

# Assessment Scope


The first step in planning any assessment is documenting the scope. For PCI PIN, the scope is systems and processes that protect PINs, including protection of the cryptographic keys and devices that protect them - payment terminals, also called points-of-interaction (POI), HSMs, and other secure cryptographic devices (SCD).

We will not address requirements where you retain full responsibility, because these cover areas outside the scope of the service, for example, configuration and provisioning of payment terminals. Refer to the AWS Payment Cryptography Shared Responsibility Guide for PCI PIN, available on AWS Artifact.

**Topics**
+ [Shared Responsibility](pin-compliance-scope-sr.md)
+ [High-Level Network Diagrams](pin-compliance-scope-diagram.md)
+ [Key Table](pin-compliance-scope-kt.md)
+ [Document References](pin-compliance-scope-dr.md)

# Shared Responsibility


AWS Payment Cryptography is an Encryption and Support Organization (ESO) and a PIN-Acquiring Third-Party Servicer (TPS), as defined by the [Visa PIN Security Program](https://usa.visa.com/splisting/splistinglearnmore.html#vpsp) and listed on the Visa Global Service Provider Registry, under “Amazon Web Services, LLC”. This means that the service is allowed by Visa to be used by PIN-Acquiring Third-Party VisaNet Processor (VNP), PIN-Acquiring Client VisaNet Processor Acting as a Service Provider, and other TPS and ESO providers without requiring further assessment by customer PIN assessors (PCI Qualified PIN Assessors or PCI QPA).

Other card brands or payment network providers may rely on the Visa PIN Security Program or have their own programs. Contact AWS Support for questions about service compliance for other payment network programs.

AWS provides the PCI PIN Security attestation of compliance (AOC) and Shared Responsibility Guide for AWS Payment Cryptography in AWS Artifact. Use of service providers in PIN processing has been common for many years; however, the PCI PIN Security Standard, up through version 3.1, does not address third-party service provider management. Neither does the Visa PIN Security Program. Customer QPAs have followed the model established with the PCI DSS AOC and Shared Responsibility Guide of referring to AWS’ compliance as successfully meeting the test for applicable requirements.

# High-Level Network Diagrams


The PCI PIN Reporting Template requires, “For entities engaged in the processing of PIN based transaction provide a network schematic describing PIN based transaction flows with the associated key type usage. Additionally, KIFs and entities engaged in remote key distribution using asymmetric techniques should provide keying material flows.”

AWS Payment Cryptography has reported the internal service structure for our PCI PIN assessment. Your diagrams will illustrate calling the service APIs for PIN processing.

Example high-level network diagram for a PIN application using AWS Payment Cryptography:

![\[Example high-level network diagram for a PIN application using AWS Payment Cryptography\]](http://docs.aws.amazon.com/payment-cryptography/latest/userguide/images/high-level-network-example.png)


# Key Table


The report requires that all keys protecting PINs, directly or indirectly, are listed. Any keys that exist in the service can be listed with the [ListKeys API](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ListKeys).

Be sure to provide the key list for all regions and accounts that own keys for your application.
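
One way to assemble the key table from ListKeys output across every account and region, shown as an added example that is not AWS's own code. It assumes boto3 and one named AWS CLI profile per key-owning account; the profile and region names in the `__main__` block are hypothetical.

```python
import csv
import sys

FIELDS = ["account", "region", "key_arn", "usage", "algorithm",
          "key_class", "kcv", "state", "exportable"]


def list_region_keys(client):
    """Yield every KeySummary from ListKeys, following NextToken pagination."""
    kwargs = {}
    while True:
        page = client.list_keys(**kwargs)
        yield from page.get("Keys", [])
        if not page.get("NextToken"):
            return
        kwargs["NextToken"] = page["NextToken"]


def build_key_table(clients):
    """clients maps (account_label, region) -> payment-cryptography client."""
    rows = []
    for (account, region), client in sorted(clients.items()):
        for key in list_region_keys(client):
            attrs = key.get("KeyAttributes", {})
            rows.append(dict(zip(FIELDS, [
                account, region, key["KeyArn"],
                attrs.get("KeyUsage", ""), attrs.get("KeyAlgorithm", ""),
                attrs.get("KeyClass", ""), key.get("KeyCheckValue", ""),
                key.get("KeyState", ""), key.get("Exportable", ""),
            ])))
    return rows


def boto3_clients(profiles, regions):
    """Assumption: one AWS CLI profile per account that owns keys."""
    import boto3  # imported lazily so the table logic runs without it
    return {(p, r): boto3.Session(profile_name=p)
                         .client("payment-cryptography", region_name=r)
            for p in profiles for r in regions}


if __name__ == "__main__":
    # Hypothetical profile and region names; replace with your own.
    clients = boto3_clients(["acquirer-prod"], ["us-east-1", "us-west-2"])
    out = csv.DictWriter(sys.stdout, fieldnames=FIELDS)
    out.writeheader()
    out.writerows(build_key_table(clients))
```

The CSV carries the key check value and usage for each key, which lets the assessor reconcile the table against the key types shown on the network diagram.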

# Document References


Vendor documentation and recommendations for secure use of AWS Payment Cryptography are in the [User’s Guide](https://docs.aws.amazon.com/payment-cryptography/latest/userguide/) and [API Reference](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/Welcome.html). These are linked, as appropriate, in this guidance.