
Do PCI DSS requirements prevent processors from sending the PIN to end users' mobile phones? I went through many PCI documents, such as the PCI Security Requirements 2.0, and this isn't mentioned. I'm not sure whether this is mentioned somewhere else, but I'd really like to have proof of that.

ximaera
devio
  • PCI DSS 2.0 is from 2010 and the current version is 3.2 -- although fundamental points like this haven't changed. The PIN (when used at all) is supposed to be known only by, and entered by, the user (cardholder), so what would be the point of sending it _to_ the user? – dave_thompson_085 Nov 30 '17 at 04:35
  • My question is about PIN delivery, not PIN storage. Processors/Issuers send the PIN to end users after the issuance of a new card or after the end user requests that information from their issuer. My question is: instead of PIN mailers, can processors/issuers send the PIN to the end users' phones, and what do PCI DSS requirements say about that? – devio Nov 30 '17 at 10:19
  • I've never heard of processors being allowed to send PINs. Issuers (or their contractors) do, yes; I've not worked on the issuer side, but I do know there is a whole set of 'Card Production' security requirements that are additional to (but compatible with) DSS, in a separate section of the 'library' on the SSC website; I once glanced at them and they seemed rather more detailed than DSS. – dave_thompson_085 Dec 02 '17 at 05:24

2 Answers


Storing PINs is prohibited under PCI DSS so one can assume transmitting PINs is not compliant.

Mrdeep
  • That doesn't follow. SAD must not be stored, but it can be transmitted as part of authorization and usually _should_ be included when available/applicable, otherwise it would be useless. But the transmission must be 'strongly' encrypted (per section 4), and the recipient system/device is in scope and must be secure. – dave_thompson_085 Nov 30 '17 at 04:35
  • @dave_thompson_085: my question is more about the PIN delivery. Could you please let me know what the PCI DSS requirements say about it and how it can be implemented? – devio Nov 30 '17 at 10:20
  • Those guidelines don't apply here. PCI DSS Requirement 3.2: *It is permissible for **issuers** and companies that support issuing services to store sensitive authentication data if: a) There is a business justification and b) The data is stored securely*. Sending the PIN is PIN issuance. – ximaera Jan 28 '18 at 21:51

Assuming your question is about issuers (not processors): payment card PIN issuance is out of scope of the PCI DSS requirements; however, card companies impose additional requirements and guidelines on card issuers, e.g. Visa's Issuer PIN Security Guidelines:

Ensure that PINs are protected during processing, transmission and storage by one or more of the following:

  • Provision of physical protection
  • Encryption of the PIN
  • Use of separate HSMs for Issuer vs. Acquirer functionality
  • Use of an encrypted reference or control number to indirectly link the PIN to the PAN when the two items of data must be transmitted separately.
  • Issuers should ensure that their PIN management system prevents the PIN from being stored wherever it is received while under issuer responsibility. PIN mailers, SMS messages and emails are vulnerable and their content should be constructed to meet the PIN Generation, General Guidelines section.

There are different methods of sending a PIN to a user-controlled mobile device (SMS, USSD, mobile apps and so on), and the implementation guidelines differ for each method. From your question it is unclear which method exactly bothers you most, but all the requirements are there in the document I've linked to above.

ximaera