Expert Payments Security and Encryption Consulting

PCI PIN Requirement 18-3, Key Blocks Implementation “Phase 1,” is effective June 1st. Are you ready?

Most organizations in the payments industry are aware that the latest requirements for Key Blocks in PCI PIN 3.0 have been broken into three phases, each with its own effective date. This allows organizations to focus their resources on the implementation tasks specific to their environment and supports a smooth migration across the payments network. However, now is the time to take action, as implementing key blocks will take extensive project coordination and sizable work from development teams.

Phase 1: Effective June 2019: Implement key blocks for internal connections and key storage within service provider environments; this would include all applications and databases connected to hardware security modules (HSMs).

  • All entities with SCDs must utilize Key Blocks for storage within their environments, i.e., BDK, KEK, ZMK – this includes all applications and databases connected to Hardware Security Modules (HSMs) on or before June 2019.

June 1st is only a few weeks away. Do not allow your organization to become non-compliant, or risk possible fines. Reach out to GEM SECURITY SOLUTIONS now to discuss implementation of Phase 1.

The other two Phases of 18-3 requirements are as follows:

  • Phase 2: Effective 1st June 2021: Implement key blocks for external connections to associations and networks.
  • Phase 3: Effective 1st June 2023: Implement key blocks to extend to all merchant hosts, POS devices and ATMs.

Organizations should use their cryptographic-key summary to identify secret keys conveyed or stored, and examine documented procedures. In addition, they should observe key operations to verify that secret cryptographic keys are managed as key blocks using mechanisms that cryptographically bind the key usage to the key at all times via one of the acceptable methods or an equivalent.

Where key blocks are not implemented, organizations should identify and examine project plans to implement in accordance with the prescribed timeline.

Very Important Note: Sunset Dates have been added in PCI PIN 3.0 for allowed injection of clear-text secret or private keying material as follows:

  • Effective 1 January 2021, the injection of clear-text secret or private keying material shall not be allowed for entities engaged in key injection on behalf of others. Only encrypted key injection shall be allowed for POI v3 and higher devices.
  • Effective 1 January 2023, the same restriction applies to entities engaged in key injection of devices for which they are the processors.

GEM SECURITY SOLUTIONS can assist your organization in becoming compliant under the new PCI PIN 3.0 requirements.

For consulting services to ensure your business is compliant contact us at:

