Implementing Payment Card Industry Security Standards: case PIN Security
Päivinen, Veli-Matti (2022)
2022
Julkaisun pysyvä osoite on
https://urn.fi/URN:NBN:fi:amk-2022120125602
https://urn.fi/URN:NBN:fi:amk-2022120125602
Tiivistelmä
Card payment has become so integrated in our daily lives that it is virtually taken for granted. This thesis takes a closer look in the payment cards, as well as the associated ecosystem and technologies. The thesis also introduces the Payment Card Industry Security Standards Council, which establishes payment standards, as well as two security standards, PCI DSS and PCI PIN.
The background of the thesis emerges from the business needs of the Payment Service Provider (PSP) platform, which was required to start processing customers online verified payment card personal identification numbers (PIN). To begin processing online PINs, the PSP platform must pass the Payment Card Industry PIN Security assessment and acquire the compliance certification. Payment card issuers and banks demand PCI PIN compliance from all entities that process payment card PINs online in order to protect cardholder data from fraud and prevent significant financial losses.
The main focus of this thesis is to research how PCI PIN Security should be implemented in relation to the PSP platform by going through the processes and procedures.
The case study method of research was used in the thesis along with a literature review, document analysis, and interviews with experts in the payment card industry. The research questions the thesis answers are: 1. What is the PCI PIN security assessment scope for PSP platform? 2. How key management dual control and split knowledge is achieved? 3. What are the key management procedures for PSP platform in PCI PIN scope? 4. What are the PIN key management methods for the PSP and how those should be implemented?
A practical outcome of the thesis provides concrete recommendations and procedures for PSP and other environments that are comparable on how to securely manage PIN and related cryptographic keys in order to fulfil PCI PIN Security requirements.
The background of the thesis emerges from the business needs of the Payment Service Provider (PSP) platform, which was required to start processing customers online verified payment card personal identification numbers (PIN). To begin processing online PINs, the PSP platform must pass the Payment Card Industry PIN Security assessment and acquire the compliance certification. Payment card issuers and banks demand PCI PIN compliance from all entities that process payment card PINs online in order to protect cardholder data from fraud and prevent significant financial losses.
The main focus of this thesis is to research how PCI PIN Security should be implemented in relation to the PSP platform by going through the processes and procedures.
The case study method of research was used in the thesis along with a literature review, document analysis, and interviews with experts in the payment card industry. The research questions the thesis answers are: 1. What is the PCI PIN security assessment scope for PSP platform? 2. How key management dual control and split knowledge is achieved? 3. What are the key management procedures for PSP platform in PCI PIN scope? 4. What are the PIN key management methods for the PSP and how those should be implemented?
A practical outcome of the thesis provides concrete recommendations and procedures for PSP and other environments that are comparable on how to securely manage PIN and related cryptographic keys in order to fulfil PCI PIN Security requirements.