PCI, X9 create a single PIN security standard

Seeking to clarify how merchants and banks should handle PIN debit transactions, the Accredited Standards Committee X9 and PCI Security Standards Council have created a unified standard.

Since 2018, X9 and the PCI council have been partners in combining technical reports, requirements and testing procedures to begin a joint initiative that would eliminate the need for separate standards and processes related to accepting PIN transactions and keeping PINs safe.

Ultimately, the security organizations worked to merge their processes into one document, which has become version 3.0 of the PCI council's PIN Security requirements and testing standard.

With much of the X9 standard becoming outdated during the process, X9 approved its withdrawal from the publication to establish a new, unified single standard. X9 will continue to partner with the PCI council on future versions of the standard.

The organizations said they reached their goal of creating a single PIN security standard and assessor qualification program that PCI SSC would manage.

"This is a significant win for the payments industry in that we now have greater clarity and consensus around a single PIN standard," PCI SSC senior vice president Troy Leach said in a press release. "Our two organizations have always enjoyed a strong working relationship, and this is yet another example of us coming together to advance better payment security."

The unified PIN standard, available on the PCI SSC website, identifies minimum security requirements for PIN-based interchange transactions, and outlines the minimum acceptable requirements for securing PINs and encryption keys. It also assists all retail electronic payment system participants in establishing assurances that cardholder PINs will not be compromised.

Essentially, PCI SSC has concentrated on payments security and the detection, mitigation and prevention of cyberattacks and breaches in physical and e-commerce retail settings. At the same time, X9 has developed and maintained national and international standards for the financial services industry. Those standards include retail, mobile and business payments, corporate treasury functions, blockchain technology, processing of electronic legal orders, tracking of financial transactions and messaging through ISO, quantum computing, checks and cloud-based services.

"Our two organizations can be very proud of the results of our ongoing partnership through the PCI PIN Assessment Working Group," X9 executive director Steve Stevens said in the release. "This document contains the best of both its predecessors, and it will enable the highest level of security at the lowest possible cost."
