off in mid-2019. Previously, assessors had to be certified to each of the brand-specific programs as either a Certified TG-3 Auditor (CTGA) to assess against the TR-39 compliance guideline (released in 2009) or as a Visa PIN Security Assessor (SA) to assess against the PIN Security Requirements v2.0 (released in 2014). Reporting under the new council-managed program, QPA companies will soon perform these assessments against the latest version of the PCI PIN security standard, v3.0, which was released in August 2018.

What impact will this change have for you and your organization? The answer to this question depends on whether your company or any third-party agents directly handle the encryption keys and secure cryptographic devices (SCD) used to protect PINs—either within a point of interaction (POI), automated teller machines (ATM), hardware security module (HSM), key loading device (KLD), or as a certificate authority/registration authority (CA/RA).

Primarily, these changes will affect larger merchants, banks that process ATM or debit PIN transactions, processors, encryption support organizations (ESO), and ATM support companies. However, changes to the way these organizations protect their keys and devices will likely have downstream effects on smaller merchants and banks that rely on their services for key loading, configuration, and transaction processing.

  • Under PCI PIN v3.0, ESOs such as key injection facilities (KIFs) must be prepared to quickly adopt new regulations prohibiting PC-based clear-text loading of keys by 2021 (retailers and processors have until 2023 to do the same).
  • Banks, processors, and retailers handling encryption keys only have until July 2019 to implement ANSI TR-31 or ANSI X9.102 key blocks for internal applications and until 2021 to do the same for external processing relationships.
  • Many experts believe that the official deprecation of Triple DES by NIST this past July, and the introduction of AES DUKPT in 2017 (ANSI X9.24-3-2017), signal coming changes that could require the use of stronger AES keys for PIN and credit card data security.
  • Alignment of PIN security requirements with complementary payments cryptography standards such as Point-to-Point Encryption (P2PE), 3-D Secure (3DS), Token Service Provider (TSP), or Software-based PIN on COTS devices (SPoC) can present an opportunity to consolidate audit activity.
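The key block requirement in the second bullet and the Triple DES deprecation in the third are easier to reason about once you see what a key block header actually binds to a key. The following is an added example, not Coalfire's code and not part of the original post: it parses the 16-character TR-31 header (layout as published in ASC X9 TR-31) and applies two policy checks drawn from the bullets above, flagging DES/TDES keys for migration to AES and flagging PIN keys whose mode of use permits decryption. The key blocks it inspects are constructed samples whose hex key data and MAC are filler, and the MAC is not verified, since that requires the key block protection key (KBPK) held in the HSM.

```python
"""Structural and policy checks on a TR-31 key block header.

Added example (not Coalfire's code and not from the original post). The field
layout follows the public ASC X9 TR-31 header definition; the sample key blocks
are constructed for illustration (key data and MAC are filler hex, not real
wrapped keys). MAC verification needs the KBPK and is deliberately not done.
"""
from dataclasses import dataclass

# Header field code tables (subset of the TR-31 vocabulary).
VERSION_IDS = {"A": "TDES variant (legacy)", "B": "TDES key derivation binding",
               "C": "TDES variant", "D": "AES key derivation binding"}
KEY_USAGES = {"B0": "BDK (DUKPT base derivation key)", "D0": "data encryption",
              "K0": "key encryption / wrapping", "P0": "PIN encryption",
              "M1": "ISO 16609 MAC (TDES)", "M3": "ISO 9797-1 MAC algorithm 3"}
ALGORITHMS = {"A": "AES", "D": "DES", "H": "HMAC", "R": "RSA", "T": "TDES"}
MODES = {"B": "encrypt and decrypt", "D": "decrypt only", "E": "encrypt only",
         "G": "generate only", "N": "no special restriction", "V": "verify only",
         "X": "key derivation only"}
EXPORTABILITY = {"E": "exportable under a KEK", "N": "non-exportable",
                 "S": "sensitive, exportable under any key"}
# MAC length in hex characters, by key block version ID.
MAC_HEX_LEN = {"A": 8, "B": 16, "C": 8, "D": 32}


@dataclass
class Tr31Header:
    version: str
    length: int
    key_usage: str
    algorithm: str
    mode_of_use: str
    key_version: str
    exportability: str
    opt_block_count: int


def parse_header(key_block: str) -> Tr31Header:
    """Split the fixed 16-character header; raise ValueError if malformed."""
    if len(key_block) < 16:
        raise ValueError("key block shorter than the 16-character header")
    h = key_block[:16]
    if h[0] not in VERSION_IDS:
        raise ValueError(f"unknown key block version {h[0]!r}")
    if not (h[1:5].isdigit() and h[12:14].isdigit()):
        raise ValueError("length and optional-block-count fields must be digits")
    return Tr31Header(version=h[0], length=int(h[1:5]), key_usage=h[5:7],
                      algorithm=h[7], mode_of_use=h[8], key_version=h[9:11],
                      exportability=h[11], opt_block_count=int(h[12:14]))


def assess_key_block(key_block: str) -> list[str]:
    """Return findings; an empty list means the block passes these checks."""
    findings = []
    hdr = parse_header(key_block)
    if hdr.length != len(key_block):
        findings.append(f"declared length {hdr.length} != actual {len(key_block)}")
    if hdr.key_usage not in KEY_USAGES:
        findings.append(f"unrecognised key usage {hdr.key_usage!r}")
    if hdr.algorithm not in ALGORITHMS:
        findings.append(f"unrecognised algorithm {hdr.algorithm!r}")
    if hdr.mode_of_use not in MODES:
        findings.append(f"unrecognised mode of use {hdr.mode_of_use!r}")
    if hdr.exportability not in EXPORTABILITY:
        findings.append(f"unrecognised exportability {hdr.exportability!r}")
    # Policy checks tied to the post: DES/TDES is deprecated by NIST, and a PIN
    # key that can also decrypt is broader than a POI's encrypt-only role needs.
    if hdr.algorithm in ("D", "T"):
        findings.append(f"{ALGORITHMS[hdr.algorithm]} key: plan migration to AES")
    if hdr.key_usage == "P0" and hdr.mode_of_use in ("B", "D", "N"):
        findings.append("PIN key usable for decryption: confirm holder is an HSM, not a POI")
    # Trailing MAC must be hex; with no optional blocks the key data must be too.
    mac_len = MAC_HEX_LEN[hdr.version]
    mac, body = key_block[-mac_len:], key_block[16:-mac_len]
    to_check = mac + (body if hdr.opt_block_count == 0 else "")
    if not all(c in "0123456789ABCDEF" for c in to_check):
        findings.append("key data / MAC are not upper-case hexadecimal")
    return findings


# Constructed samples: version D AES PIN key (encrypt only) and a version B
# TDES PIN key that can both encrypt and decrypt. Hex payloads are filler.
AES_PIN_KEY_BLOCK = "D0112P0AE00N0000" + "0123456789ABCDEF" * 4 + "FEDCBA9876543210" * 2
TDES_PIN_KEY_BLOCK = "B0080P0TB00N0000" + "0123456789ABCDEF" * 3 + "FEDCBA9876543210"

if __name__ == "__main__":
    for name, kb in (("AES", AES_PIN_KEY_BLOCK), ("TDES", TDES_PIN_KEY_BLOCK)):
        print(name, parse_header(kb), assess_key_block(kb) or "no findings")
```

The point of the header check is that usage, algorithm, mode and exportability travel with the wrapped key and are covered by the MAC, so an HSM can refuse to use a PIN key for data decryption even if someone asks it to; a clear-text or variant-wrapped key carries no such binding.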

Without a doubt, the movements of the PIN security requirements and PIN assessor program to the PCI SSC warrant consideration for any organization that accepts (or will accept) PINs for retail and banking transactions. This transition is not unlike the events that occurred in 2004 when the card brands recognized that their respective security programs (e.g., Visa Cardholder Information Security Program, Mastercard Site Data Protection, etc.) could be best managed under one common standard—what ultimately became the PCI Data Security Standard. And as it did as one of the inaugural QSA companies in 2004, Coalfire will lead the way through this transition as one of the principal companies ready to continue providing these crucial PIN security assessments.