PCI PIN v3.1 AOC v1c

The document outlines the Attestation of Compliance for onsite assessments related to the Payment Card Industry PIN Security Requirements v3.1. It includes sections for assessment information, executive summary, compliance status, and action plans for non-compliant requirements. The document serves as a formal declaration of compliance results and provides instructions for submission and reporting procedures.

Payment Card Industry (PCI)
PIN Security Requirements
Attestation of Compliance for Onsite Assessments
For use with PIN Security Requirements v3.1
Revision 1.0c
February 2023
Section 1: Assessment Information
Instructions for Submission
This Attestation of Compliance must be completed as a declaration of the results of the assessment of the subject entity's compliance with the Payment Card Industry PIN Security Requirements and Test Procedures (PCI PIN). Complete all sections: the entity is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact the entity requesting the assessment (e.g., a Payment Brand) for reporting and submission procedures.

Part 1. Entity and Qualified PIN Assessor (QPA) Information

Part 1a. Entity Organization Information
Company Name:
DBA (doing business as):
Business Identifier:
Contact Name:
Title:
Telephone:
E-mail:
Business Address:
City:
State/Province:
Country:
Postal Code:
URL:

Part 1b. Qualified PIN Assessor Company Information (if applicable)
Company Name:
Lead QPA Contact Name:
Title:
Telephone:
E-mail:
Business Address:
City:
State/Province:
Country:
Postal Code:
URL:

PCI AOC for Onsite Assessments for use with PCI PIN Security Requirements, v3.1 February 2023
© 2019-2023 PCI Security Standards Council, LLC. All Rights Reserved. Page 1
Part 2. Executive Summary
Part 2a. Scope Verification
Services that were INCLUDED in the scope of the PCI PIN Assessment (check all that apply):
Type of service(s) assessed:
PIN Acquirer Payment Processing - POS
PIN Acquirer Payment Processing - ATM
Remote Key Distribution Using Asymmetric Keys - Operations
Certification and Registration Authority Operations
Key-injection Facilities
Others (specify):

Note: These categories are provided for assistance only, and are not intended to limit or predetermine an
entity’s service description. If you feel these categories don’t apply to your service, complete “Others.” If
you’re unsure whether a category could apply to your service, consult with the applicable payment brand.

Part 2a. Scope Verification (continued)
Services that are provided by the entity but were NOT INCLUDED in the scope of the PCI PIN Assessment (check all that apply):
Type of service(s) not assessed:
PIN Acquirer Payment Processing - POS
PIN Acquirer Payment Processing - ATM
Remote Key Distribution Using Asymmetric Keys - Operations
Certification and Registration Authority Operations
Key-injection Facilities
Other (specify):

Provide a brief explanation why any checked services were not included in the assessment:

Part 2b. Locations

List types of facilities (for example, data centers, key-injection facilities, certification authority operations, etc.) and a summary of locations included in the PCI PIN review.

Type of facility assessed | Date of Assessment | Location(s) of facility (city, country)
Example: Data Center | 18-20 June, 2019 | Boston, MA, USA

Part 2c. Summary of Requirements Tested


For each PCI PIN Requirement, select one of the following:
• Full – The requirement and all sub-requirements of that requirement were assessed, and no sub-
requirements were marked as “Not Tested” or “Not Applicable” in the ROC.
• Partial – One or more sub-requirements of that requirement were marked as “Not Tested” or “Not
Applicable” in the ROC.
• None – All sub-requirements of that requirement were marked as “Not Tested” and/or “Not Applicable”
in the ROC.
For all requirements identified as either “Partial” or “None,” provide details in the “Justification for Approach”
column, including:
• Details of specific sub-requirements that were marked as either “Not Tested” and/or “Not Applicable” in
the ROC
• Reason why sub-requirement(s) were not tested or not applicable

Note: One table to be completed for each service covered by this AOC. Additional copies of this section are
available on the PCI SSC website.

Part 2c. Summary of Requirements Tested (continued)


Details of Control Objectives Assessed

PCI PIN Control Objective | Full | Partial | None | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)

Control Objective 1:
Control Objective 2:
Control Objective 3:
Control Objective 4:
Control Objective 5:
Control Objective 6:
Control Objective 7:
Annex A1 – Control Objective 3:
Annex A1 – Control Objective 4:
Annex A1 – Control Objective 5:
Annex A1 – Control Objective 6:
Annex A2 – Control Objective 3:
Annex A2 – Control Objective 4:
Annex A2 – Control Objective 5:
Annex A2 – Control Objective 6:
Annex A2 – Control Objective 7:
Annex B – Control Objective 1:


Annex B – Control Objective 2:
Annex B – Control Objective 3:
Annex B – Control Objective 4:
Annex B – Control Objective 5:
Annex B – Control Objective 6:
Annex B – Control Objective 7:

Section 2: Report on Compliance

This Attestation of Compliance reflects the results of an onsite assessment, which is documented in an
accompanying Report on Compliance (ROC).

The assessment documented in this attestation and in the ROC was completed on:

Have compensating controls been used to meet any requirement in the ROC? Yes / No
Were any requirements in the ROC identified as being not applicable (N/A)? Yes / No
Were any requirements not tested? Yes / No
Were any requirements in the ROC unable to be met due to a legal constraint? Yes / No

Section 3: Validation and Attestation Details

Part 3. PCI PIN Validation


This AOC is based on results noted in the ROC dated (completion date).
Based on the results documented in the ROC noted above, the signatories identified in Parts 3b-3c, as
applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document
(check one):

Compliant: All sections of the PCI PIN ROC are complete and all questions are answered affirmatively, resulting in an overall COMPLIANT rating; thereby (Service Provider Company Name) has demonstrated full compliance with the PCI PIN Security Requirements.

Non-Compliant: Not all sections of the PCI PIN ROC are complete, or not all questions are answered affirmatively, resulting in an overall NON-COMPLIANT rating; thereby (Service Provider Company Name) has not demonstrated full compliance with the PCI PIN Security Requirements.
Target Date for Compliance:
An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with the payment brand(s) before completing Part 4.

Compliant but with Legal Exception: One or more requirements are marked “Not in Place” due to a legal restriction that prevents the requirement from being met. This option requires additional review from the acquirer or payment brand.
If checked, complete the following:

Affected Requirement | Details of how the legal constraint prevents the requirement from being met

Part 3a. Acknowledgement of Status


Signatory(s) confirms:
(Check all that apply)

The ROC was completed according to the PCI PIN Security Requirements and Testing Procedures,
Version (version number), and was completed according to the instructions therein.
All information within the above-referenced ROC and in this attestation fairly represents the results of
my assessment in all material respects.
I have read the PCI PIN and I recognize that I must maintain PCI PIN compliance, as applicable to my
environment, at all times.
If my environment changes, I recognize I must reassess my environment and implement any
additional PCI PIN requirements that apply.

Part 3b. Assessed Entity PIN Security Attestation

Signature of Executive Officer of Assessed Entity


Assessed Entity Executive Officer Name:
Title:
Date:

Part 3c. Qualified PIN Assessor (QPA) Company Acknowledgement

Describe the role performed by the QPA and others that participated from within the QPA Company:

Signature of Duly Authorized Officer of QPA Company:
Date:
Duly Authorized Officer Name:
QPA Company:

Part 4. Action Plan for Non-Compliant Requirements
Select the appropriate response for “Compliant to PCI PIN” for each requirement. If you answer “No” to any
of the requirements, you may be required to provide the date your Company expects to be compliant with
the requirement and a brief description of the actions being taken to meet the requirement.
Check with the applicable payment brand(s) before completing Part 4.

PCI PIN Control Objective | Description of Control Objective | Compliant to PCI PIN (Select One): YES / NO | Remediation Date and Actions (If “NO” selected for any Control Objective)

Control Objective 1: PINs used in transactions governed by these requirements are processed using equipment and methodologies that ensure they are kept secure.
Control Objective 2: Cryptographic keys used for PIN encryption/decryption and related key management are created using processes that ensure that it is not possible to predict any key or determine that certain keys are more probable than other keys.
Control Objective 3: Keys are conveyed or transmitted in a secure manner.
Control Objective 4: Key-loading to HSMs and POI PIN-acceptance devices is handled in a secure manner.
Control Objective 5: Keys are used in a manner that prevents or detects their unauthorized usage.
Control Objective 6: Keys are administered in a secure manner.
Control Objective 7: Equipment used to process PINs and keys is managed in a secure manner.
Annex A1 – Control Objective 3: Keys are conveyed or transmitted in a secure manner.
Annex A1 – Control Objective 4: Key-loading to HSMs and POI PIN-acceptance devices is handled in a secure manner.
Annex A1 – Control Objective 5: Keys are used in a manner that prevents or detects their unauthorized usage.
Annex A1 – Control Objective 6: Keys are administered in a secure manner.
Annex A2 – Control Objective 3: Keys are conveyed or transmitted in a secure manner.


Annex A2 – Control Objective 4: Key-loading to HSMs and POI PIN-acceptance devices is handled in a secure manner.
Annex A2 – Control Objective 5: Keys are used in a manner that prevents or detects their unauthorized usage.
Annex A2 – Control Objective 6: Keys are administered in a secure manner.
Annex A2 – Control Objective 7: Equipment used to process PINs and keys is managed in a secure manner.
Annex B – Control Objective 1: PINs used in transactions governed by these requirements are processed using equipment and methodologies that ensure they are kept secure.
Annex B – Control Objective 2: Cryptographic keys used for PIN encryption/decryption and related key management are created using processes that ensure that it is not possible to predict any key or determine that certain keys are more probable than other keys.
Annex B – Control Objective 3: Keys are conveyed or transmitted in a secure manner.
Annex B – Control Objective 4: Key-loading to HSMs and POI PIN-acceptance devices is handled in a secure manner.
Annex B – Control Objective 5: Keys are used in a manner that prevents or detects their unauthorized usage.
Annex B – Control Objective 6: Keys are administered in a secure manner.
Annex B – Control Objective 7: Equipment used to process PINs and keys is managed in a secure manner.
