PIN security
The Visa PIN Security Programme is a global
programme designed to ensure all participants in the acquiring
transaction processing chain maintain the highest level of Personal
Identification Number (PIN) security.
The confidentiality of cardholder PINs used in Visa transactions
depends on all payment system participants complying with the
following applicable requirements:
- Payment Card Industry (PCI) PIN Security Requirements
- PCI PIN-Entry Device Security Requirements
- PCI Encrypting PIN Pad Security Requirements
- PCI Point of Interaction Requirements
- Visa Requirements.
These requirements are designed to ensure the secure
transmission of cardholder PINs from the point of entry. The PCI
PIN Security Requirements complement the PCI Data Security
Standards (DSS) for entities that accept or process Visa
PIN-verified transactions. PIN-accepting entities must be fully
compliant with the PCI PIN and PIN Transaction Security (PTS)
Requirements.
How the programme works
Card issuers rely on acquiring banks and processors to ensure
cardholder PINs are handled securely during processing. As a
consequence, all acquiring banks, their processing agents and any
other third parties involved in the processing of Visa PIN-based
transactions and the associated cryptographic keys must participate
in the programme. (These participants are referred to as
entities below.)
Every three years, entities must complete and return a Self
Audit Form (SA). The Self Audit includes a range of questions and,
each time an entity answers ‘no’ or ‘not applicable’, an Exception
Form must be completed giving details of why the entity is not
compliant, what plans are in place to correct this and the planned
completion date.
The SA, Exception Forms and a Self Audit Compliance Statement
must be returned to Visa 45 days before a live date (for new
entities) or by the due date (for existing entities). All new
entities must be fully compliant before going live. For each year
in between the three-yearly Self Audit, entities must complete an
Annual Certification Statement to verify the continuing validity of
the information in the SA.
More information
For more information on the PIN Security Programme, please
contact Visa at visaeuropepin@visa.com or visit
www.visa.com/pinsecurity.