Document Comparison
PCI_PIN_v3.1_AOC.pdf → PCI_PIN_AOC_v3.2.pdf
81% similar
Pages: 11 → 12
Words: 2058 → 2314
Content Changes
33 content changes. 16 administrative changes (dates, page numbers) hidden.
Added
p. 5
Part 2b. Locations List the types of facilities reviewed as part of the PCI PIN Assessment (for example, data centers, key-injection facilities, certification authority operations, etc.) and applicable details of the locations included in the PCI PIN review (e.g. city, country).
Added
p. 9
Part 3b. Assessed Entity PIN Security Attestation Signature of Executive Officer of Service Provider Service Provider Executive Officer Name:
Part 3d. PCI SSC Acceptance (optional*) * Applicable only if the Service Provider chooses to be listed on the List of PIN Service Providers on the Website.
PCI SSC does not assess or validate PIN Service Providers for compliance with the PIN Security Requirements. The signature below and subsequent listing of PIN Service Provider on the List of PCI PIN Service Providers signifies that the applicable QPA Company has determined that the PIN Service Provider complies with the PIN Security Requirements, that the QPA Company or PIN Service Provider has submitted a corresponding AOC to PCI SSC, and that the AOC, as submitted to PCI SSC, has satisfied all applicable quality review requirements as of the time of PCI SSC's review.
Removed
p. 2
Section 1: Assessment Information Instructions for Submission This Attestation of Compliance must be completed as a declaration of the results of the assessment of the subject entity compliance with the Payment Card Industry PIN Security Requirements and Test Procedures (PCI PIN). Complete all sections: The entity is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact the entity requesting the assessment ( e.g. Payment Brand) for reporting and submission procedures.
DBA (doing business as):
Modified
p. 2 → 4
Part 1. Entity and Qualified PIN Assessor (QPA) Information Part 1a. Entity Organization Information Company Name:
Part 1. Entity and Qualified PIN Assessor (QPA) Information Part 1a. PIN Service Provider Information Company Name:
Modified
p. 2 → 4
State/Province: Country: Postal Code:
State/Province: Country: State/Province:
Modified
p. 3 → 5
PIN Acquirer Payment Processing - POS PIN Acquirer Payment Processing - ATM Remote Key Distribution Using Asymmetric Keys Operations Certification and Registration Authority Operations Key-injection Facilities Others (specify):
☐ PIN Acquirer Payment Processing - POS ☐ PIN Acquirer Payment Processing - ATM ☐ Remote Key Distribution Using Asymmetric Keys - Operations ☐ Certification and Registration Authority Operations ☐ Key-injection Facilities ☐ Others (specify):
Modified
p. 3 → 5
Note: These categories are provided for assistance only, and are not intended to limit or predetermine an entity’s service description. If you feel these categories don’t apply to your service, complete “Others.” If you’re unsure whether a category could apply to your service, consult with the applicable payment brand.
Note: These categories are provided for assistance only, and are not intended to limit or predetermine the list of services that may have been included in the scope of the PCI PIN Assessment. If the PCI PIN Assessment included other services within its scope, or if these categories don’t apply to your service, complete “Others.” If you’re unsure whether a particular service fits within a given category, consult with the applicable payment brand.
Removed
p. 4
Part 2b. Locations List types of facilities (for example, data centers, key-injection facilities, certification authority operations, etc.) and a summary of locations included in the PCI PIN review.
Modified
p. 4 → 5
PIN Acquirer Payment Processing - POS PIN Acquirer Payment Processing - ATM Remote Key Distribution Using Asymmetric Keys - Operations Certification and Registration Authority Operations Key-injection Facilities Other (specify):
☐ PIN Acquirer Payment Processing - POS ☐ PIN Acquirer Payment Processing - ATM ☐ Remote Key Distribution Using Asymmetric Keys - Operations ☐ Certification and Registration Authority Operations ☐ Key-injection Facilities ☐ Other (specify):
Modified
p. 4 → 5
Type of facility assessed: Date of Assessment Location(s) of facility (city, country):
Type of facility assessed: Date of Assessment Location details:
Modified
p. 4 → 6
• The requirement and all sub-requirements of that requirement were assessed, and no sub-requirements were marked as “Not Tested” or “Not Applicable” in the
Full
• The requirement and all sub-requirements of that requirement were assessed, and no sub-requirements were marked as “Not Tested” or “Not Applicable” in the ROC (defined in Section 3 below).
Modified
p. 4 → 6
• One or more sub-requirements of that requirement were marked as “Not Tested” or “Not Applicable” in the ROC.
Partial
• One or more sub-requirements of that requirement were marked as “Not Tested” or “Not Applicable” in the ROC.
Modified
p. 4 → 6
• All sub-requirements of that requirement were marked as “Not Tested” and/or “Not Applicable” in the ROC.
None
• All sub-requirements of that requirement were marked as “Not Tested” and/or “Not Applicable” in the ROC.
Modified
p. 4 → 6
For all requirements identified as either “Partial” or “None,” provide details in the “Justification for Approach” column, including:
For each PCI PIN requirement identified as either “Partial” or “None,” provide details in the “Justification for Approach” column, including:
Modified
p. 4 → 6
Details of specific sub-requirements that were marked as either “Not Tested” and/or “Not Applicable” in the ROC Reason that the sub-requirement was not tested or was not applicable
Removed
p. 5
Annex A2
• Control Objective 3 Annex A2
• Control Objective 4:
Removed
p. 7
Section 2: Report on Compliance This Attestation of Compliance reflects the results of an onsite assessment, which is documented in an accompanying Report on Compliance (ROC).
Have compensating controls been used to meet any requirement in the ROC? Yes No Were any requirements in the ROC identified as being not applicable (N/A)? Yes No Were any requirements not tested? Yes No Were any requirements in the ROC unable to be met due to a legal constraint? Yes No
Section 3: Validation and Attestation Details Part 3. PCI PIN Validation This AOC is based on results noted in the ROC dated (completion date).
Modified
p. 8 → 9
Based on the results documented in the ROC noted above, the signatories identified in Parts 3b-3c, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document (check one):
Based on the results documented in the ROC, the signatories identified in Parts 3b-3c, as applicable, assert(s) the following compliance status for the Service Provider (check one):
Modified
p. 8 → 9
Compliant: All sections of the PCI PIN ROC are complete, all questions answered affirmatively, resulting in an overall COMPLIANT rating; thereby (Service Provider Company Name) has demonstrated full compliance with the PCI PIN Security Requirements.
☐ Compliant: All sections of the ROC are complete, all questions answered affirmatively, resulting in an overall COMPLIANT rating; thereby (Service Provider Company Name) has demonstrated full compliance with the PCI PIN Security Requirements.
Modified
p. 8 → 9
Non-Compliant: Not all sections of the PCI PIN ROC are complete, or not all questions are answered affirmatively, resulting in an overall NON-COMPLIANT rating, thereby (Service Provider Company Name) has not demonstrated full compliance with the PCI PIN Security Requirements.
☐ Non-Compliant: Not all sections of the ROC are complete, or not all questions are answered affirmatively, resulting in an overall NON-COMPLIANT rating, thereby (Service Provider Company Name) has not demonstrated full compliance with the PCI PIN Security Requirements.
Modified
p. 8 → 9
An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with the payment brand(s) before completing Part 4.
Target Date for Compliance: DD/MMM/YYYY An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with the payment brand(s) before completing Part 4.
Modified
p. 8 → 9
Compliant but with Legal exception: One or more requirements are marked “Not in Place” due to a legal restriction that prevents the requirement from being met. This option requires additional review from acquirer or payment brand.
☐ Compliant but with Legal exception: One or more requirements are marked “Not in Place” due to a legal restriction that prevents the requirement from being met. This option requires additional review from acquirer or payment brand.
Modified
p. 8 → 9
(Check all that apply) The ROC was completed according to the PCI PIN Security Requirements and Testing Procedures, Version (version number), and was completed according to the instructions therein.
(Check all that apply) ☐ The ROC was completed in accordance with the PCI PIN Security Requirements and Testing Procedures, Version (version number) (the “PCI PIN Standard”), and the instructions therein.
Modified
p. 8 → 9
All information within the above-referenced ROC and in this attestation fairly represents the results of my assessment in all material respects.
☐ All information provided in the ROC and in this attestation fairly represents the results of my assessment in all material respects.
Modified
p. 8 → 9
I have read the PCI PIN and I recognize that I must maintain PCI PIN compliance, as applicable to my environment, at all times.
☐ I have read the PCI PIN Standard and I recognize that I must maintain PCI PIN compliance, as applicable to my environment, at all times.
Modified
p. 8 → 9
If my environment changes, I recognize I must reassess my environment and implement any additional PCI PIN requirements that apply.
☐ If my environment changes, I recognize I must reassess my environment and implement any additional PCI PIN requirements that apply.
Modified
p. 9 → 10
Signature of Duly Authorized Officer of QPA Company Date:
Signature of Duly Authorized Officer of QPA Company Date: DD/MMM/YYYY Duly Authorized Officer Name: QPA Company:
Modified
p. 10 → 11
PCI PIN Control Description of Control Compliant to PCI PIN Control Objective (Select One) Remediation Date and Actions (If “NO” selected for any Control Objective YES NO Control Objective 1: PINs used in transactions governed by these requirements are processed using equipment and methodologies that ensure they are kept secure.
PCI PIN Control Objective Description of Control Objective Compliant to PCI PIN Standard Control Objective (Select One) Remediation Date and (If “NO” selected for any Control Objective) YES NO Control Objective 1: PINs used in transactions governed by these requirements are processed using equipment and methodologies that ensure they are kept secure.
Modified
p. 10 → 11
Control Objective 4: Key-loading to HSMs and POI PIN-acceptance devices is handled in a secure manner.
Control Objective 4: Key-loading to HSMs and POI PIN- acceptance devices is handled in a secure manner.
Modified
p. 10 → 11
Key-loading to HSMs and POI PIN-acceptance devices is handled in a secure manner.
Key-loading to HSMs and POI PIN- acceptance devices is handled in a secure manner.
Modified
p. 11 → 12
Key-loading to HSMs and POI PIN-acceptance devices is handled in a secure manner.
Key-loading to HSMs and POI PIN- acceptance devices is handled in a secure manner.
Modified
p. 11 → 12
PCI PIN Control Description of Control Compliant to PCI PIN Control Objective (Select One) Remediation Date and Actions (If “NO” selected for any Control Objective YES NO Annex A2
• Control Objective 4:
• Control Objective 4:
PCI PIN Control Objective Description of Control Objective Compliant to PCI PIN Standard Control Objective (Select One) Remediation Date and (If “NO” selected for any Control Objective) YES NO Annex A2
• Control Objective 4:
• Control Objective 4:
Modified
p. 11 → 12
Annex B
• Control Objective 4 Key-loading to HSMs and POIPIN-acceptance devices is handled in a secure manner.
• Control Objective 4 Key-loading to HSMs and POI
Annex B
• Control Objective 4 Key-loading to HSMs and POI PIN- acceptance devices is handled in a secure manner.
• Control Objective 4 Key-loading to HSMs and POI PIN- acceptance devices is handled in a secure manner.