While a clear consensus has been established that passwords are a terrible security solution, X9 and the PCI council have published a new PIN standard. While we haven’t yet read the 233-page “Payment Card Industry (PCI) PIN Security” paper, it appears to be out of sync with the overall market effort to move away from “what you know” identity solutions.
Here’s an excerpt from a PaymentsSource article which covers the topic further:
“Seeking to clarify how merchants and banks should handle PIN debit transactions, the Accredited Standards Committee X9 and PCI Security Standards Council have created a unified standard.
Since 2018, X9 and the PCI council have been partners in combining technical reports, requirements and testing procedures to begin a joint initiative that would eliminate the need for separate standards and processes related to accepting PIN transactions and keeping PINs safe.
Ultimately, the security organizations worked to merge their processes into one document, which has become version 3.0 of the PCI council’s PIN Security requirements and testing standard.
With much of the X9 standard becoming outdated during the process, X9 approved its withdrawal from the publication to establish a new, unified single standard. X9 will continue to partner with the PCI council on future versions of the standard.
The organizations said they reached their goal to create a single PIN security standard and assessor qualification program that PCI SSC would manage.”
The amount of personal information available on the dark web, combined with the bad habit people have of reusing the same PIN and password across multiple sites, has made out-of-wallet questions, passwords, and PINs problematic.
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group