PCI PIN Security - Protecting Cardholder Data

What is it and why is it necessary?

The PCI Security Standards require that cardholder data (including PINs) is protected at all times. All entities that handle POS terminals (i.e. terminal manufacturers and distributors, PSPs, ISVs and merchants) need to follow these rules.
All entities need to have appropriate processes documented and in use, and all involved personnel need to be aware of those processes.
Please use this documentation as guidance only. The official PCI Security Standards Council PIN Security Requirements remain the applicable rules at all times.

Your duties

Procuring and shipping terminals

  • Terminals must be procured from legitimate sources only, e.g. directly from the manufacturer or from an authorized reseller. Terminals from other sources cannot be used on our platform. Payworks can make the necessary introductions for you.
  • Terminals must only be shipped via carriers that provide shipment tracking.
  • Retain the shipping documents; they are needed for warranty claims and for inspections.

Storing terminals

  • Before they are deployed, terminals must be stored in a secure place (e.g. a locked cabinet or room) that can only be accessed by authorized personnel. Unauthorized individuals must not be able to access, modify or substitute any stored terminals (see our sample list of authorized personnel).
  • Access to the stored terminals must be defined, documented and controlled (see our sample storage facilities log).
  • Entities storing card terminals must keep written records of all their terminals. They must conduct regular inventory checks (at least every 6 months) and implement monitoring procedures that protect their terminals and detect lost or stolen ones (see our sample inventory statement).

Using and managing terminals

  • Before enabling merchants to use a POS terminal, providers must educate them and give them clear instructions on how to use and store the terminal. You can use our sample merchant guidelines for this.
  • Providers must be reachable by their merchants so that manipulated, lost or stolen terminals can be deactivated without delay.

Your merchants’ duties

  • Before setting up or using a terminal, merchants must inspect it for signs of manipulation.
  • Merchants must not use a terminal if they suspect that it has been manipulated or replaced. They must notify their provider immediately so that the terminal can be deactivated.
  • Merchants must keep their terminals out of reach of unauthorized third parties and lock them away in a secure place (e.g. a locked cabinet or room) when they are not in use (e.g. outside business hours).
  • Merchants must keep written records of all their card terminals and regularly compare these records to the terminals actually on site (at least every 6 months). Discrepancies must be raised with the provider.
  • Merchants must notify their provider immediately about any lost, stolen or manipulated terminal so that it can be deactivated.
  • Merchants must not modify, manipulate or operate their terminals in any unauthorized manner.

How Payworks is helping you

Payworks provides you with sample documents and advice on how best to set up your processes. Just contact your Solution Consultant when getting started with Payworks. If you have questions later, you can also get in touch with our Support team.

Merchant Guidelines

See here.

This document contains a minimum set of guidelines on terminal handling that you need to communicate to your merchants. You can use it as a starting point and adjust the rules so that they fit your processes, as long as they provide at least the same level of security. You should refer to these rules in your terms and conditions.

List of authorized personnel

See here.

A list for documenting who from your team or your fulfillment provider has access to the terminals in your storage.

Terminal inventory statement

See here.

A template for your inventory statement. Use it when conducting your regular inventories.

Storage facilities log

See here.

A document for logging access to the facilities where your terminals are stored.

FAQ

A merchant notifies me about a stolen, lost or manipulated terminal. What do I need to do?

  • Deactivate the terminal in the Gateway Manager and detach it from the merchant.
  • Notify Payworks Support. We will remove the terminal from our Gateway.

Does using a Payworks product ensure my PCI compliance status, so that I do not have to worry about the security of terminals?

No. Payworks helps its users and their merchants become more secure by providing PCI DSS and PCI PIN compliant products, but it does not guarantee their compliance status. In this particular case, Payworks instructs its users and merchants on how to handle terminals in a secure, PCI-compliant way by providing transparent documentation, merchant guidelines and sample documents, while terminal management itself remains the responsibility of the users and merchants. In general, PCI DSS applies to all entities involved in payment processing, including merchants regardless of their size; however, the decision whether a merchant has to validate its compliance, and how, is made by the respective payment brand. Payworks encourages its users and merchants to get in touch with their acquirer and their PCI assessors on this topic.