PCI Watch

Tracking changes across the Payment Card Industry
ℹ️
Reference Content: This is archived content from PCI Security Standards Council bulletins, preserved for tracking changes over time.
View Original →

PCI Security Standards Council Bulletin: Revisions to the Implementation Date for PCI PIN Security Requirement 18-3

PDF











PCI Security Standards Council Bulletin:
Revisions to the Implementation Date for PCI PIN Security Requirement 18-3

17 July 2020

In response to stakeholder feedback about the impact COVID-19 has had on implementations, PCI SSC
is updating the effective dates for key block implementations. These dates are effective immediately and
will be reflected in the PCI PIN Security Requirements and Testing Procedures Version 3.1, due for
release later this year. The new dates are provided in the excerpt below.

18-3 Encrypted symmetric keys must be managed in structures called key blocks. The key usage
must be cryptographically bound to the key using accepted methods.

The phased implementation dates are as follows:
• Phase 1 – Implement Key Blocks for internal connections and key storage within Service
Provider Environments – this would include all applications and databases connected to
hardware security modules (HSM). Effective date: 1 June 2019. (Complete)
• Phase 2 – Implement Key Blocks for external connections to Associations and Networks. New
Effective Date: 1 January 2023 (replaces previous effective date of 1 June 2021).
• Phase 3 – Implement Key Block to extend to all merchant hosts, point-of-sale (POS) devices
and ATMs. New Effective Date: 1 January 2025 (replaces previous effective date of 1 June
2023).

The individual payment card brands manage compliance programs for PCI Security Standards.
Organizations should contact the applicable payment brand(s) directly with any compliance questions.