Reference Content: This is archived content from PCI Security Standards Council bulletins, preserved for tracking changes over time.

PCI Security Standards Council Bulletin: Revisions to the Implementation Dates and Scope for PCI PIN Security Requirement 32-9


16 November 2020


Based on industry feedback, the PCI SSC is revising the implementation dates and modifying the applicability for PCI PIN
Security Requirements v3.1 Requirement 32-9. These changes are effective immediately and will be reflected in the PCI
PIN Security Requirements and Testing Procedures Version 3.1, due for release later this year.

Requirement 32-9 currently states:

The KIF must implement a physically secure room for key injection where any secret or private keys or their
components/shares appear in memory outside the secure boundary of an SCD during the process of loading/injecting
keys into an SCD.
The secure room for key injection must include the following:
• Effective 1 January 2021, the injection of clear-text secret or private keying material shall not be allowed for entities
engaged in key injection on behalf of others. This applies to new deployments of POI v3 and higher devices.
Subsequent to that date, only encrypted key injection shall be allowed for POI v3 and higher devices.
• Effective 1 January 2023, the same restriction applies to entities engaged in key injection of devices for which they
are the processors.
Note: This does not apply to key components entered into the keypad of a secure cryptographic device, such as a device
approved against the PCI PTS POI Security Requirements. It does apply to all other methods of loading of clear-text
keying material for POI v3 and higher devices.

The implementation dates have been deferred three years and the applicability changed from POI v3 and higher devices
to POI v5 and higher devices as follows:

• Effective 1 January 2024, the injection of clear-text secret or private keying material shall not be allowed for entities
engaged in key injection on behalf of others. This applies to new deployments of POI v5 and higher devices.
Subsequent to that date, only encrypted key injection shall be allowed for POI v5 and higher devices.
• Effective 1 January 2026, the same restriction applies to entities engaged in key injection of devices for which they
are the processors.
Note: This does not apply to key components entered into the keypad of a secure cryptographic device, such as a device
approved against the PCI PTS POI Security Requirements. It does apply to all other methods of loading of clear-text
keying material for POI v5 and higher devices.

The individual Payment Card Brands manage compliance programs for PCI Security Standards. Organizations should
contact them directly with any questions.