- Create management procedures
PCI PIN Security requirements are organized into seven related groups, referred to as “Control Objectives.” Each control objective requires management of security policy and procedures, including Point of Interaction (POI) management procedures covering ATMs and POS terminals, HSM management procedures, and, most importantly, key management procedures: key generation, distribution, rotation, revocation, destruction, and key exchange with other organizations, the use of PIN blocks and key blocks, and the physical security of the appliances.
- Inventory of Devices, Keys, and Exchange Organizations
Devices relevant to PIN security, including POI devices (ATMs, POS terminals), HSM keys, encryption devices, key loading devices, servers, and the corresponding host software, should be inventoried and managed. Because of the high volume of POI devices, loading keys onto them requires a strict and precise management process that covers the organization's internal use of keys, the HSMs, the participants in transactions, key exchange organizations, and, finally, the inventory of outsourced service providers.
- Operation supervision and management
All POI devices (ATMs, POS terminals), HSMs, servers, and the use of key loading devices, together with their records and inspections, must follow the operational procedures and keep adequate logs. Key exchange, key loading, and key generation must follow the required dual control, split knowledge, and monitoring, with logged records that are monitored and reviewed.
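As an added illustration of the dual control and split knowledge requirement above (example code written for this page, not part of any PCI document or HSM product), the following shows how a key can be held as full-length XOR components so that no single custodian ever sees the complete key, and how a key loading step refuses to form the key until the required number of custodians has entered a component. The key length, custodian names, and the check value (a truncated SHA-256 rather than the encrypt-zeros KCV a real HSM computes) are assumptions of this example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from functools import reduce

KEY_LEN = 16  # bytes; a 128-bit key is assumed for this example


def check_value(key: bytes) -> str:
    """Illustrative check value: leading 3 bytes of SHA-256, hex encoded.
    A production HSM derives a KCV by encrypting a zero block (or a CMAC)
    under the key; SHA-256 is used here only to keep the example library-free."""
    return hashlib.sha256(key).hexdigest()[:6]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("components must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n: int) -> list:
    """Split a key into n full-length components whose XOR is the key.
    The first n-1 components are uniformly random, so any n-1 of them
    carry no information about the key (split knowledge)."""
    if n < 2:
        raise ValueError("split knowledge needs at least two components")
    parts = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    parts.append(reduce(xor_bytes, parts, key))  # last component closes the XOR
    return parts


def combine_components(parts) -> bytes:
    """Reconstruct the key from all components (only ever done inside the HSM)."""
    return reduce(xor_bytes, list(parts))


@dataclass
class KeyLoadCeremony:
    """Tracks one key loading session: who entered what, and whether the
    dual control threshold has been met before the key is formed."""
    key_name: str
    required_custodians: int
    components: dict = field(default_factory=dict)  # custodian -> component
    log: list = field(default_factory=list)         # audit trail for review

    def enter_component(self, custodian: str, component: bytes) -> str:
        if custodian in self.components:
            raise ValueError(f"{custodian} already entered a component")
        self.components[custodian] = component
        kcv = check_value(component)  # lets the custodian confirm their entry
        self.log.append(f"{self.key_name}: {custodian} entered component, check value {kcv}")
        return kcv

    def combine(self) -> bytes:
        present = len(self.components)
        if present < self.required_custodians:
            self.log.append(f"{self.key_name}: combine refused, "
                            f"{present} of {self.required_custodians} custodians present")
            raise PermissionError("dual control not satisfied")
        key = combine_components(self.components.values())
        self.log.append(f"{self.key_name}: key formed from {present} components, "
                        f"check value {check_value(key)}")
        return key


if __name__ == "__main__":
    # Constructed demo key; in practice the HSM generates it and never exports it whole.
    demo_key = secrets.token_bytes(KEY_LEN)
    part_a, part_b = split_key(demo_key, 2)
    ceremony = KeyLoadCeremony("KEK-EXAMPLE", required_custodians=2)
    ceremony.enter_component("custodian A", part_a)
    try:
        ceremony.combine()  # refused: only one custodian present
    except PermissionError as err:
        print("refused:", err)
    ceremony.enter_component("custodian B", part_b)
    loaded = ceremony.combine()
    print("loaded key matches:", loaded == demo_key)
    print("\n".join(ceremony.log))
```

The log entries record each custodian's action and the check value of what was entered, which is the kind of record the monitoring and review requirement expects; the check value of a component or of the final key can be compared against the inventory record without exposing key material.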