An Introduction to PIN Encryption

An Introduction to PIN Encryption


What is PIN encryption?

A PIN (Personal Identification Number) is used to verify the identity of your customer during debit, EBT, and beginning January 2018, face-to-face EMV transactions, protecting both you and the cardholder from fraudulent activity. The cardholder enters their PIN into your PIN pad or credit card terminal, and that PIN is then transmitted over the various card issuer networks, confirming the cardholders identity. For security purposes, the PIN is "encrypted" by the PIN pad or terminal before it is transmitted over the networks. Every card network uses their own encryption key (they sometimes have more than one), and that encryption key must be loaded, or "injected," into your PIN pad or terminal before it can successfully transmit PIN data and complete a PIN transaction.

What is encryption key injection?

The process of loading your processing company's encryption key to a PIN pad or credit card terminal is referred to as key injection. The injection process must be performed in a secure ESO facility per PCI security rules. This is not something that you can do yourself, or that can be done via a phone line or Ethernet download.

Do I need to inject an encryption key into my PIN pad or credit card terminal?

Starting in January 2018, MasterCard will begin circulating a new series of cards that begin with the number 2, rather than the usual 5. This new series of cards will require that the cardholder enter a PIN during all face-to-face transactions in order for the transaction to be considered EMV compliant. If your PIN pad or credit card terminal is not injected with your processing companies encryption key, it will not be possible for you customer to enter their PIN. You will still be able to accept the card as payment, but the transaction will not be considered EMV compliant. What does this mean to you? It means if the cardholder decides to dispute the transaction, no matter what their reasoning, and they did not enter their PIN at the point of sale, then you will automatically lose the dispute and your money.

There are only a few cases where encryption key injection is not required: If you hand key all your transactions, or accept payments from cardholders who are not present at the point/ time of sale, then there is no point in injecting an encryption key to your terminal, as the cardholder is not present to insert their chip and enter their PIN.

All PIN pads must be injected with an encryption key in order to accept PIN related transactions (debit, EBT, EMV). If you are using a stand-alone credit card terminal, then it also must be injected with an encryption key in order to accept PIN related transactions. However, if you are using a PIN pad together with a credit card terminal, then it is only necessary for the PIN pad to be injected with your encryption key - you don't need to inject the terminal.

Still have questions? Contact us at 561-899-0515 or sales@americanterminals.com