PIN Security Requirements:
2-3 Online PINs must be encrypted using an algorithm and key size specified in ISO 9564. Currently, the only approved algorithms for online PIN are:
- The TDEA using the electronic code book (TECB) mode of operation, and
- AES as described in ISO 18033-3.
For purposes of these requirements, all references to TECB assume key options 1 or 2 as defined in ISO 18033-3: either three independent keys (option 1) or K1 = K3 with a distinct K2 (option 2). Keying option 3 (K1 = K2 = K3), which reduces TDEA to single DES, is not permitted.
Note: The effective dates for supporting ISO Format 4 PIN Blocks that were previously communicated in v3.0 of the PCI PIN Security Requirements and Testing Procedures have been suspended at this time.
Due to the nature of TDEA-to-AES migration and its effect across the payment ecosystem, PCI SSC is reevaluating these dates. Revised effective dates will be communicated at a later time.
PCI SSC encourages all parties to continue their migration efforts to support ISO Format 4 PIN Blocks.
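As an added worked example (written for this page; it is not PCI SSC text or any vendor's implementation), the Go program below forms ISO 9564-1 PIN blocks and encrypts each as a single block under the two permitted algorithm families: a Format 0 block under TDEA in ECB mode, and a Format 4 block under AES using that format's two-pass construction, in which the PAN field is XORed in between two AES encryptions of the PIN field. The TDEA key check enforces the keying-option restriction above by rejecting single-length keys and any double- or triple-length key whose parts collapse to single DES. The PAN, PIN, keys and the fixed "random" fill bytes are constructed test values; in production the Format 4 fill comes from a fresh random source inside the HSM, and clear PIN blocks and keys never exist in host software, which is what the hardware-encryption parameter in 2-3.d checks.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

func isDigits(s string, lo, hi int) bool {
	return len(s) >= lo && len(s) <= hi && strings.Trim(s, "0123456789") == ""
}

// TDEACipher accepts only the TDEA keys requirement 2-3 allows: double-length (keying
// option 2, used as K1|K2|K1) or triple-length (keying option 1). Single-length keys and
// keys with K1==K2 or K2==K3, which collapse E(K3)D(K2)E(K1) to single DES, are rejected.
func TDEACipher(key []byte) (cipher.Block, error) {
	if len(key) == 16 {
		key = append(append([]byte{}, key...), key[:8]...)
	}
	if len(key) != 24 || string(key[:8]) == string(key[8:16]) || string(key[8:16]) == string(key[16:]) {
		return nil, fmt.Errorf("TDEA key must be 16 or 24 bytes with K1 != K2 and K2 != K3, got %d bytes", len(key))
	}
	return des.NewTripleDESCipher(key)
}

// EncryptFormat0 forms an ISO 9564-1 Format 0 block (PIN field '0'|len|PIN|'F' fill XOR PAN field
// '0000'|rightmost 12 PAN digits excluding the check digit, zero-padded if shorter) and TECB-encrypts it.
func EncryptFormat0(pin, pan string, key []byte) ([]byte, error) {
	c, err := TDEACipher(key)
	if err != nil || !isDigits(pin, 4, 12) || !isDigits(pan, 2, 19) {
		return nil, fmt.Errorf("key: %v; PIN must be 4-12 digits and PAN 2-19 digits", err)
	}
	pinField, _ := hex.DecodeString(fmt.Sprintf("0%X%s%s", len(pin), pin, strings.Repeat("F", 14-len(pin))))
	acct := strings.Repeat("0", 12) + pan[:len(pan)-1]
	panField, _ := hex.DecodeString("0000" + acct[len(acct)-12:])
	out := make([]byte, 8)
	c.Encrypt(out, xor(pinField, panField))
	return out, nil
}

// format4PANField: (PAN length - 12) | PAN including check digit | zero fill to 32
// nibbles; PANs shorter than 12 digits are left-padded with zeros to 12 first.
func format4PANField(pan string) []byte {
	if len(pan) < 12 {
		pan = strings.Repeat("0", 12-len(pan)) + pan
	}
	f, _ := hex.DecodeString(fmt.Sprintf("%X%s%s", len(pan)-12, pan, strings.Repeat("0", 31-len(pan))))
	return f
}

// EncryptFormat4 builds the Format 4 PIN field ('4' | PIN length | PIN | 'A' fill to 16
// nibbles | 8 random bytes) and applies the two passes C = AES(K, AES(K, PINfield) XOR PANfield).
func EncryptFormat4(pin, pan string, key []byte, random [8]byte) ([]byte, error) {
	c, err := aes.NewCipher(key) // accepts 16-, 24- or 32-byte keys only
	if err != nil || !isDigits(pin, 4, 12) || !isDigits(pan, 1, 19) {
		return nil, fmt.Errorf("key: %v; PIN must be 4-12 digits and PAN 1-19 digits", err)
	}
	pinField, _ := hex.DecodeString(fmt.Sprintf("4%X%s%s%x", len(pin), pin, strings.Repeat("A", 14-len(pin)), random[:]))
	a, out := make([]byte, 16), make([]byte, 16)
	c.Encrypt(a, pinField)
	c.Encrypt(out, xor(a, format4PANField(pan)))
	return out, nil
}

// DecryptFormat4 reverses both passes and validates the recovered PIN field, so a wrong
// key or PAN is reported as an error rather than returned as a plausible wrong PIN.
func DecryptFormat4(block []byte, pan string, key []byte) (string, error) {
	c, err := aes.NewCipher(key)
	if err != nil || len(block) != 16 || !isDigits(pan, 1, 19) {
		return "", fmt.Errorf("key: %v; block must be 16 bytes and PAN 1-19 digits", err)
	}
	b, p := make([]byte, 16), make([]byte, 16)
	c.Decrypt(b, block)
	c.Decrypt(p, xor(b, format4PANField(pan)))
	h, n := strings.ToUpper(hex.EncodeToString(p[:8])), int(p[0]&0x0F)
	if h[0] != '4' || n < 4 || n > 12 || !isDigits(h[2:2+n], 4, 12) || h[2+n:] != strings.Repeat("A", 14-n) {
		return "", fmt.Errorf("malformed Format 4 PIN field: wrong key, wrong PAN or not Format 4")
	}
	return h[2 : 2+n], nil
}

func main() {
	pan, key := "4000001234567899", []byte("0123456789ABCDEF0123456789ABCDEF") // constructed test values
	enc0, _ := EncryptFormat0("1234", pan, key[:16])                            // double-length TDEA key
	enc4, _ := EncryptFormat4("1234", pan, key, [8]byte{1, 2, 3, 4, 5, 6, 7, 8}) // AES-256, fixed fill for the demo
	pin, _ := DecryptFormat4(enc4, pan, key)
	fmt.Printf("Format 0 TECB: %X\nFormat 4 AES:  %X -> PIN %s\n", enc0, enc4, pin)
}
```

Running the file prints the TECB-encrypted Format 0 block, the AES Format 4 block and the PIN recovered from it. Because the PAN is bound into both formats, decrypting a Format 4 block under the wrong PAN or key yields a field that fails the control-nibble, length and fill checks, and DecryptFormat4 reports that as an error instead of handing back a plausible but wrong PIN; the same key-length and degeneracy checks in TDEACipher are what an assessor is looking for when examining the algorithm and key-size parameters under 2-3.b through 2-3.d.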
Testing Procedures:
2-3.a Interview responsible personnel to determine encryption algorithms utilized in connection with “not-on-us” acquisitions of PIN blocks.
2-3.b Examine system documentation, the list of cryptographic keys, and the network schematic to verify information provided during the aforementioned interviews:
- For internally developed systems, examine system design documentation or source code for the key type (algorithm) and key sizes used to encrypt the PIN blocks, and examine the point in the code where the calls to the hardware security module are made.
- For application packages, examine parameter files (e.g., the Base24 KEYF file) to determine the key type (algorithm) and key sizes used to encrypt PIN blocks.
2-3.c Examine the HSM configuration to ensure that the PIN translation encryption algorithms are only TDEA and/or AES.
2-3.d Examine the algorithm type parameter (to ensure it denotes TDEA and/or AES) and the hardware-encryption-required parameter (if applicable, to ensure it indicates hardware encryption rather than software encryption) on every terminal link, network link, and, if applicable, internal path (i.e., where an intermediate key is used) for the host application.