In recent years, the digitization of the payment ecosystem has taken off, and today most large businesses, e-commerce sites and organizations, whether B2B or B2C, accept credit card payments.
In parallel, more advanced systems have begun to proliferate, such as NFC payments, which let users pay by holding their cell phone close to a point-of-sale terminal.
These new trends have been a breakthrough for the payment ecosystem, simplifying payment transactions and the subsequent management of consumer data. However, they have also given rise to new risks and cyberthreats, both for individuals and for the companies that sell products and services.
The flip side of this technological advance is the growing wave of cyberattacks around the world. So far in 2024, several companies and financial institutions in Spain have suffered computer attacks and theft of their databases, from Banco Santander to Iberdrola, Flexicar, El Corte Inglés and the DGT itself.
Both large and small companies can be targeted by attackers and suffer the theft of sensitive financial information, such as card numbers, security codes or the PINs used for face-to-face payments.
What can companies do to protect financial information and data?
Companies are reinforcing their threat detection, investigation and response (TDIR) systems and standing up new SOCs (Security Operations Centers) to mitigate this growing wave of cyberattacks and improve their ability to detect and contain threats.
Above all, organizations are trying to keep up with regulation and adopt the latest standards, security certifications and European directives, such as SWIFT, NIS 2, DORA and PSD2. They also want to comply with the standards and frameworks developed by the PCI SSC, such as PCI DSS.
The PCI DSS is the global standard that provides a baseline of technical and operational requirements designed to protect cardholder data.
This standard applies to all entities involved in storing, processing and/or transmitting cardholder data and/or sensitive payment card authentication data, including merchants and processors.
Earlier this year the PCI Security Standards Council released the new version of this standard. Version 4 introduces important changes from the previous version, such as the customized approach. This method allows an organization to meet the stated objective of a requirement with controls of its own design, rather than strictly following the defined requirement.
PCI DSS is just one piece of the complex puzzle of security regulation. Alongside this certification there are various other frameworks and standards, such as SPoC, MPoC, CPoC, PCI SSF, PCI 3DS and PCI PIN. The latter is of interest both to consumers, whose banking data may be compromised, and to companies, which must work to ensure that this does not happen.
Payment Card Industry PIN Security (PCI PIN) is the security standard that defines the set of requirements for managing, processing and transmitting personal identification number (PIN) data during transactions or payments.
PCI PIN therefore ensures that PINs are protected during card payment processing. But are companies obliged to have this standard in place?
Is it mandatory to follow the PCI PIN standard?
The PCI PIN security standard applies to different entities such as banks, payment processors and service providers that handle PIN-based card transactions.
Service providers subject to this standard include those that acquire, process, store or transmit PIN-based payment transactions, as well as those that provide the cryptographic key management services associated with PIN-based payments, such as Key Injection Facilities (KIFs) and Certification and Registration Authorities (CAs and RAs).
Other entities may also fall within the scope of PCI PIN if a participating payment brand so indicates.
Companies that audit their PCI PIN compliance project greater confidence to consumers
The PCI PIN standard covers the security of online and offline card payments at ATMs, as well as at attended and unattended point-of-sale (POS) terminals.
For this reason, companies that choose to audit the operation of their PIN data collection systems and implement this standard take the security of their transactions to the next level. They also project greater confidence and professionalism to consumers.
PCI PIN audits increase a company's competitiveness in the market relative to companies that have no advanced control system for this standard and cannot guarantee compliance with it.
Currently, there are only 80 cybersecurity companies in the world certified as Qualified PIN Assessor (QPA) Companies by the PCI Security Standards Council. A2SECURE is one of the few companies that can conduct PCI PIN audits.
Would you like to strengthen your security protocols and meet stringent international PIN data protection standards? Contact us to find out how our PCI PIN audit works and the benefits it will bring to your organization.