How to Prepare for a PIN Assessment: The 3 Phases

No matter the standard, compliance assessments are tricky.

We’ve heard it time and time again from our clients, how once they know they’ve got assessors coming in to take a poke around, they do all they can to be ready.

But a lot of times, they’ll still hear that little voice in the back of their minds, wondering if it’s all been enough to pass the evaluation. Sometimes, you think, it might be nice to have a checklist of sorts—or even just some guidelines.

We’ve got good news for you.

Nobody expects you to understand the nuances of details found within a compliance standard until undertaking it firsthand, especially one like PIN that can get very complicated very quickly. But what we can do for you, right now, is provide definitive guidance for correctly scoping your PIN assessment.

We want to help you prepare as best you can for one of these reviews so as to ease your mind going in and alleviate the stress as much as possible. We’ve identified two major steps required to adequately prepare for your PIN assessment, and we’re going to break them down and provide specific direction on each.

3 Steps to Get Ready for a PIN Assessment

1. Identification

It’s all about the data!

Recall that the PIN assessment evaluates the security of relevant data flows and the elements involved. Knowing that, the best first step you can take to prepare is to clearly and completely identify the systems, personnel, and data involved in these information interchanges.

Consider these questions:

  • Which of your systems receive, process, or transmit PIN data?
  • Which of your systems perform encryption or decryption operations?
  • Is the format of PIN data changed?
  • How are keys managed?
    • This applies to key generation, loading, conveyance (receiving and transmitting), destruction, backups, etc.
    • Key management can also involve additional equipment that is specific to the vendor (e.g., interacting with an HSM) or that is used for storing key backups on a card in a safe.
  • What third-party service providers are used?
    • Most common examples include key-injection facilities, data centers, and certificate/registration authorities.
  • What physical and logical access controls govern access to these systems?

We know—that is a lot to identify. But on the bright side, accomplishing this heavy lift gets you largely there in terms of prep. You’ll understand the data traversing systems, how that data is encrypted and decrypted, the systems responsible for performing key management, the staff necessary to keep this service running, and any third-party service providers used.

One important thing to remember as you attempt to capture everything is that some of your systems may be used in multiple processes. PIN isn’t like some other similar standards you may already know: its scope is not reduced by network and logical segmentation controls alone, so you’ll need to consider the linkages between systems more carefully.

More specifically, look at your Hardware Security Module (HSM), which is often the core of all encryption and decryption operations, PIN format changes, and key management operations.

A Second Look at HSM

If you are, in fact, responsible for the physical controls of an HSM (meaning your organization maintains a secure room), ask yourself and answer the following questions:

  • What are the physical controls in place? The following are required for most implementations:
    • Physical barriers
    • Video surveillance
    • Badge readers
    • Alarms
  • For the physical controls, which are maintained by your organization versus a third party?

2. Documentation

Once you’ve identified everything you need to, your last move to prepare for a PIN assessment requires documentation of it all. We know, very few people wake up in the morning and think, “let’s write all this down,” but evidence is key to every audit, including this type of evaluation.

In our experience reviewing organizations against this standard, current policy documentation usually has a reasonable chance of meeting the requirements, but the procedures can be an entirely different story. Let’s ensure that both are evidenced clearly for your organization and save you a headache later.

Most of the PIN requirements include a specific reference to a process or procedure. The best means to address this is to talk with the staff and ask how it is currently performed. Does this meet the requirement?

  • If yes, write it down and confirm that other staff are following this.
  • If it does not meet the requirement, identify where the current processes are coming up short and then write this down.

While these policies and procedures are meant to be dynamic, there is a significant portion which will remain the same for years. Getting it all onto paper will be a bit arduous, but it’ll be quite a boon to your preparation when complete, and for static processes, this documentation can serve you for multiple assessments.

Documentation that must be present includes:

  • Network diagrams
  • Data flow diagrams
  • Inventory of critical systems
  • Key hierarchy
  • Key inventory
  • Key management policies and procedures
    • This one is by far the largest and contains a large array of subsets such as key generation, key conveyance, and dual control.
  • Policies and procedures for onboarding or decommissioning HSMs
  • Policies and procedures to log or record all actions taken with keys and systems involved in PIN transactions
  • PIN handling procedures for format changes
  • Incident response procedures

If you need more motivation to pull out the pen and paper, consider that this is also a great opportunity to identify where your security issues exist, or if the processes actually used by staff do not at all align with previously documented steps.

(But remember, you’re not doing this to reprimand staff or cause drama—you’re just documenting the actions taken by your staff to confirm that they are both secure and meet the requirements they are set against.)

Optional Step: A Readiness Assessment

As this is no small undertaking, if you are someone who has not undergone a previous review of your PIN security, Schellman recommends a readiness assessment. It will cost more, but you may find the results worth it: together with your auditor, you’ll get a list of clear remediation items and recommendations that you can implement before beginning the full assessment.

While the readiness assessment does not review every requirement with the same level of rigor as a full assessment, it is guaranteed to put you on the successful path to a markedly easier PIN assessment.

Why do we say it’s “optional”? It’s a matter of your resources and your confidence going in, really. Some organizations prefer to do all of their preparation internally, and everything works out perfectly fine after their full assessment, whereas others prefer having that third party check their work beforehand.

Your Next Move

When it comes to those readiness assessments, Schellman has experience preparing organizations, and we’ve become quite familiar with how these PIN requirements can be both unique and how one procedure can address multiple requirements. As we continue to grow our practice in this area, we are also working to help empower other organizations who are considering a review of their PIN security—if that sounds like you, check out our article on the requirements of an assessment to understand what your controls in place will be evaluated against when the time comes.

Of course, as you get more comfortable, you may prefer to speak with someone regarding the specifics of your organization where the PIN standard is concerned, and we at Schellman are happy to set up a call to support you in feeling more at ease with this process.

About the Author

Sully Perella

Sully Perella is a manager at Schellman who leads the PIN and P2PE service lines. His focus also includes the Software Security Framework and 3-Domain Secure services. Having previously served as a networking, switching, computer systems, and cryptological operations technician in the Air Force, Sully now maintains multiple certifications within the payments space. Active within the payments community, he helps draft new payments standards and speaks globally on payment security.
