How Long Will Your PIN Assessment Take?

The 4 Phases

Ben Franklin was a smart guy, and he had this to say about time:

“Time is money,” and “lost time is never found.”

One could argue he had incredible foresight into compliance, because both of those quotes remain extremely relevant to people like you who are taking steps to assure your customers you can be trusted with their most private information.

Part of that information includes PIN data, which is so important that it gets its own assessment for security.  If you’re someone who handles that, it’s in your best interest to bring a third party in to ensure you’re not in for any breaches or surprises otherwise.

But one of the big questions we always get as assessors is: “How long is this going to take?” 

We get it–even if you do want to provide that extra confidence to your clients, you’ve got so many competing priorities already.  It’d be difficult to squeeze in anything, much less a complex review process.

What would probably help is some more information, which is what we are here to provide you. As performers of these reviews, we’ve been through this process before with different clients, each of whom had their own scheduling particulars. That experience has given us a broad perspective on what newcomers to this kind of review–like you–can expect in terms of time spent.

To put it succinctly, there are four phases to a PIN assessment that should take about three weeks altogether. In this article, we will break down the rough intervals of each phase, as well as a timeline for the whole process so that you can feel better about finding the time to fit this in and thereby better assure your customers of your security.

And then, with that completed PIN assessment in hand, everyone involved with your organization will feel more comfortable putting that data in your charge.

Let’s get started. 

The 4 Phases of a PCI PIN Assessment

Let’s establish what we’re talking about first–this type of assessment reviews how you protect PIN data through the following:

  • Key management and exchange processes; 
  • The secure decryption and re-encryption of this information;
  • The protection of systems handling PIN data; and 
  • Ongoing support for these operations.

All PIN assessments follow a standardized process and are led by experienced Qualified PIN Assessors (QPAs).  That process has four phases: Planning, Understanding, Testing, and Reporting.


Planning Phase - One Day

Like all compliance endeavors, a large amount of planning is involved.

  • Scoping: To get started, your assessor will need to understand exactly how you support PIN transactions before defining your assessment scope. They’ll do that by going through the following:
    • Your data flows to identify the systems receiving encrypted PIN values, HSMs or systems involved in decryption/encryption operations;
    • The personnel involved in both support operations and maintaining those systems; and
    • The associated policies and procedures.

Based on that, your assessor will create an information request list that correlates to specific PIN control objectives and decide which requirements are applicable to your organization based on what you handle.

  • Kick-off Call: After the scope is designated, this call marks the beginning of the actual assessment. The project plan, timelines, deliverables, and evidence requests will be reviewed together with your assessor. Not only does this meeting serve as a formal introduction between parties, but it is also a collaborative meeting to identify any limitations, project hurdles, or compliance dates.
  • Required Document: The PCI SSC maintains feedback forms on its website to evaluate an assessment, a QPA Company, or a specific assessor. The PCI SSC asks that you submit this form at the completion of the assessment.


Understanding Phase - Approximately One Week

A PIN assessment is frontloaded, and this phase is proof. You will work together with your assessor on the following:

  • Identification: Identify potential major items as early as possible, so that you have enough time to remediate any findings before the later phases.
  • Specific Documentation and Evidence Requests:
    • Typical requests include policies and procedures, configuration dumps, change control tickets, network and data flows, or system outputs.
    • PIN assessments are largely grounded in the documentation for how keys are generated, exchanged, protected, destroyed, backed-up, and recorded.
    • Assessors receive notification as items are posted and can begin their review accordingly.

  Note: It is not uncommon for some additional tasks to be created as your assessor’s understanding of the environment grows or as new details of business operations come to light.

  • Internal Feedback: For any items where your assessor finds gaps or has questions, you will have the opportunity to provide the answers or more information.


Testing Phase - Approximately One Week

This phase is designed to close gaps and complete observations for the report.

  • Remote and/or In-Person Assessments: Meetings will be scheduled between your relevant personnel and your assessor for interviews and demonstrations of controls or configurations in place.
    • PIN assessments do not require the installation of software or equipment to perform testing.  However, physical controls over data centers, HSMs, and secure rooms do have tests that require specific actions to be taken–these include the review of video surveillance, the review of physical access logs, and the activation of alarms.
  • Remediation: You will have the opportunity to close any gaps revealed by testing.
  • Closing Meeting: At the conclusion of this remote or in-person phase, you’ll be provided with a comprehensive summary of the project status and final steps.


Reporting Phase - Approximately One Week

Time to put it all together.

  • Annotation: For almost every requirement within the control objectives, your assessors will need to note the policies and procedures reviewed, the staff interviewed, and the results of their observations or their review of the evidence collected.

  • Report Issuance: When that’s complete, your assessor will send you a draft Report on Compliance (ROC) and Attestation of Compliance (AOC) for review.

    • PIN ROCs and PIN AOCs are created with templates provided by the PCI SSC.

  • Report Submission: After any corrections and confirmation of the content therein, both you and your assessor will sign the AOC, and documentation is submitted to the payment brands.

Next Steps for Your PCI PIN Assessment

Overall, a PIN assessment takes approximately three weeks.  However, how long it takes you will depend on your scope of work, availability, and the type of services you offer.  As with other assessments, when you have to include additional functionality, it increases the amount of time and work necessary to complete an assessment–you might even need an on-site visit to some locations, depending on your scope and services.

For more information on that, keep an eye out for our forthcoming blog on what an on-site visit will entail for you.

But regardless, we know that it’s going to take some effort to coordinate the availability of local staff and key custodians while navigating conflicting schedules.  That’s something to tackle in the planning phase with your assessor as your scope gets established and you begin to understand better who will be needed.

And now that you’ve got a rough idea of how much time this is going to take you, there’s actually something you can do to streamline your PIN process even more.  Make old Ben Franklin proud and ensure you don’t lose precious time–read our article regarding how to prepare for a PIN assessment. In there, we provide two clear phases of prep that will surely help cut down your time spent on this all the more.

After you do that, you’re likely to have your eye on actually proceeding with such a review, and we’re happy to speak with you regarding how else to ensure you have a smooth experience.  We can talk through everything, including all the possibilities so as to find the easiest way to fit these steps within your already-established internal schedules.

About the Author

Adam Perella

Adam Perella is a manager at Schellman who leads the PIN and P2PE service lines. His focus also includes the Software Security Framework and 3-Domain Secure services. Having previously served as a networking, switching, computer systems, and cryptological operations technician in the Air Force, Adam now maintains multiple certifications within the payments space. Active within the payments community, he helps draft new payments standards and speaks globally on payment security.
