PCI PIN Basics Webinar (ControlCase)
Your IT compliance partner. Go beyond the checklist.
ControlCase. All Rights Reserved. 2
Agenda
01 Introduction to PCI PIN
02 Brief look into the standard
03 Scope and applicability
04 Certification process
05 Q&A
Presenters: Biju John, Sr. Vice President; Chad Leady, Director, Strategic Accounts

ControlCase Snapshot
ControlCase Overview
Best-in-class compliance platform
• ControlCase is revolutionizing the way enterprises and organizations deal with the numerous and frequently changing IT compliance and regulatory requirements
• Proprietary software, including appliance and SaaS solutions, that enables Compliance as a Service (CaaS): GRC and data discovery
• Compelling offering combining proprietary software, certification/audits and managed services on a single platform
• One Audit(TM) enables clients to assess once and comply to many
• Leadership positions in the PCI DSS, SOC 2, ISO 27001, HIPAA, HITRUST, FedRAMP and CMMC domains
• Serving over 1,000 customers
• Global footprint with offices in the U.S., LATAM, Europe, India, Canada and the UAE
• Leverages an offshore delivery infrastructure for competitive advantage
• IT compliance manager for multiple industry segments including banking, service providers, retail, hospitality and telecom
Global vision and solutions enhancement: provider of Compliance as a Service (CaaS), a subscription-based offering bundling proprietary GRC software and managed services
Founded in 2004; headquartered in Fairfax, VA; offices in the U.S., Canada and India; 250+ employees
Certification and continuous compliance services
Go beyond the auditor's checklist to dramatically reduce the time, cost and burden of maintaining IT compliance and becoming certified:
• Demonstrate compliance more efficiently and cost-effectively (cost certainty)
• Free up your internal resources to focus on other priorities
• Offload much of the compliance burden to a trusted compliance partner
• Improve efficiency by doing more with fewer resources and gain compliance peace of mind
1,000+ clients | 10,000+ IT security certifications | 275+ security experts
ControlCase Snapshot – Solution
Certification and continuous compliance services: IT certification services + continuous compliance services = a partnership approach, delivered through the Compliance HUB

Certification Services: One Audit. Assess Once. Comply to Many.
PCI DSS, ISO 27001 & 27002, SOC 1, 2, 3 & SOC for Cybersecurity, HIPAA, MARS-E, PCI P2PE, GDPR, NIST 800-53, PCI PIN, PCI SSF/SLC, CSA STAR, HITRUST CSF
What are the PCI Standards?

What is the PCI Security Standards Council?
• Founded in 2006 by the major payment brands (Visa, Mastercard, American Express, JCB International and Discover Financial Services); UnionPay joined later as a strategic member
• Develops and maintains the PCI Security Standards and programs
• Provides training, tools and educational resources to support implementation of, and compliance with, the PCI Security Standards
• Maintains the PCI family of standards
PCI SSC Family of Standards
• PCI DSS: security of environments that store, process or transmit account data
• PCI Secure Software Standard (SSS): security of payment software that handles payment data
• PCI Secure Software Lifecycle (Secure SLC): requirements for software vendors to develop and maintain payment software securely
• PCI P2PE: point-to-point encryption solutions that protect account data from the point of interaction until it reaches the decryption environment
• PCI TSP: requirements for token service providers for EMV payment tokens
• PCI CPP: physical and logical security requirements for card production and provisioning
• PCI 3DS: requirements for entities that implement 3-D Secure payment solutions
• PCI PTS: security requirements for the devices themselves (POI PIN-entry devices and HSMs)
• PCI PIN Security: secure management, processing and transmission of PIN data
What is PCI PIN Security?
A set of requirements for the secure management, processing and transmission of personal identification number (PIN) data and the related encryption keys.
It applies to online and offline payment card transactions in which the PIN is entered at a Point of Interaction (POI) device: ATMs, point-of-sale (POS) terminals, MPoC devices and similar.
• Current version: 3.1
• Validation is valid for two years
• Assessment performed by a Qualified PIN Assessor (QPA)
• Compliance is enforced by the card brands
• Standard maintained by the PCI SSC
• Deliverables: Report on Compliance (ROC) and Attestation of Compliance (AOC)
Who does PCI PIN apply to?
• Acquiring institutions
• Processors
• Third-party agents acting on behalf of an acquiring entity
• Entities managing cryptographic keys associated with PIN-based payments
• Key injection facilities (KIF)
• Certification authorities supporting remote key distribution
• Any other entity as directed by the participating payment brands
PCI PIN does not apply to issuing processing entities.
Involvement of Card Brands
• Validation is mandated by each participating brand, typically on a two-year cycle
• The payment brand is responsible for:
  - tracking and enforcement
  - penalties, fees and compliance deadlines
  - the validation process and who needs to validate
  - how frequently entities need to validate
  - PIN assessor requirements, including rotation of assessors for repeat assessments
  - forensic investigations
Entities and assessors should consult the payment brand directly to understand each brand's validation criteria and reporting requirements.
Overview of the PCI PIN v3.1 Standard
• Seven control objectives and 33 requirements covering transaction processing operations
• Two normative annexes:
  - Annex A: remote key distribution using asymmetric techniques
  - Annex B: key injection facilities (KIF)
7 Control Objectives
Control Objective 1: PINs are processed using equipment and methodologies that ensure they are kept secure.
Control Objective 2: Cryptographic keys used for PIN encryption/decryption and related key management are secured at all times.
Control Objective 3: Keys are conveyed or transmitted in a secure manner.
Control Objective 4: Key loading to HSMs and POI PIN-acceptance devices is handled in a secure manner.
Control Objective 5: Keys are used in a manner that prevents or detects their unauthorized usage.
Control Objective 6: Keys are administered in a secure manner.
Control Objective 7: Equipment used to process PINs and keys is managed in a secure manner.
Normative Annexes
Normative Annex A
• A1: Remote key distribution using asymmetric techniques operations: distribution of acquirer keys to transaction-originating devices (POIs) using asymmetric techniques
• A2: Certification and registration authority operations: operation of the certification and registration authority platforms used in connection with remote key-distribution implementations
Normative Annex B
• Key injection facilities: specific requirements for key injection facilities that load acquirer keys
Important Dates (effective dates in PCI PIN v3.1)
• 1 January 2023: Fixed keys are no longer acceptable for PIN encryption; only Master/Session or DUKPT key management may be used.
• 1 January 2023: Key blocks are required for external connections to associations and networks.
• 1 January 2023: PC-based key-loading software platforms or similar devices (e.g., modified PEDs) can no longer be used.
• 1 January 2024: Loading of cleartext private and secret key components/shares into an HSM must be done using an SCD.
• 1 January 2024: Encrypted key injection is required for POI v5 and higher devices, for entities performing key injection on behalf of others.
• 1 January 2025: Key blocks are extended to all merchant hosts, point-of-sale (POS) devices and ATMs.
• 1 April 2025: Non-console HSM access must use a TLS connection.
• 1 January 2026: Encrypted key injection is required for POI v5 and higher devices for all entities.
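The key block dates above exist because a key block binds a key to its permitted use. In the TR-31 format (now ANSI X9.143), the form these mandates are most often met with, a cleartext header states the key's usage, algorithm, mode of use and exportability, and a MAC over the header and the wrapped key lets the HSM reject a block whose header has been altered; a fixed or variant-encrypted raw key carries none of that. The Python below is an added example, not code from the page or from ControlCase: it decodes the header fields and runs a simple policy check for a key that is supposed to be a PIN encryption key. The sample key blocks and the raw key are constructed, the policy rules (usage P0, TDES or AES, version A treated as deprecated, mode of use E or D) are this example's own assumptions, and the wrapped payload is never decrypted, since that belongs inside an HSM.

```python
"""Inspect TR-31 / ANSI X9.143 key block headers.

Added example; not code from the page or from ControlCase. The 16-byte
header layout follows the published TR-31 format. The key blocks and the raw
key below are constructed samples, and the policy rules in
check_pin_key_block() are this example's own assumptions. Only the cleartext
header is inspected: unwrapping the payload needs the key block protection
key, which must stay inside an SCD (HSM).
"""
from dataclasses import dataclass

HEX = set("0123456789ABCDEFabcdef")

KEY_USAGE = {
    "B0": "BDK (DUKPT base derivation key)", "D0": "data encryption key",
    "K0": "key encryption key (KEK)", "K1": "key block protection key",
    "M3": "MAC key (ISO 16609 algorithm 1)", "P0": "PIN encryption key",
    "V0": "PIN verification key",
}
ALGORITHM = {"A": "AES", "D": "DES", "T": "TDES", "R": "RSA", "H": "HMAC"}
MODE_OF_USE = {
    "B": "encrypt and decrypt", "D": "decrypt only", "E": "encrypt only",
    "N": "no special restrictions", "X": "key derivation", "G": "generate MAC",
    "V": "verify MAC", "C": "generate and verify MAC", "S": "signature only",
}
EXPORTABILITY = {"E": "exportable under a trusted key", "N": "non-exportable",
                 "S": "sensitive (exportable under an untrusted key)"}
# Version A bound the key to its header with variant (XOR) masking and is
# deprecated; B and D use key-derivation binding (TDES and AES respectively).
DEPRECATED_VERSIONS = {"A"}


@dataclass
class KeyBlockHeader:
    version: str
    length: int
    key_usage: str
    algorithm: str
    mode_of_use: str
    key_version: str
    exportability: str
    optional_blocks: int


def classify_transport(material: str) -> str:
    """Tell a TR-31 key block from a bare hex key (fixed or variant-wrapped).

    A bare key carries no header, so nothing stops a PIN key from being
    presented to the HSM as a data or MAC key; that missing binding is what
    the key block mandate removes.
    """
    if (len(material) >= 16 and material[0] in "ABCD"
            and material[1:5].isdigit() and int(material[1:5]) == len(material)):
        return "key-block"
    if set(material) <= HEX and len(material) in (16, 32, 48, 64):
        return "raw-key"
    return "unknown"


def parse_header(block: str) -> KeyBlockHeader:
    """Decode the 16-character cleartext header of a TR-31 key block."""
    if classify_transport(block) != "key-block":
        raise ValueError("not a TR-31 key block")
    h = block[:16]
    for code, table, what in ((h[5:7], KEY_USAGE, "key usage"),
                              (h[7], ALGORITHM, "algorithm"),
                              (h[8], MODE_OF_USE, "mode of use"),
                              (h[11], EXPORTABILITY, "exportability")):
        if code not in table:
            raise ValueError(f"unknown {what} {code!r}")
    return KeyBlockHeader(version=h[0], length=int(h[1:5]), key_usage=h[5:7],
                          algorithm=h[7], mode_of_use=h[8], key_version=h[9:11],
                          exportability=h[11], optional_blocks=int(h[12:14]))


def check_pin_key_block(block: str, allowed_modes: str = "ED") -> list[str]:
    """Policy check for key material that is supposed to be a PIN encryption key.

    Returns findings; an empty list means the header binds the key to PIN
    encryption, to TDES or AES, to a current block version, and to a mode of
    use the receiving side actually needs (E for a POI, D for an acquirer host).
    """
    kind = classify_transport(block)
    if kind != "key-block":
        return [f"{kind}: no key block header, so key usage is not bound to the key"]
    hdr = parse_header(block)
    findings: list[str] = []
    if hdr.version in DEPRECATED_VERSIONS:
        findings.append(f"key block version {hdr.version} is deprecated")
    if hdr.key_usage != "P0":
        findings.append(f"usage {hdr.key_usage} ({KEY_USAGE[hdr.key_usage]}) is not PIN encryption")
    if hdr.algorithm not in ("T", "A"):
        findings.append(f"algorithm {ALGORITHM[hdr.algorithm]} is not TDES or AES")
    if hdr.mode_of_use not in allowed_modes:
        findings.append(f"mode of use {hdr.mode_of_use!r} is not one of {allowed_modes!r}")
    return findings


# Constructed samples (not real key material): a 16-char header followed by
# 64 hex chars standing in for the encrypted key and MAC, so the length
# field reads 0080.
GOOD_PIN_KEY_BLOCK = "B0080P0TE00N0000" + "0123456789ABCDEF" * 4
BAD_PIN_KEY_BLOCK = "A0080D0DB00E0000" + "FEDCBA9876543210" * 4   # old version, data key, DES
RAW_TDES_KEY = "0123456789ABCDEFFEDCBA9876543210"                # bare double-length key

if __name__ == "__main__":
    for name, material in (("good", GOOD_PIN_KEY_BLOCK),
                           ("bad", BAD_PIN_KEY_BLOCK), ("raw", RAW_TDES_KEY)):
        print(name, classify_transport(material), check_pin_key_block(material) or "OK")
```

Run as a script it prints the classification and the findings for the three samples. The point to take from it is that the first check an assessor or an internal reviewer can make on a key-exchange interface is purely structural: whether a header exists at all, and whether its usage field matches what the key is actually used for. Everything beyond that (MAC verification, unwrapping) has to happen inside the HSM.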
What is the PCI PIN Certification Process?
Summary – Why ControlCase?
• Partnership approach
• Continuous compliance services
• Compliance HUB
"They provide excellent service, expertise and technology. And, the visibility into my compliance throughout the year and during the audit process provides a lot of value to us."
— Dir. of Compliance, SaaS company

Q&A – Open Forum
© 2020 ControlCase. All Rights Reserved. 23
Q1. We understand that PIN applies to acquirers. We don't manage ATMs or POI devices. Can we still be certified under PIN?
Ans: Yes. An acquirer that handles PIN transactions can be assessed under PCI PIN regardless of whether it owns or manages ATMs or POI devices. The assessment covers the PIN transaction processing environment and validates the applicable controls.

Q2. Is a Hardware Security Module (HSM) mandatory for a PIN assessment? If so, must it be PCI PTS or FIPS certified?
Ans: The HSM is an integral part of a PIN assessment. It performs the key management and is the only component of the host environment in which clear-text PINs and clear cryptographic keys may exist. PCI PTS HSM approval or FIPS 140-2 Level 3 certification is mandatory. Note that it is not enough for the device to be certified: the entity must also demonstrate that it is configured and operated in the certified (PCI/FIPS) mode.

Q2.1 Can they use cloud HSMs?
Ans: Yes. A number of cloud HSM services are certified to FIPS 140-2 Level 3 and are acceptable for financial transactions. The same condition applies as for an on-premises device: the service must be operated in its certified mode, and the entity must be able to evidence the key-management controls around it.
Q3. There are additional controls that become applicable on the new effective dates. Are there compensating controls if an entity cannot meet those dates?
Ans: These controls are part of the standard and must be met. However, if a control cannot be met because of business or technical constraints, compensating controls can be considered. Note that compensating controls may be reviewed by the brands.

Q4. Visa has updated its PIN assessment guidelines. What are the changes?
Ans: In its recent program update, Visa stated that PCI PIN validation documents no longer need to be submitted to Visa and that the Visa Global Registry will no longer be updated. One other notable change is that the same QPA may now perform the assessment for more than two consecutive cycles for the same entity.
Thank you for the opportunity to contribute to your IT compliance program.
For additional queries/support: Biju John, bjohn@controlcase.com, +1 571-412-9898
ControlCase Compliance & Certification Process
Average time spent on compliance and certification of one environment with four parallel certifications (PCI DSS, ISO 27001, SOC 2 and HIPAA) by partnering with ControlCase: 950 hours*
1. Strategy call
2. Compliance HUB setup
3. Scoping
4. Automated evidence collection
5. Manual evidence collection
6. Consolidated pre-certification assessment
7. Submission to accreditation body
8. On-site accreditation body requirements
9. Quality assurance requirements
10. Report release: compliance and certification
Evidence is collected once and used for multiple regulations; time is saved through multi-regulation mapping (One Audit).
* Based on 1 environment with 4 parallel certifications (PCI, ISO, SOC2, & HIPAA).
ControlCase Compliance Process
1. Strategy call: determine the environment and the target certification dates
2. Compliance HUB setup: tools required to collect evidence automatically, run data discovery, and run remote vulnerability assessment and penetration testing (VAPT, L&M, CDD, ACE)
3. Scoping: collects region information, the list of instances running in all regions, and public IP addresses (cloud locations, inventory collection, assessor creates samples)
4. Automated evidence collection: collects time-consuming evidence such as firewall rule sets, system hardening, password policy and security patches (network management, configuration management, antivirus, patches and security policies, logging and monitoring)
5. Manual evidence collection: PCI DSS, data flows and processes, policies and procedures, physical security, HR and incident response
6. Consolidated pre-certification assessment
Collect once and use for multiple regulations. Time saved: 900 hours* through multi-regulation mapping (One Audit) and 350 hours* through automation.
Compliance Evidence Overlap
Regulation completed: PCI (100% complete). Status of the other regulations based on question overlap:
• SOC 2: 49.1% (84) complete, 50.9% (87) no evidence uploaded
• ISO 27001: 67% (77) complete, 33% (38) no evidence uploaded
• HIPAA: 76.1% (54) complete, 23.9% (17) no evidence uploaded

Compliance Requirement Overlap
Columns: No. | Topic | Question | ControlCase integrated standard | PCI DSS 3.2.1 | ISO 27001 | HIPAA | SOC 2

4 | Scoping | Provide your asset list, a list of the software, databases, data storage locations, sample sets, and other related data elements. | CC4 | X | X | X | X

28 | Data encryption at rest | Provide the following for all filesystems, databases and any backup media:
  • Details of the method (encryption, hashing, truncation, tokenization) used to protect covered information in storage
  • Evidence (screenshots or settings) showing that covered information is protected; for encryption, include evidence of the associated key management
  • A documented description of the cryptographic architecture that includes: (1) details of all algorithms, protocols and keys used for the protection of cardholder data, including key strength and expiry date; (2) the function of each key used in the cryptographic architecture; (3) an inventory of any HSMs and other secure cryptographic devices (SCDs) used for key management (to be provided in the inventory as part of Q4)
  | CC37 | X | X | X | X

44 | Logical access | Provide the organizational access control policy. | CC63 | X | X | X | X

50 | Logical access | For all assets identified in the sample, provide evidence of logical access account and password features, including: account lockout policy, account lockout duration, session timeout policy, password length, password complexity, password history, password expiry | CC69 | X | X | X | X

67 | Logging and monitoring | For the sample, provide the audit log policy settings. | CC95 | X | X | X

77 | Security testing | Provide external penetration test reports for the network and application layers. | CC115 | X | X | X
Average Time for Compliance & Certification
Average time spent by the customer on compliance and certification of one environment with four parallel certifications:

Activity | PCI DSS | ISO 27001 | SOC 2 | HIPAA | Total
Compliance / evidence collection | 400 hrs | 400 hrs | 400 hrs | 400 hrs | 1,600 hrs
Certification support | 150 hrs | 150 hrs | 150 hrs | 150 hrs | 600 hrs

Evidence collection and compliance
• Time saved through ControlCase multi-regulation mapping / One Audit: 900 hrs
• Time saved through ControlCase automation: 350 hrs
• Total time spent on evidence collection using another auditor: 1,600 hrs
• Total time spent on evidence collection partnering with ControlCase: 350 hrs

Certification support
• Total time spent on certification support using another auditor: 600 hrs
• Total time spent on certification support partnering with ControlCase: 600 hrs

Compliance & Certification Time Savings
• Total time spent on compliance and certification using another auditor: 2,200 hrs* (1,600 hrs evidence collection + 600 hrs certification support)
• Total time spent on compliance and certification in AWS by partnering with ControlCase: 950 hrs* (350 hrs evidence collection + 600 hrs certification support)
• Total time saved on compliance and certification by partnering with ControlCase: 1,250 hrs*
* Based on 1 environment with 4 parallel certifications (PCI, ISO, SOC2, & HIPAA).
Certification Technology Footprint
1. ACE (Automated Compliance Engine): collects evidence such as configurations remotely
2. CDD (Data Discovery solution): scans end-user workstations for card data

Continuous Compliance Overview
"The continuous compliance monitoring is a big value add to their audit and certification services, which is good for organizations that don't have the team in-house. It's a big differentiator for them."
— VP of IT, Call Center / BPO Company

70% of companies' assets are non-compliant at some point in the year.
Go beyond monitoring and alerting to predict, prioritize and remediate compliance risks before they become security threats.
Address common non-compliant situations that leave you vulnerable all year long, including:
• In-scope assets not reporting logs
• In-scope assets missed from vulnerability scans
• Critical vulnerabilities overlooked due to volume
• Risky firewall rule sets going undetected
• Non-compliant user access scenarios not flagged
Continuous Compliance Services
What is continuous compliance?
• Quarterly review of 20-25 high-impact / high-risk questions
• Technical review of vulnerability scans, log management, the asset list and other available automated systems
Benefits of continuous compliance
• Removes the risk of major last-minute audit findings
• Reduces the effort for the final audit by approximately 25%
• Reduces the risk of technical shortcomings such as quarterly scans missing certain assets, or logs from some assets not reporting
Predictive Continuous Compliance Services
Continuous compliance component | PCI DSS requirement met
Firewall rule-set analysis | 1
Configuration scanning | 2
Searching for cardholder data within the environment | 3
Secure coding developer training | 6
Application security scanning | 6
Logging platform | 10
File integrity monitoring platform | 10
Review of logs and alerts to meet PCI DSS requirements | 10
Secure storage and archival of parsed logs | 10
Internal vulnerability scanning | 11
External vulnerability scanning (ASV approved scan) | 11
Internal penetration testing | 11
External penetration testing | 11
Application penetration testing | 11
Distribution and attestation of annual security awareness training | 12
Deliverables of continuous compliance
• Quarterly compliant / non-compliant status on the dashboard, by activity area
• Risk rating every quarter
ControlCase Snapshot – Automation-driven
Compliance HUB Portal: automation-driven certification and continuous compliance
Quarterly Questions (ControlCase questionnaire references in parentheses)
Scoping
1. Review of scoping information: DFD, network diagram, asset inventory, in-scope locations (Q1, Q2, Q3, Q4, Q5, Q7, Q8)
Significant infrastructure changes
2. Review of significant change records (Q41)
3. Review of new installations for the hardening process (Q23)
Security scans and tests
4. Review of the quarterly VA scan report (Q74)
5. Review of the quarterly ASV scan report (Q75)
6. Review of the quarterly wireless scan report (Q72)
7. Review of the semi-annual segmentation test report (Q79)
8. Review of the semi-annual firewall ruleset review (Q11)
9. Review of recent secure code review reports (Q37)
PCI controls review
10. Review of the quarterly compliance review and communication to top management (PCI DSS charter) (Q87)
11. Quarterly user access review (Q48)
12. Store POI (PIN pad) verification process (Q65, Q66)
13. Review of platform-specific logs for completeness and of the daily log review process (Q68, Q71)
14. Review of the in-scope third-party service provider list and PCI compliance status; due diligence for new vendors (Q90, Q91, Q92)
15. Review of sample tickets for new user access creation, modification and removal (Q46, Q47, Q59)
Continuous Compliance Technology Footprint
1. ACE (Automated Compliance Engine): collects evidence such as configurations remotely
2. CDD (Data Discovery solution): scans end-user workstations for card data
3. VAPT (Vulnerability Assessment and Penetration Testing): performs remote vulnerability scans and penetration tests
4. LOGS (log analysis and alerting): reviews log settings and identifies missing logs remotely
More Related Content

PPTX
PCI DSS Compliance Checklist
PPTX
PCI DSS 4.0 Webinar Final.pptx
PPTX
PCI PIN Security & Key Management Compliance
PDF
PCI DSS v4 - ControlCase Update Webinar Final.pdf
PPTX
Webinar - pci dss 4.0 updates
PPTX
PCI DSS Compliance
PDF
PCI v4.0.1 Future Dated Requirements Webinar - ControlCase
PPTX
Introduction to PCI DSS
PCI DSS Compliance Checklist
PCI DSS 4.0 Webinar Final.pptx
PCI PIN Security & Key Management Compliance
PCI DSS v4 - ControlCase Update Webinar Final.pdf
Webinar - pci dss 4.0 updates
PCI DSS Compliance
PCI v4.0.1 Future Dated Requirements Webinar - ControlCase
Introduction to PCI DSS

What's hot (20)

PDF
IT Security & Governance Template
PPT
Anti-Forensics: Real world identification, analysis and prevention
PPT
Disaster Recovery & Data Backup Strategies
PPTX
Politique de sécurité des systèmes d'information hospitaliers
PPSX
Isms Implementer Course Module 1 Introduction To Information Security
PPTX
Siem ppt
PPTX
SIEM KPIs and KRIs
PDF
The journey to ICS - Extended
PPTX
Beginner's Guide to SIEM
PPTX
Ibm spectrum scale fundamentals workshop for americas part 1 components archi...
PPTX
Basic Component of Document Management System Software
PPTX
Security Information Event Management - nullhyd
PPTX
Comparison of it governance framework-COBIT, ITIL, BS7799
DOCX
ISO 27001 Training | ISMS Awareness Training
PPTX
05. performance-concepts
PPTX
It audit methodologies
PPTX
Managing Service Operations and why ITSM Matters
PDF
Digital Evidence in Computer Forensic Investigations
PDF
Data Center Security
PDF
Data Privacy & Security
IT Security & Governance Template
Anti-Forensics: Real world identification, analysis and prevention
Disaster Recovery & Data Backup Strategies
Politique de sécurité des systèmes d'information hospitaliers
Isms Implementer Course Module 1 Introduction To Information Security
Siem ppt
SIEM KPIs and KRIs
The journey to ICS - Extended
Beginner's Guide to SIEM
Ibm spectrum scale fundamentals workshop for americas part 1 components archi...
Basic Component of Document Management System Software
Security Information Event Management - nullhyd
Comparison of it governance framework-COBIT, ITIL, BS7799
ISO 27001 Training | ISMS Awareness Training
05. performance-concepts
It audit methodologies
Managing Service Operations and why ITSM Matters
Digital Evidence in Computer Forensic Investigations
Data Center Security
Data Privacy & Security
Ad

Similar to PCI PIN Basics Webinar from the Controlcase Team (20)

PPTX
PCI DSS and Other Related Updates
PDF
PCI DSS and PA DSS Version 3.0 Changes
PPTX
PCI DSS Business as Usual (BAU)
PDF
PCI DSS Essential Guide
PPTX
PCI DSS Business as Usual
PPTX
PCI DSS & PA DSS Version 3.0 Changes Webinar
PPTX
PCI DSS 3.2
PPTX
PCI DSS Business as Usual (BAU)
PPTX
Performing PCI DSS Assessments Using Zero Trust Principles
PPTX
PCI DSS 3.2 - Business as Usual
PDF
PCI-DSS for IDRBT
PDF
ControlCase PCI v4.0.1 Webinar Future Dates Requirements
PPTX
Managing Multiple Assessments Using Zero Trust Principles
PPTX
Webinar - PCI PIN, PCI cryptography & key management
PPTX
SFISSA - PCI DSS 3.0 - A QSA Perspective
PDF
Pcidss
PDF
Pci dss v2
PPTX
PCI DSS & PA DSS Version 3.0
PPT
Verderber Rothke What’s New With PCI
PPTX
Payment Card Industry Introduction CMTA APR 2010
PCI DSS and Other Related Updates
PCI DSS and PA DSS Version 3.0 Changes
PCI DSS Business as Usual (BAU)
PCI DSS Essential Guide
PCI DSS Business as Usual
PCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS 3.2
PCI DSS Business as Usual (BAU)
Performing PCI DSS Assessments Using Zero Trust Principles
PCI DSS 3.2 - Business as Usual
PCI-DSS for IDRBT
ControlCase PCI v4.0.1 Webinar Future Dates Requirements
Managing Multiple Assessments Using Zero Trust Principles
Webinar - PCI PIN, PCI cryptography & key management
SFISSA - PCI DSS 3.0 - A QSA Perspective
Pcidss
Pci dss v2
PCI DSS & PA DSS Version 3.0
Verderber Rothke What’s New With PCI
Payment Card Industry Introduction CMTA APR 2010
Ad

More from ControlCase (20)

PDF
Logging and Automated Alerting Webinar.pdf
PDF
Navigating Compliance for MSPs From First Audit to Monetization
PDF
Principes de base des tests d’intrusion Webinar
PDF
Penetration Testing Basics Webinar ControlCase
PDF
Maintaining Data Privacy with Ashish Kirtikar
PDF
ISO 27001 2002 Update Webinar.pdf
PPTX
Integrated Compliance Webinar.pptx
PDF
2022-Q2-Webinar-ISO_Spanish_Final.pdf
PDF
French PCI DSS v4.0 Webinaire.pdf
PDF
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
PPTX
Webinar-MSP+ Cyber Insurance Fina.pptx
PDF
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
PDF
Webinar-Spanish-PCI DSS-4.0.pdf
PDF
2022 Webinar - ISO 27001 Certification.pdf
PPTX
Webinar - CMMC Certification.pptx
PPTX
HITRUST Certification
PPTX
CMMC Certification
PPTX
FedRAMP Certification & FedRAMP Marketplace
PPTX
SOC 2 Compliance and Certification
PPTX
OneAudit™ - Assess Once, Certify to Many
Logging and Automated Alerting Webinar.pdf
Navigating Compliance for MSPs From First Audit to Monetization
Principes de base des tests d’intrusion Webinar
Penetration Testing Basics Webinar ControlCase
Maintaining Data Privacy with Ashish Kirtikar
ISO 27001 2002 Update Webinar.pdf
Integrated Compliance Webinar.pptx
2022-Q2-Webinar-ISO_Spanish_Final.pdf
French PCI DSS v4.0 Webinaire.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
Webinar-MSP+ Cyber Insurance Fina.pptx
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
Webinar-Spanish-PCI DSS-4.0.pdf
2022 Webinar - ISO 27001 Certification.pdf
Webinar - CMMC Certification.pptx
HITRUST Certification
CMMC Certification
FedRAMP Certification & FedRAMP Marketplace
SOC 2 Compliance and Certification
OneAudit™ - Assess Once, Certify to Many

Recently uploaded (20)

PDF
NewMind AI Monthly Chronicles - July 2025
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
PDF
Encapsulation_ Review paper, used for researhc scholars
DOCX
The AUB Centre for AI in Media Proposal.docx
PDF
cuic standard and advanced reporting.pdf
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
PDF
Chapter 3 Spatial Domain Image Processing.pdf
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
PDF
Machine learning based COVID-19 study performance prediction
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
PDF
Encapsulation theory and applications.pdf
PDF
Empathic Computing: Creating Shared Understanding
PPTX
Big Data Technologies - Introduction.pptx
PDF
Network Security Unit 5.pdf for BCA BBA.
PDF
Electronic commerce courselecture one. Pdf
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
NewMind AI Monthly Chronicles - July 2025
Building Integrated photovoltaic BIPV_UPV.pdf
Per capita expenditure prediction using model stacking based on satellite ima...
Mobile App Security Testing_ A Comprehensive Guide.pdf
Encapsulation_ Review paper, used for researhc scholars
The AUB Centre for AI in Media Proposal.docx
cuic standard and advanced reporting.pdf
CIFDAQ's Market Insight: SEC Turns Pro Crypto
Chapter 3 Spatial Domain Image Processing.pdf
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
Machine learning based COVID-19 study performance prediction
“AI and Expert System Decision Support & Business Intelligence Systems”
The Rise and Fall of 3GPP – Time for a Sabbatical?
Encapsulation theory and applications.pdf
Empathic Computing: Creating Shared Understanding
Big Data Technologies - Introduction.pptx
Network Security Unit 5.pdf for BCA BBA.
Electronic commerce courselecture one. Pdf
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows

PCI PIN Basics Webinar from the Controlcase Team

  • 1. PCI PIN Basics WEBINAR YOUR IT COMPLIANCE PARTNER GO BEYOND THE CHECKLIST
  • 2. ControlCase. All Rights Reserved. 2 Agenda Introduction to PCI PIN Brief look into the standard Scope and Applicability Certification Process 01 02 03 04 Q&A 05
  • 3. Biju John Sr. Vice President Chad Leady Director Strategic Accounts Presenters:
  • 5. © ControlCase. All Rights Reserved. 5 ControlCase Overview Best-in-Class Compliance Platform  ControlCase is revolutionizing the way enterprises and organizations deal with the numerous and frequently changing IT compliance and regulatory requirements  Proprietary software, including appliance and SaaS solutions, that enable CaaS (GRC and Data Discovery)  Compelling proprietary offering combining proprietary software, certification/audits, and managed services on a single platform.  One AuditTM enables our clientele to Assess once: Comply to Many  Leadership positions in the PCI DSS, SOC 2, ISO 27001, HIPAA, HITRUST, FedRAMP and CMMC domains  Serving over 1,000 customers  Global footprint with offices in the U.S., LATAM, Europe, India, Canada, and UAE  Leverages an offshore delivery infrastructure for competitive advantage  IT compliance manager for multiple industry segments including banking, service providers, retail, hospitality, and telecom Global Vision & Solutions Enhancement Provider of Compliance as a Service (CaaS) subscription-based offering bundling proprietary GRC software and managed services Founded in 2004 Headquartered in Fairfax, VA Offices in U.S., Canada, India 250+ employees
  • 6. ControlCase Snapshot © ControlCase. All Rights Reserved. 6 CERTIFICATION AND CONTINUOUS COMPLIANCE SERVICES Go beyond the auditor’s checklist to: Dramatically reduce the time, cost, and burden of maintaining IT compliance and becoming certified. Demonstrate compliance more efficiently and cost effectively (cost certainty) Free up your internal resources to focus on other priorities Offload much of the compliance burden to a trusted compliance partner Improve efficiencies by doing more with less resources and gain compliance peace of mind 1,000+ CLIENTS 10,000+ IT SECURITY CERTIFICATIONS 275+ SECURITY EXPERTS
  • 7. ControlCase Snapshot – Solution © ControlCase. All Rights Reserved. 7 Certification and Continuous Compliance Services Partnership Approach Compliance HUB + = IT Certification Services Continuous Compliance Services &
  • 8. Certification Services One Audit Assess Once. Comply to Many. © ControlCase. All Rights Reserved. 8 PCI DSS ISO 27001 & 27002 SOC 1,2,3 & SOC for Cybersecurity HIPAA MARS-E PCI P2PE GDPR NIST 800-53 PCI PIN PCI SSF/SLC CSA STAR HITRUST CSF
  • 9. © ControlCase. All Rights Reserved. What are the PCI Standards
  • 10. • Established in 2006 by leading payment card issuers. (VISA, MasterCard, American Express, JCB International & Discover Financial Services, UnionPay) • Develop and maintain PCI Security Standards and Programs • Provide training, tools and educational resources to support PCI Security Standards implementation and compliance • Maintains the PCI Family of Standards. What is the PCI Security Standards Council? © ControlCase. All Rights Reserved. 10
  • 11. PCI SSC Family of Standards
    • PCI DSS: Security of environments that store, process or transmit account data
    • PCI SSS: Securing payment software that handles payment data
    • PCI SSLC: Guidelines to software vendors to securely develop payment software
    • PCI P2PE: Enables secure payment transactions by securing end-to-end communication
    • PCI TSP: Requirements for token service providers for EMV payment tokens
    • PCI CPP: Physical and logical security requirements for card production and provisioning
    • PCI 3DS: Requirements for entities that implement a 3DS payment solution
    • PCI PTS – PIN Security: Secure management, processing and transmission of PIN data
  • 12. What is PCI PIN Security?
    Set of requirements for the secure management, processing, and transmission of personal identification number (PIN) data and related encryption keys. Applies to online and offline payment card transaction processing at Point of Interaction (POI) devices: ATMs, point-of-sale (POS) terminals, MPoC devices, etc.
    • Current version: 3.1
    • Valid for 2 years
    • Performed by a QPA
    • Compliance enforced by the card brands
    • Standard maintained under PCI SSC
    • Deliverables: Report on Compliance (ROC) and Attestation of Compliance (AOC)
  • 13. Who does PCI PIN apply to?
    • Acquiring Institutions
    • Processors
    • Third-party Agents acting on behalf of an acquiring entity
    • Management of cryptographic keys associated with PIN-based payments
    • Key Injection Facility (KIF)
    • Certificate Authority (Remote Key Distribution)
    • Any other entity as directed by participating PCI Brands
    PCI PIN is NOT applicable for Issuing Processing Entities.
  • 14. Involvement of Card Brands
    • Validation is as mandated by the participating Brand; validity period: 2 years
    • The Payment Brand is responsible for:
      • Tracking and enforcing: penalties, fees, compliance deadlines
      • The validation process and who needs to validate
      • How frequently entities need to validate
      • PIN Assessor requirements around rotating assessors for repeated assessments
      • Forensic investigations
    Entities and Assessors should consult with the Payment Brand directly to understand each brand’s validation criteria and reporting requirements.
  • 15. Overview of the PCI PIN v3.1 Standard
    • Seven control objectives and 33 requirements: Transaction Processing Operations
    • 2 Normative Annexes: Remote Key Loading; Key Injection Facility (KIF)
  • 16. 7 Control Objectives
    • Control Objective 1: PINs are processed using equipment and methodologies that ensure they are kept secure.
    • Control Objective 2: Cryptographic keys used for PIN encryption/decryption and related key management are secured at all times.
    • Control Objective 3: Keys are conveyed or transmitted in a secure manner.
    • Control Objective 4: Key-loading to HSMs and POI PIN-acceptance devices is handled in a secure manner.
    • Control Objective 5: Keys are used in a manner that prevents or detects their unauthorized usage.
    • Control Objective 6: Keys are administered in a secure manner.
    • Control Objective 7: Equipment used to process PINs and keys is managed in a secure manner.
  • 17. Normative Annexes
    Normative Annex A
    • A1: Remote Key Distribution Using Asymmetric Techniques Operations. Remote key distribution using asymmetric techniques for the distribution of acquirer keys to transaction-originating devices (POIs)
    • A2: Certification and Registration Authority Operations. Operations of Certification and Registration Authority platforms used in connection with remote key-distribution implementations
    Normative Annex B
    • B: Key-Injection Facilities. Specific requirements for key-injection facilities for the loading of acquirer keys
  • 18. Important Dates
    • 1 January 2023: Fixed key is not acceptable. Only Master/Session or DUKPT.
    • 1 January 2023: Key Blocks for external connections to Associations and Networks.
    • 1 January 2023: PC-based key-loading software platforms or similar devices (e.g., modified PEDs) cannot be used.
    • 1 January 2024: Loading of cleartext private and secret key components/shares into an HSM must use an SCD.
    • 1 January 2024: Encrypted key injection for POI v5 and higher devices for entities engaged in key injection on behalf of others.
    • 1 January 2025: Implement Key Blocks to extend to all merchant hosts, point-of-sale (POS) devices, and ATMs.
    • 1 April 2025: Non-console HSM access must use a TLS connection.
    • 1 January 2026: Encrypted key injection for POI v5 and higher devices for all entities.
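The key block dates above matter because a key block carries a header that binds the key's usage, algorithm, mode of use and exportability to the wrapped key, so an HSM can refuse to use a PIN key for any other purpose. The parser and policy check below are an added example written for this page, not ControlCase's or PCI SSC's code. The 16-character header layout follows the TR-31 / ANSI X9.143 key block format; the policy rules, sample blocks, wrapped-key payloads and MAC values are constructed placeholders (no key block protection key is involved, so nothing is unwrapped or MAC-verified).

```python
"""Added example: parse a TR-31 / ANSI X9.143 key block header and apply a local policy.

The 16-character ASCII header layout follows the TR-31 specification. The policy
rules, sample blocks, wrapped-key payloads and MAC values below are constructed
for illustration; nothing here unwraps a key or verifies a MAC.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Code tables for the header fields used below (a subset of the TR-31 tables).
KEY_USAGE = {
    "P0": "PIN encryption key",
    "B0": "base derivation key (DUKPT)",
    "K0": "key encryption / wrapping key",
    "D0": "data encryption key",
}
ALGORITHM = {"T": "TDES", "A": "AES", "D": "single DES", "R": "RSA"}
MODE_OF_USE = {"E": "encrypt only", "D": "decrypt only", "B": "encrypt and decrypt",
               "N": "no special restrictions", "G": "generate", "V": "verify", "X": "derive"}
EXPORTABILITY = {"E": "exportable under a trusted key", "N": "non-exportable", "S": "sensitive"}
HEADER_LEN = 16


@dataclass
class KeyBlockHeader:
    version: str          # byte 0: key block version id (A, B, C or D)
    block_length: int     # bytes 1-4: total key block length, decimal ASCII
    key_usage: str        # bytes 5-6
    algorithm: str        # byte 7
    mode_of_use: str      # byte 8
    key_version: str      # bytes 9-10
    exportability: str    # byte 11
    optional_blocks: Dict[str, str] = field(default_factory=dict)  # id -> data


def parse_header(block: str) -> KeyBlockHeader:
    """Parse the fixed header plus any optional blocks; raise on structural errors."""
    if len(block) < HEADER_LEN:
        raise ValueError("key block shorter than the 16-character header")
    version = block[0]
    if version not in "ABCD":
        raise ValueError(f"unknown key block version id {version!r}")
    declared = int(block[1:5])
    if declared != len(block):
        raise ValueError(f"declared length {declared} does not match actual length {len(block)}")
    hdr = KeyBlockHeader(version, declared, block[5:7], block[7], block[8], block[9:11], block[11])
    num_optional = int(block[12:14])   # bytes 12-13: number of optional blocks
    pos = HEADER_LEN
    for _ in range(num_optional):
        opt_id = block[pos:pos + 2]
        opt_len = int(block[pos + 2:pos + 4], 16)  # hex length, counts id + length + data
        if opt_len < 4 or pos + opt_len > len(block):
            raise ValueError(f"optional block {opt_id!r} has invalid length {opt_len}")
        hdr.optional_blocks[opt_id] = block[pos + 4:pos + opt_len]
        pos += opt_len
    return hdr


def policy_findings(hdr: KeyBlockHeader) -> List[str]:
    """Example local policy (an assumption for illustration, not the PCI PIN requirement text)."""
    findings = []
    if hdr.version in ("A", "C"):
        findings.append("key variant binding (version A/C); prefer key derivation binding (B or D)")
    if hdr.algorithm == "D":
        findings.append("single DES is not an acceptable PIN key algorithm")
    if hdr.key_usage not in KEY_USAGE:
        findings.append(f"unexpected key usage {hdr.key_usage!r}")
    if hdr.key_usage == "P0" and hdr.mode_of_use == "N":
        findings.append("PIN key carries no usage restriction (mode of use N)")
    if hdr.key_usage in ("P0", "B0") and hdr.exportability == "E":
        findings.append("PIN/BDK key is marked exportable")
    return findings


def audit_key_block(block: str) -> dict:
    """Decode the header into readable fields and attach policy findings."""
    hdr = parse_header(block)
    return {
        "usage": KEY_USAGE.get(hdr.key_usage, "unknown"),
        "algorithm": ALGORITHM.get(hdr.algorithm, "unknown"),
        "mode": MODE_OF_USE.get(hdr.mode_of_use, "unknown"),
        "exportability": EXPORTABILITY.get(hdr.exportability, "unknown"),
        "optional_blocks": hdr.optional_blocks,
        "findings": policy_findings(hdr),
    }


# Constructed samples: header + placeholder wrapped-key hex + placeholder MAC hex.
ZPK_BLOCK = "B0080P0TE00N0000" + "0123456789ABCDEF" * 3 + "FEDCBA9876543210"
BDK_BLOCK = "D0120B0AX00S0100" + "KS081234" + "0123456789ABCDEF" * 4 + "FEDCBA9876543210" * 2
WEAK_BLOCK = "A0080P0DN00E0000" + "0123456789ABCDEF" * 3 + "FEDCBA9876543210"

if __name__ == "__main__":
    for name, blk in (("ZPK", ZPK_BLOCK), ("BDK", BDK_BLOCK), ("WEAK", WEAK_BLOCK)):
        print(name, audit_key_block(blk))
```

The length check is the first thing a receiving host should do: a mismatch between the declared and actual length means the block was truncated or tampered with before it ever reaches the HSM. The findings list is where an entity would encode its own key-management policy, for example the brand-mandated move away from single DES and from keys with no usage restriction.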
  • 19. What is the PCI PIN Certification Process?
  • 20. Why ControlCase
  • 21. Summary – Why ControlCase?
    Partnership Approach; Continuous Compliance Services; Compliance HUB
    “They provide excellent service, expertise and technology. And, the visibility into my compliance throughout the year and during the audit process provide a lot of value to us.” — Dir. of Compliance, SaaS company
  • 22. Q&A – Open Forum
  • 23. Q&A © 2020 ControlCase. All Rights Reserved.
    Q1. We understand that PIN applies to acquirers. We don’t manage ATMs and POI devices. Can we still be certified under PIN?
    Ans: Yes, the PIN can be certified to acquirers who handle the PIN transaction regardless of whether they own or manage ATMs or POI devices. We review the PIN transaction processing area and validate the applicable controls.
    Q2. Is a Host Security Module or HSM mandatory for PIN assessment? If yes, should it be PCI PTS or FIPS certified?
    Ans: HSM is an integral part of PIN assessment. It processes key management and is the only device that can see clear-text PINs and clear cryptographic keys. PCI PTS or FIPS 140-2 Level 3 certification is mandatory. Note that the client should not only be certified but also demonstrate that it is implemented in compliance mode.
    Q2.1 Can they use cloud HSMs?
    Ans: Yes, many cloud HSMs are available that are certified under FIPS 140-2 Level 3 and acceptable for financial transactions.
  • 24. Q&A
    Q3. There are additional controls that are applicable based on new dates. Are there any compensating controls if an entity cannot meet those dates?
    Ans: These controls are part of the standard and must be compliant. However, if the controls cannot be met due to business or technical constraints, compensating controls can be considered. It's important to note that compensating controls may be reviewed by the brands.
    Q4. Visa has updated its PIN assessment guidelines. What are the changes?
    Ans: In its recent program update, Visa informed that PCI PIN validation documents need not be submitted to Visa, and the Visa Global Registry will not be updated. One other notable observation is that the same QPA may perform the assessment for more than two cycles for the same entity.
  • 25. Thank you for the opportunity to contribute to your IT compliance program.
    For additional queries/support: Biju John, bjohn@controlcase.com, +1 571-412-9898
  • 26. ControlCase Compliance & Certification Process
    950 hours: average time spent on compliance & certification of 1 environment with 4 parallel certifications (PCI DSS, ISO 27001, SOC2 & HIPAA) by partnering with ControlCase.
    Process stages (10 steps, grouped into a Compliance phase and a Certification phase): consolidated pre-certification assessment; strategy call; Compliance HUB setup; scoping; manual evidence collection; automated evidence collection (collect once & use for multiple regulations); submission to accreditation body; on-site accreditation body requirements; quality assurance requirements; report release.
  • 27. ControlCase Compliance Process – Time Saved Through Multi-Regulation Mapping/One Audit
    Steps shown: consolidated pre-certification assessment; strategy call; Compliance HUB setup; scoping; automated evidence collection; manual evidence collection (collect once & use for multiple regulations).
    Step details as shown on the slide:
    • Determine environment; determine target certification dates
    • Collects region information, list of instances running in all regions, and public IP addresses: cloud locations; collect inventory; assessor creates samples
    • Tools required to collect evidence automatically, run data discovery, run remote vulnerability assessment, and penetration test: VAPT; L&M; CDD; ACE
    • Collects time-consuming evidence such as firewall ruleset, system hardening, password policy, security patches, etc.: network mgmt.; configuration mgmt.; antivirus; patches & security policies; logging & monitoring
    • Manual evidence areas: PCI DSS; data flow & processes; policy & procedures; physical security; HR & incident response
    Time saved through multi-regulation mapping/One Audit: 900 hours*. Time saved through automation: 350 hours*.
    * Based on 1 environment with 4 parallel certifications (PCI, ISO, SOC2, & HIPAA).
  • 28. Compliance Evidence Overlap
    Regulation completed: PCI (100% complete). Status of the other regulations, based on question overlap:
    • SOC 2: 49.1% (84) complete; 50.9% (87) no evidence uploaded
    • ISO 27001: 67% (77) complete; 33% (38) no evidence uploaded
    • HIPAA: 76.1% (54) complete; 23.9% (17) no evidence uploaded
  • 29. Compliance Requirement Overlap
    Columns: Question No. | Topic | Question | ControlCase Integrated Standard | PCI DSS 3.2.1 / ISO 27001 / HIPAA / SOC2
    • 4 | Scoping | Provide your asset list, a list of the software, databases, data storage locations, sample sets, and other related data elements. | CC4 | X X X X
    • 28 | Data Encryption at Rest | Provide the following for all filesystems, databases and any backup media: details on the method (encryption, hashing, truncation, tokenization) being used to protect covered information in storage; evidence (screenshots or settings) showing covered information is protected (for the encryption method, please share the evidence of its associated key management); documented description of the cryptographic architecture that includes: 1. details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date; 2. the function of each key used in the cryptographic architecture; 3. inventory of any HSMs and other secure cryptographic devices (SCD) used for key management (to be provided in inventory as part of Q4). | CC37 | X X X X
    • 44 | Logical Access | Provide the organizational access control policy. | CC63 | X X X X
    • 50 | Logical Access | For all assets identified in the sample provide evidence of logical access account and password features to include: account lockout policy; account lockout duration; session timeout policy; password length; password complexity; password history; password expiry. | CC69 | X X X X
    • 67 | Logging and Monitoring | For the sample, provide the audit log policy settings. | CC95 | X X X
    • 77 | Security Testing | Provide external penetration test reports for network and application layer. | CC115 | X X X
  • 30. Average Time for Compliance & Certification
    Average time spent by customer on compliance & certification of 1 environment with 4 parallel certifications*:
                                         PCI DSS    ISO 27001   SOC2       HIPAA      TOTAL
      Compliance / Evidence Collection    400 hrs.   400 hrs.    400 hrs.   400 hrs.   1,600 hrs.
      Certification Support               150 hrs.   150 hrs.    150 hrs.   150 hrs.     600 hrs.
    Evidence collection & compliance total:
      • Time saved through ControlCase multi-regulation mapping/One Audit: 900 hrs.
      • Time saved through ControlCase automation: 350 hrs.
      • Total time spent on evidence collection by using another auditor: 1,600 hrs.
      • Total time spent on evidence collection partnering with ControlCase: 350 hrs.
    Certification support total:
      • Total time spent on certification support using another auditor: 600 hrs.
      • Total time spent on certification support partnering with ControlCase: 600 hrs.
    Total time spent on compliance & certification using another auditor: 2,200 hrs.*
    Total time spent on compliance & certification in AWS by partnering with ControlCase: 950 hrs.*
    Total time saved on compliance & certification by partnering with ControlCase: 1,250 hrs.*
    * Based on 1 environment with 4 parallel certifications (PCI, ISO, SOC2, & HIPAA).
  • 31. Compliance & Certification Time Savings
    • Using another auditor: 1,600 hrs. evidence collection* + 600 hrs. certification support* = 2,200 hrs. total time spent on compliance & certification*
    • Partnering with ControlCase: 350 hrs. evidence collection* + 600 hrs. certification support* = 950 hrs. total time spent on compliance & certification*
    * Based on 1 environment with 4 parallel certifications (PCI, ISO, SOC2, & HIPAA).
  • 32. Certification Technology Footprint
    1. ACE: Automated Compliance Engine; can collect evidence such as configurations remotely
    2. CDD: Data Discovery Solution; can scan end user workstations for card data
  • 34. Continuous Compliance
    “The continuous compliance monitoring is a big value add to their audit and certification services, which is good for organizations that don’t have the team in-house. It’s a big differentiator for them.” — VP of IT, Call Center / BPO Company
    70% of companies' assets are non-compliant at some point in the year. Go beyond monitoring and alerting to predict, prioritize and remediate compliance risks before they become security threats. Address common non-compliant situations that leave you vulnerable all year long, including:
    • In-scope assets not reporting logs
    • In-scope assets missed from vulnerability scans
    • Critical, overlooked vulnerabilities due to volume
    • Risky firewall rule sets go undetected
    • Non-compliant user access scenarios not flagged
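The first two situations on the slide above (in-scope assets not reporting logs, in-scope assets missed from vulnerability scans) are both inventory reconciliation problems: the asset list is the source of truth, and the log platform and scanner coverage are checked against it. The reconciliation below is an added example written for this page, not ControlCase's code or a description of its platform; every host, IP, timestamp and scan list is constructed sample data, and the 24-hour silence threshold is an assumption a monitoring team would tune.

```python
"""Added example: reconcile an in-scope asset inventory against log-source and
vulnerability-scan coverage. All hosts, timestamps and scan lists are constructed
sample data; the silence threshold is an assumption, not a PCI-mandated value.
"""
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Constructed in-scope asset inventory (hostname -> IP), the source of truth.
INVENTORY = {
    "pos-gw-01": "10.0.1.10",
    "pos-gw-02": "10.0.1.11",
    "hsm-proxy-01": "10.0.2.20",
    "db-card-01": "10.0.3.30",
    "jump-01": "10.0.9.9",
}

# Constructed: last event timestamp seen per source IP in the log platform.
LAST_LOG_EVENT = {
    "10.0.1.10": "2024-03-10T08:55:00",
    "10.0.1.11": "2024-03-08T23:10:00",   # stale: nothing for more than 24 hours
    "10.0.2.20": "2024-03-10T09:01:00",
    "10.0.9.9": "2024-03-10T08:59:00",
    # 10.0.3.30 (db-card-01) has never forwarded a single event
}

# Constructed: IPs covered by the most recent internal vulnerability scan.
# 10.0.4.40 is scanned but absent from the inventory, i.e. inventory drift.
SCANNED_IPS = {"10.0.1.10", "10.0.1.11", "10.0.2.20", "10.0.9.9", "10.0.4.40"}

# Constructed "current time" for the sample run.
SAMPLE_NOW = datetime(2024, 3, 10, 9, 5)


def reconcile(inventory: Dict[str, str], last_log_event: Dict[str, str],
              scanned_ips: Iterable[str], now: datetime,
              max_silence: timedelta = timedelta(hours=24)) -> Dict[str, List[str]]:
    """Return the compliance gaps found when comparing coverage data to the inventory.

    no_logs          in-scope hosts with no log source at all
    stale_logs       in-scope hosts whose last event is older than max_silence
    not_scanned      in-scope hosts missing from the latest scan
    not_in_inventory scanned IPs that the inventory does not know about
    """
    scanned = set(scanned_ips)
    known_ips = set(inventory.values())
    gaps: Dict[str, List[str]] = {"no_logs": [], "stale_logs": [], "not_scanned": [],
                                  "not_in_inventory": []}
    for host, ip in sorted(inventory.items()):
        last = last_log_event.get(ip)
        if last is None:
            gaps["no_logs"].append(host)
        elif now - datetime.fromisoformat(last) > max_silence:
            gaps["stale_logs"].append(host)
        if ip not in scanned:
            gaps["not_scanned"].append(host)
    gaps["not_in_inventory"] = sorted(scanned - known_ips)
    return gaps


def run_sample() -> Dict[str, List[str]]:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(INVENTORY, LAST_LOG_EVENT, SCANNED_IPS, SAMPLE_NOW)


if __name__ == "__main__":
    for gap, hosts in run_sample().items():
        print(f"{gap:17s} {', '.join(hosts) or '-'}")
```

Running this quarterly (or continuously) turns the slide's bullet points into a concrete check: a host that is in scope but silent in the log platform, or absent from the scan, is surfaced long before an assessor samples it. The reverse direction, scanned IPs that the inventory does not list, is the signal that the scope document itself is out of date.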
  • 35. Continuous Compliance Services
    What is continuous compliance:
    • Quarterly review of 20-25 high impact/high risk questions
    • Technical review of vulnerability scans, log management, asset list, and other available automated systems
    Benefits of continuous compliance:
    • Eliminates the need for potential major last-minute audit findings
    • Reduces effort for the final audit by approximately 25%
    • Reduces the risk of technical shortcomings such as: quarterly scans missed certain assets; logs from all assets not reporting
    Deliverable of continuous compliance
  • 36. Predictive Continuous Compliance Services
    Continuous compliance component (PCI requirement met):
    • Firewall rule-set analysis (1)
    • Configuration scanning (2)
    • Searching of cardholder data within environment (3)
    • Secure coding developer training (6)
    • Application security scanning (6)
    • Logging platform (10)
    • File integrity monitoring platform (10)
    • Review of logs and alerts to meet PCI DSS requirements (10)
    • Secure storage and archival of parsed logs (10)
    • Internal vulnerability scanning (11)
    • External vulnerability scanning (ASV approved scan) (11)
    • Internal penetration testing (11)
    • External penetration testing (11)
    • Application penetration testing (11)
    • Distribution and attestation of annual security awareness training (12)
  • 37. Predictive Continuous Compliance Services
    What is Continuous Compliance?
    • Quarterly review of 20-25 high impact/high risk questions
    • Technical review of vulnerability scans, log management, asset list, and other available automated systems
    Benefits of Continuous Compliance:
    • Eliminates the need for potential major last-minute audit findings
    • Reduces effort for the final audit by approximately 25%
    • Reduces the risk of technical shortcomings such as: quarterly scans missed certain assets; logs from all assets not reporting
    Deliverables of Continuous Compliance:
    • Quarterly compliant/non-compliant status on dashboard by activity area
    • Risk rating every quarter
  • 38. ControlCase Snapshot – Automation-driven
    Compliance HUB Portal: automation-driven certification and continuous compliance
  • 39. Quarterly Questions (No. | Meeting topic | ControlCase Questionnaire Reference)
    Scoping:
    • 1 | Review of scoping information: review of DFD; review of network diagram; review of asset inventory; review of in-scope locations | Q1, Q2, Q3, Q4, Q5, Q7, Q8
    Significant Infrastructure Changes:
    • 2 | Review of significant changes records | Q41
    • 3 | Review new installations for hardening process | Q23
  • 40. Quarterly Questions (No. | Meeting topic | ControlCase Questionnaire Reference)
    Security Scans & Tests:
    • 4 | Review of quarterly VA scan report | Q74
    • 5 | Review of quarterly ASV scan report | Q75
    • 6 | Review of quarterly wireless scan report | Q72
    • 7 | Review of semi-annual segmentation test report | Q79
    • 8 | Review of semi-annual firewall ruleset review | Q11
    • 9 | Review of recent secure code review reports | Q37
    PCI Controls Review:
    • 10 | Review quarterly compliance review and communication to top management (PCI DSS Charter) | Q87
    • 11 | Quarterly user access review | Q48
    • 12 | Store POI (PIN pad) verification process | Q65, Q66
    • 13 | Review of platform-specific logs for completeness and daily log review process | Q68, Q71
    • 14 | Review of in-scope third-party service providers list and PCI compliance status, due diligence for new vendors | Q90, Q91, Q92
    • 15 | Review of sample tickets for new user access creation, modification and removal | Q46, Q47, Q59
  • 41. Continuous Compliance Technology Footprint
    1. ACE: Automated Compliance Engine; can collect evidence such as configurations remotely
    2. CDD: Data Discovery Solution; can scan end user workstations for card data
    3. VAPT: Vulnerability Assessment and Penetration Testing; can perform remote vulnerability scans and penetration tests
    4. LOGS: Log Analysis and Alerting; can review log settings and identify missing logs remotely