Payment firms that are used to choosing which PIN standard to audit against now have a much simpler choice. The Accredited Standards Committee X9 Inc. and the PCI Security Standards Council have created a unified PIN Security Standard, replacing separate ones each organization previously maintained.
The consolidation, announced Tuesday, should make things much easier for organizations, removing any question about which standard to choose and the extra expense of using both.
“For a long time, the industry had two controlling documents used by network auditors to determine if a network or company was compliant with security requirements for certain credit card data,” Steve Stevens, X9 executive director, says in an email to Digital Transactions News.
“X9 provided one document and PCI provided the other,” Stevens says. “Each had certain strengths. In the beginning, a company could select either document for the audit. This caused some confusion as to which to select. Some companies decided to use both, which led to higher cost but greater information from the audit.”
Work on the consolidated standard began in 2018 with committees from each organization involved. Their efforts produced version 3.0 of the PIN Security-Requirements and Testing Procedures standard, which is available on the PCI Council’s Web site. The former X9 standard is now out of date, X9 says.
“In the end, X9 and PCI decided the industry would be better served to take the best from both documents and combine them into one,” Stevens says.
The new PIN standard is a win for the industry, says Troy Leach, PCI Council senior vice president, because “…we now have greater clarity and consensus around a single PIN standard.”