In December 2014, PCI PIN issued a mandate calling for a new PIN Key Block TR-31 Encryption. This is an advanced encryption method used to secure a cardholder's PIN. The mandate was broken into three phases. The first two have passed; they dealt with this new encryption internally (Phase 1) and in communications within the networks, issuers, processors, and acquirers (Phase 2). Phase 3 extends this requirement to all merchant hosts, POS devices and ATMs. Phase 3 becomes effective 1 January 2025.
PCI PIN's Phase 3 requirement noted above stipulates that processors and acquirers (i.e., Switch Commerce) must be able to accept TR-31 PIN Block Encrypted messages from ATMs and POS devices by 1 January 2025. It does not state that processors and acquirers cannot accept the current encryption format post 1 January 2025. If a terminal sends the current encryption format, the transactions will still be processed as normal post 1 January 2025. Terminals will not go dark. However:
- PCI PIN will mandate at some point that the current encryption format will no longer be allowed. It is unknown at this time when that will be, but it will be coming.
- Suppose a terminal is attacked (e.g., a hack or a man-in-the-middle attack), and it is determined that TR-31 PCI PIN Encryption would have kept the attack from gaining access to the PIN. As with EMV, the liability will most likely fall to the terminal as the weakest link, but to the tune of several hundred transactions versus a few chargebacks.
Therefore, it is in your best interest, and safeguards you, to pursue upgrading your PIN pads and software levels to support TR-31 PCI PIN Encryption on all of your terminals as soon as possible, rather than waiting for the next PCI PIN date to be published. It isn't a matter of if, but when.
Attached is a list of the Manufacturers and the software requirements that are needed to support TR-31.