PCI Data Security Standard Big News: New Listing Program for PIN Service Providers


There's been a significant development in the world of PIN security that all PIN service providers need to be aware of. The PCI Security Standards Council (SSC) has recently announced a new listing process specifically for PCI PIN Service Providers. This is welcome news, especially as it fills a gap left by the Visa PIN program, which was sunset approximately 18 months prior to this new program's introduction.
As a Qualified PIN Assessor (QPA), I've been digging into the details, and I want to give you an overview of this new offering and what it means for the industry.
This new PCI SSC-managed program provides a centralized and standardized way for PIN service providers to demonstrate their commitment to robust PIN transaction security. It allows organizations that have successfully validated their PCI PIN Security Requirements compliance to be officially listed on the PCI SSC website.
How Does It Compare to the PCI P2PE Program?
Many of you will be familiar with the PCI Point-to-Point Encryption (P2PE) program's submission and listing process. With the overlap of requirements between P2PE and PIN, it would make sense to have a similar submission process. While there are similarities, there are also key differences in this new PIN Service Provider program.
For P2PE solutions, providers typically need to submit a set of Reports on Validation (P-ROVs) and a P2PE Attestation of Validation (P-AOV) to the PCI SSC for their solution to be listed. However, this new PIN Service Provider listing program has a more streamlined submission process. To be listed, providers only need to have their QPA submit their Attestation of Compliance (AOC) and a document called the Vendor Release Agreement (VRA) – one that is familiar to those who have other listings with PCI. This means a full Report on Compliance (ROC) is not shared for the listing itself; however, it will be completed as part of the assessment as usual.
Key Considerations: Optional Listing and Fees
A crucial point to understand is that, unlike the P2PE program, where non-merchant-managed P2PE solutions must be listed to be recognized as a PCI P2PE solution, this new PIN Service Provider listing program is optional. Entities can still choose to validate their PIN environments with a QPA without being officially listed by the PCI SSC. However, being listed offers a clear and public way to showcase your validated status to clients and partners.
In terms of investment, the PCI SSC has set the annual listing fee for PIN Service Providers at $2,500. Recognizing the value of early adoption, they are offering a significant incentive: for new submissions made through January 1, 2026, the annual fee has been reduced to $950. This is a great opportunity for providers to get listed at a lower initial cost.
Scope and Future Outlook
It's important to clarify that this new listing is exclusively for PIN Service Providers. Entities that operate as PCI DSS service providers will continue to follow the existing processes of being listed with the individual payment brands.
However, one can't help but speculate whether this move by the PCI SSC signals a broader strategy. Could this be a test run for eventually unifying all service provider listings – including PCI DSS service providers – under the PCI SSC umbrella? Centralizing these listings could certainly streamline processes and provide greater clarity for the industry. While there's no official word on this yet, it's an interesting potential development to watch.
In Conclusion
The introduction of this new PCI PIN Service Provider listing program is a positive step forward, offering a clear path for providers to demonstrate their security posture. The streamlined submission process and the introductory fee make it an attractive proposition. As QPAs, we're ready to help guide PIN service providers through the validation process, whether they choose to pursue the new optional listing or not. Stay tuned for more updates as this program rolls out!