Issuer PIN Security Guidelines - Visa
Using This Document

Purpose

This manual provides guidelines for PIN security in the issuer domain during:

• Use of issuer approved¹ devices for PIN entry during transactions requiring PIN entry, for example non POS/ATM or ‘On-Us’ ATM transactions.
• Cardholder PIN management.

The intent of these guidelines is to manage the exposure of PINs and associated data (processed during the types of transaction within the scope of this document) that could be used to clone cardholder payment devices for use in any payment channel.

These guidelines represent best practice for issuer PIN management unless business needs dictate otherwise.

Under these guidelines, issuer PIN security management is at the issuer’s own risk.

Acquirer PIN security requirements for the secure management, processing, and transmission of PINs during online and offline payment card transaction processing at ATMs, and attended and unattended point-of-sale (POS) terminals are provided in the PCI PIN Security Requirements. Cardholder PIN entry in the acquirer domain should be performed using PED/EPPs in accordance with payment-system brand requirements that relate to the PCI PTS Program.

This manual is designed to provide PIN security guidelines for all payment accounts that use a PIN, including those associated with magnetic stripe cards, chip cards, ‘hybrid’ cards that incorporate both a magnetic stripe and a chip or any other cardholder payment device form factor.

These guidelines were derived from existing Visa and MasterCard documentation and finalized in this version by representatives of the two payment-system brands.

Payment-system brand rules that relate to topics in this document supersede any guidelines on those topics.

¹ A device, possibly provided by the issuer but not necessarily, whose use for cardholder PIN entry is permitted under conditions specified by the issuer.
Visa Public © 2010 Visa. All Rights Reserved.