PCI PIN Security v3.1
Framework
В П.6-2
List of requirements
PIN Security Requirements:
6-2 Multi-use/purpose computing systems shall not be used for key generation where any clear-text secret or private key or component thereof appears in memory outside the tamper-protected boundary of an SCD.
For example, it is not permitted for the cryptographic key to be passed through the memory of a computer unless it has been specifically tasked for the sole purpose of key loading. Computers that have been specifically purposed and used solely for key loading are permitted for use if all other requirements can be met, including those of Requirement 5 and the controls defined in Requirement 13 of Annex B.
Additionally, this requirement excludes from its scope computers used only for administration of SCDs, or key-generation devices that do not have the ability to access clear-text cryptographic keys or components.
Single-purpose computers with an installed SCD or a modified PED where clear keying material is injected directly from a secure port on the key-generating SCD to the target SCD (e.g., a POI device) meet this requirement. Where the components or key pass through memory of the PC, Requirement 13 of Annex B must be met.
SCDs used for key generation must meet Requirement 5.1
Note: See Requirements 5 and 13.
Testing Procedures:
6-2.a Examine documented procedures to verify that multi-purpose computing systems are not permitted for key generation where any clear-text secret or private key or component thereof appears in memory outside the tamper-protected boundary of an SCD.
6-2.b Observe generation process and examine vendor documentation for each type of key to verify that multi-purpose computing systems are not used for key generation where any clear-text secret or private key or component thereof appears in memory.
6-2.c Where single-purpose computers with an installed SCD or a modified PED are used, verify that either:
- Clear keying material is injected directly from a secure port on the SCD to the target (e.g., a POI device), or
- Where clear keying material passes through memory of the PC, the PC requirements of Requirement 13 of Annex B are met.