- Acquiring (including ISOs)
- Processing
- Storage
- Transmission
- Key-injection facilities (KIFs)
- Certificate and registration authorities (CAs and RAs)
In addition, other entities may fall into scope if directed by a participating payment brand to perform a PIN Assessment.
How often is a PCI PIN Assessment done?
PCI PIN Assessments are done every 2 years.
What is the process of a PCI PIN Assessment?
The PCI PIN Assessment process will depend heavily on the client’s environment. A PIN Assessment is generally more complicated than a regular PCI DSS Assessment. Analysts must assess both the operational front end and the decryption environment. This includes the payment processing equipment as well as strict and detailed key management processes. To put it in perspective, a PCI DSS Report on Compliance (ROC) usually has around 18 to 20 pages devoted to key management, while a PCI PIN Report on Compliance may have over two hundred.
SecurityMetrics works with businesses of all maturity and experience levels to establish processes and maintain PCI PIN compliance year after year. The PCI PIN ROC format is fixed by the PCI Security Standards Council and should not vary depending on the security vendor.
After the report is complete, it will be sent to the card brands.
How much does a PCI PIN Assessment cost?
PCI PIN Assessments start at around $50,000, but price will depend on a few factors. These include the amount of consulting time necessary to prepare for the PIN assessment and the number of locations that need to be assessed.
Get my free SecurityMetrics PCI Guide
Is SecurityMetrics a Qualified PIN Assessor?
Yes, SecurityMetrics is a Qualified PIN Assessor, or QPA.
From the PCI Council: “Qualified PIN Assessor (QPA) Companies are security organizations that have been qualified by the Council to validate an entity's adherence to the PCI PIN Standard. QPA Employees are individuals who are employed by a QPA Company and have satisfied all requirements to perform PCI PIN Assessments as described in the QPA Qualification Requirements.”
Why Work With SecurityMetrics for your PCI PIN Assessment?
Since the beginning of the P2PE standard, SecurityMetrics has been working with the PCI Security Standards Council to help companies develop secure and compliant key management and encryption solutions. Now with the PCI PIN standard, we are able to use that in-depth knowledge to help companies achieve PIN compliance.
As a full-service cybersecurity and compliance firm with over 20 years in PCI, SecurityMetrics is one of a handful of companies certified by the PCI Security Standards Council to complete PCI PIN Assessments. Our assessors have decades of experience in PCI DSS compliance and P2PE Assessments, and have completed over 2,000 security audits in unique payment environments. Our customers are all over the world and from all industries.
Security audits are inherently complicated; SecurityMetrics uses innovative solutions to keep communication fluid and help streamline your audit. Assessors and supporting teams provide customers with a simplified way to facilitate documentation and keep them on track with project management software.
Mark Miner is a Principal Security Analyst and Assessor at SecurityMetrics. He has over 21 years of experience in network security. Mark has current CISSP, QSA (P2PE), PA-QSA (P2PE) certifications, and his expertise has been focused on Payment Card Industry (PCI) security for the past 8.5 years. He has performed over 115 PCI and PA-DSS assessments.
