The PCI Security Standards Council (PCI SSC) and the financial-services standards body Accredited Standards Committee X9 have decided to combine forces on the rules for handling personal identification numbers (PINs).
Today, each body has its own standard, which is a pain for organisations such as banks that follow rules set by both. The overlapping standards also make life hard for assessors, who may judge an organisation's PCI compliance not to be in order if it adheres to the X9 rules instead.
The Register imagines a few readers don't enjoy having to figure out how to get the two standards running alongside each other.
Hence the decision to consolidate the PCI PIN Security Standard and the X9 TR39 PIN Standard.
Source: The Register
(Score: 1) by vali.magni on Saturday February 17 2018, @07:33AM
I work in one of the major players in this industry. Every payment solution we make needs to go through a battery of internal and external testing campaigns and certification to several standards. In addition, the big players like Visa will regularly conduct audits like the Visa TR-39 audit which generates a certificate that says we're good.
Each one of these processes is long, cumbersome, and takes the effort of a lot of people in the company, and we do this if we want to stay in business.
In this specific case, compliance with the PCI-SSC PIN security requirement is mandatory; otherwise we don't get to ship to our customers. Compliance with the ANSI X9 TR39 is also the norm in the industry; however, this publication is a guideline and not a standard. In some ways, it is complementary to the PCI-SSC publication, and it made sense to have one single standard, which is what's happening here now.