3.3.1.3 The personal identification number (PIN) and the PIN block are not stored upon completion of the authorization process.
Defined Approach Requirements
3.3.1.3 The personal identification number (PIN) and the PIN block are not stored upon completion of the authorization process.
Customized Approach Objective
This requirement is not eligible for the customized approach.
Applicability Notes
PIN blocks are encrypted during the natural course of transaction processes, but even if an entity encrypts the PIN block again, it is still not allowed to be stored after the completion of the authorization process.
Defined Approach Testing Procedures
3.3.1.3 Examine data sources, to verify that PINs and PIN blocks are not stored upon completion of the authorization process.
Purpose
PIN and PIN blocks should be known only to the card owner or entity that issued the card. If this data is stolen, malicious individuals can execute fraudulent PIN-based transactions (for example, in-store purchases and ATM withdrawals). Not storing this data reduces the probability of it being compromised.
Examples
Data sources to review to ensure that PIN and PIN blocks are not retained upon completion of the authorization process include, but are not limited to:
- Incoming transaction data.
- All logs (for example, transaction, history, debugging, error).
- History files.
- Trace files.
- Database schemas.
- Contents of databases, and on-premise and cloud data stores.
- Any existing memory/crash dump files.
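As an added example that is not part of the PCI DSS text or any PCI SSC tooling, the following Python scanner walks the kinds of data sources listed above (transaction logs, trace files, history files, database dumps, crash dumps) and flags any line that still carries a PIN or PIN block after authorization, by field name and by value shape. It also shows the matching application control: stripping those fields from a transaction record before it is logged or persisted. The field names, file names and sample lines are constructed assumptions. Because an encrypted PIN block looks like random hex, the value-shape check only narrows false positives; the field-name match is what actually carries the detection, which is why scanning schemas and log formats (not just values) matters.

```python
import re
from typing import Dict, List

# Constructed list of field names that commonly carry a PIN or PIN block in
# payment logs, traces and database rows (an assumption, not from the standard).
PIN_FIELD_NAMES = ("pin", "pinblock", "pin_block", "pinblk", "pin_data", "de52", "field52")

# Matches "key=value" or "key: value" where key is one of the names above and the
# value is 4-32 hex characters (a cleartext PIN is 4-12 digits; an 8- or 16-byte
# PIN block is 16 or 32 hex digits). The optional quote tolerates JSON-ish logs.
_PAIR_RE = re.compile(
    r"(?i)\b(?P<key>" + "|".join(map(re.escape, PIN_FIELD_NAMES)) + r")\b"
    r"\s*[=:]\s*[\"']?(?P<val>[0-9A-Fa-f]{4,32})\b"
)


def _looks_like_pin_value(value: str) -> bool:
    """True for a value shaped like a PIN (4-12 digits) or a PIN block (16/32 hex digits)."""
    if value.isdigit() and 4 <= len(value) <= 12:
        return True
    return len(value) in (16, 32) and all(c in "0123456789abcdefABCDEF" for c in value)


def find_pin_residue(source: str, text: str) -> List[Dict]:
    """Scan one data source and report every line that still carries PIN data."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in _PAIR_RE.finditer(line):
            if _looks_like_pin_value(m.group("val")):
                # Report location and field only; never copy the PIN value into the report.
                findings.append({"source": source, "line": lineno, "field": m.group("key").lower()})
    return findings


def scan_all(sources: Dict[str, str]) -> List[Dict]:
    """Run the scanner over a mapping of source name -> text content."""
    results: List[Dict] = []
    for name, content in sources.items():
        results.extend(find_pin_residue(name, content))
    return results


def redact_pin_fields(record: Dict) -> Dict:
    """Application control: drop PIN / PIN block fields from a transaction record
    before it is written to any log, history file or database."""
    return {k: v for k, v in record.items()
            if k.lower().replace("-", "_") not in PIN_FIELD_NAMES}


# Constructed sample data sources; the PIN block and PIN values are made up.
SAMPLE_SOURCES = {
    "auth.log": (
        "2024-05-01T10:00:00Z AUTH pan=411111******1111 amount=25.00 pinblock=3F2A9C4E1B7D6A05 rc=00\n"
        "2024-05-01T10:00:01Z AUTH pan=411111******1111 amount=12.50 rc=00\n"
    ),
    "debug.trace": "DE52: 9A8B7C6D5E4F3A2B sent to HSM\nDE52 cleared\n",
    "txn_history.csv": "id,pan_token,status\n1,tok_abc,APPROVED\n",
    "crash.dmp": "...heap... pin=123456 ...",
}

if __name__ == "__main__":
    for finding in scan_all(SAMPLE_SOURCES):
        print(f"{finding['source']}:{finding['line']} retains field '{finding['field']}'")
    print(redact_pin_fields({"pan": "411111******1111", "PIN_BLOCK": "3F2A9C4E1B7D6A05", "amount": "25.00"}))
```

In practice the scanner would be pointed at the real log directories, database exports and dump locations on a schedule, and any finding treated as a retention failure to fix at the source (the logging or persistence code path), not just by deleting the offending file.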
Purpose
Do not store PINs or PIN blocks after authorization.
Compliance Strategies
- Automated data deletion
- Application controls
Typical Policies
- PIN Handling Policy
Common Pitfalls
- PIN data retained post-authorization
Type
Technical Control
Difficulty
High
Key Risks
- Illegal storage, increased breach impact
Recommendations
- Scan for PIN data regularly
Eligible SAQ
- SAQ-A-EP
- SAQ-B
- SAQ-B-IP
- SAQ-C
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER