You are here:

PCI PIN validation

PCI PIN Standard consists of requirements for the secure management, processing, and transmission of personal identification number (PIN) data during online and offline payment card transaction processing at ATMs and attended and unattended point-of-sale (POS) terminals.

The purpose of a PCI PIN Assessment is to assess that organizations are securely managing, processing, and transmitting PIN data during online and offline payment card transactions.

    SC2labs provides PCI PIN validation service as a qualified PCI QPA  Assessor

certified by the PCI Security Standards Council.

In general, the requirements of the PCI PIN standard must be met by all organizations or its supporting 3rd parties that accept or process transactions from ATMs or point-of-sale terminals on the acquiring side. This applies in particular to banks, payment providers and network operators.

According to the requirements of Card Brands, those service vendors providing Key Injection Facilities (KIF) and Certification Authority are subject to Self-Assessment Questionnaire or a QPA assessment completed by a PCI SSC Qualified Pin Security Assessor (QPA).  All acquiring institutions and agents (e.g., key-injection facilities and certificate processors) responsible for PIN transaction processing on the payment card industry participants’ denominated accounts should be required to complete a Self-Assessment Questionnaire or complete an audit by PCI SSC authorized Qualified Pin Security Assessor (QPA).

Organizations are required to have an onsite assessment conducted by a Qualified PIN Assessor (QPA) every 2 years.

A PCI PIN Assessment involves encryption and key management of PIN transactions, as well as the secure management of processing equipment. POS devices (where you enter your PIN) and the hardware security module (HSM) used to decrypt the PIN and manage the keys are all key parts of a PIN Assessment. Your PIN is encrypted and its unique key is stored on the device. Any part of this chain–processing the PIN and managing keys used to protect the PIN–is considered in scope.

Kickoff and Planning

The kickoff is considered the start of the engagement after the agreement is executed. We will discuss the certification process, identify the point of contact from both organizations and timelines for assessment, define a project roadmap and plan the next steps.

One of the most important steps is the PIN scoping workshop to identify the systems that, at a minimum, need to be included in the scope of PCI PIN.

Formal validation

The PCI PIN Assessment of Compliance is the formal process where an accreditated Qualified Pin Security Assessor will conduct on-site interviews, system configuration sampling, technical tests and document reviews. Testing and gathering is the core of compliance engagement. The results of the on-site assessment are documented.


The report will be provided within 3 weeks of the last day of successful completion (all required documents are delivered and collected by the QPA auditor)

The deliverables include:

  • RoC – Report on Compliance

  • AoC – Attestation of Compliance

Continual Support

After your successful certification, we provide continual support in the ongoing maintenance of the organization’s compliance - we will provide and discuss changes to the security standard itself, as well as explain and support with emerging issues and questions.