Document Comparison

PCI_Card_Production_v1.1_Summary_of_Changes_March_2015.pdf PCI_Card_Production_v2.0_Summary_of_Changes.pdf
18% similar
14 → 16 Pages
3287 → 3936 Words
25 Content Changes

Content Changes

25 content changes. 20 administrative changes (dates, page numbers) hidden.

Added p. 4
Perform cloud-based or secure element (SE) provisioning services; Manage over-the-air (OTA) personalization, lifecycle management, and preparation of personalization data; or Manage associated cryptographic keys.

Requirement General Clarified that the specific applicability of these requirements is up to the individual payment brands; and the payment brand(s) of interest should be contacted for the applicability of these requirements to any card production or provisioning activity.

Requirement 2 Personnel Job and Sensitive Task Allocation Restrictions Stipulated that the vendor is responsible for determining the level of job responsibilities assigned to any temporary or interim staff (including consultants and contractors), except where the job function is restricted to employees.

Additional Guidance Employees: ID Badge or Access Card Specified that the security manager must review audit logs of the ID badge access control system weekly to ensure badge assignments are appropriate.

Note: Sections 2.1.3.3 through 2.1.3.5 moved to new section 3.4.2, Badge Administration Requirement Change in Employee Job State …
Added p. 5
The vendor must program the visitor access badge or card to enable the tracking of movement of all visitors. It should be activated only for areas that the visitor is authorized to enter.

Visitors must use their access card in the card readers to the room into which they enter.

Badging to track access must be used wherever feasible. Any un-badged access must be recorded in a log. Logs may be electronic and/or manual.

Requirement 3 Premises Internal Structure and Processes - Security Control Room: Definition Clarified that the CCTV and access control servers must be in the security control room or a room with equivalent security and must not be in the HSA.

Additional Guidance High Security Areas (HSAs): Definition Specified that cloud-based systems must exist in either the server room in the HSA or, if the only activity by the vendor, its own room meeting the criteria stipulated in this HSA section.

Clarified …
Added p. 6
Systems and applications that make up the cloud-based provisioning network must be physically segregated from other vendor networks and internet-connected networks. This includes separation of servers, firewall, and HSM. For example, in a traditional card vendor environment this could be a separate rack in a server room, or in a provisioning-only entity, housed in a separate room or cage in a data center. It cannot be in the same rack as other servers used for different purposes.

Requirement Stipulate:

The vault must be protected with a sufficient number of intruder-detection devices that provide an early attack indication (e.g., seismic, vibration/shock, microphonic wire, microphone, etc.) on attempts to enter and also provide full coverage of the walls, ceiling, and floor.

The vault must be fitted with a main steel-reinforced door with a dual-locking mechanism (mechanical and/or logical e.g., mechanical combination and biometrics) that requires physical and simultaneous dual-control access.

Unsealed boxes are only permitted for stock …
Added p. 7
For generic administrative accounts that cannot be disabled, the password must be used only for emergency. The password must be changed from the default value and managed under dual control.

Requirement Decommissioning Plan New requirement addressing termination of production activities.

Requirement 4 Production Procedures and Audit Trails Personalization Audit Clarification on who may sign off: Name and signature of an individual other than the operator, who is responsible for verifying the count.

Requirement 6 PIN Printing and Packaging of Non-personalized Prepaid Cards Modified: An employee who is involved in PIN printing must not be involved in the card personalization process or the packaging of the card with the PIN process.

Requirement Appendix A Applicability of Requirements New appendix to define which requirements apply to:
Added p. 8
• Added glossary definitions for: Cloud-Based Provisioning, COTS, Host Card Emulation, Mobile Provisioning, OTA, OTI, Secure Element, and Segregation of Duties.

• Modified definitions for Armored Vehicle, Card Products, High Security Areas (HSAs).

Requirement 2 Roles and Responsibilities Assignment of Security Added requirement that the CISO must identify a security environment Requirement

Requirement 3 Security Policy and Procedures Information Security Clarified that evidence of staff review and acceptance of ISP must be maintained.

Requirement Incident Response Plans and Forensics documented incident response plan for known or suspected compromise of any classified data must …
Added p. 12
Identification of security alerts (e.g., subscribing to security alerts such as Microsoft and the Computer Emergency Response Team (CERT))

Identification of system component updates that affect the supportability and stability of operating systems, software drivers, and firmware components

Inventory of current systems in the environment, including information about installed software components and about running services

Requirement Remote Access Clarified that this section applies to remote administration by the vendor, and not issuer connections.

Additional Guidance Remote Access: Virtual Private Network (VPN) Added criteria:

For remote access, VPNs must start from the originating device (e.g., PC or off-the-shelf device specifically designed for secure remote access) and terminate at either the target device or the personalization firewall. If the termination point is the firewall, it must use at least a TLS connection in accordance with PCI Data Security Requirement 4.1 to the target device.

For remote access to DMZ components, the VPN must terminate at …
Added p. 14
Development Specified that the vendor must:

Ensure separation of duties exists between the staff assigned to the development environment and those assigned to the production environment.

Ensure that software source code is restricted to only authorized staff. Staff access of source code must follow a documented process. The authorizations and approvals must be documented.

Requirement Use of Web Services for Issuer Interfaces Added a new section regarding the use of web services for issuer interfaces for cloud-based implementations.

Ensure that procedures are documented and followed by security personnel responsible for granting access.

Restrict approval and level of access to staff with a documented business need before access is granted. At a minimum, documented approvals must be retained while the account is active.

Ensure that access controls enforce segregation of duties.

For cloud-based provisioning, restrict issuer access and privileges to only t Strictly limit privileged or administrative access and manager and the security manager.

Establish management oversight of …
Added p. 15
Requirement 8 Key Management: Secret Data 8.1 General Principles Clarified that where clear key components or shares pass through a computer, the computer must be dedicated and hardened.

Specified that digital certificates used in conjunction with cloud-based provisioning products or services must be issued either from a trusted Certificate Authority (CA) or directly under an issuer or application provider PKI.

Requirement Symmetric Keys Specified that key components for each specific custodian must be stored in a separate, secure container that is accessible only by the custodian and/or designated backup(s).

Requirement 8.3 Asymmetric Keys Clarified that no single person shall be able to access or use all components or a quorum of shares of a single private cryptographic key.

Key Manager Clarified that the key manager must be an employee of the vendor.

Requirement Key-Management Device PINS Clarified that all equipment associated with key-management activity, such as brass keys and smart cards, must not …
Added p. 16
• Physical cards

• SE-based provisioning

• HCE provisioning

Additional Guidance Appendix B Topology Section New appendix to illustrate acceptable examples of network topologies.

Additional Guidance Glossary of Acronyms and Terms Added glossary definitions for: Cardholder Data, Cloud-Based Provisioning, COTS, Host Card Emulation, Mobile Provisioning, OTA, OTI, Remote Access, Secure Element, Segregation of Duties, Stand-Alone Network, Trusted Certification Authority, and Virtual Private Network.
Modified p. 1
Payment Card Industry (PCI) Card Production Security Requirements Summary of Changes from PCI Card Production Version 1.0 to 1.1
Payment Card Industry (PCI) Card Production and Provisioning Security Requirements Summary of Changes from PCI Card Production and Provisioning Version 1.1 to 2.0
Removed p. 4
Requirement 2

• Personnel 2.1.3.3 Identification badges Clarified that access credentials are not restricted to cards.

Requirement 3

• Premises 3.2.1 Emergency Exits Added criteria that emergency exits must not be capable of being opened from outside nor lead to a higher security area.

Requirement Change 3.3.2.2 Location and Security Protection Clarified that person-by-person access may be fulfilled through a procedural control.

Clarified that one-way mirror film or other material is not the only acceptable method to prevent observation of security equipment inside the security control room.

Additional Guidance 3.3.3 High Security Areas (HSAs) Clarified that equipment that is purely associated with test activities is not allowed in the HSA.

Additional Guidance 3.3.4 HSA

• Security Protection and Access Procedures Rephrased motion-detection activation criteria.

Clarified that medical items such as medications and tissues are allowed if in clear containers that can be examined and that no food or beverages are allowed.

Additional Guidance 3.3.4 HSA

• Security Protection and Access …
Modified p. 4
Section 2: Summary of Changes Changes to Physical Security Requirements Reference Change Type
Section 2: Summary of Changes Changes to Physical Security Requirements Reference Change Type

General Modified the document title to reflect the change in scope and the addition of requirements to reflect the inclusion of criteria for mobile provisioning. Specifically it includes physical security requirements for vendors that:
Removed p. 5
Requirement Change 3.3.5.3 Card Product and Component Destruction Room(s) Renamed section.

Clarified that a dedicated room must be used for the destruction of card product and component waste.

Additional Guidance 3.3.5.5 Server Room & Key Management Room Clarified that data preparation must occur here and that server processing and key management may occur in the same room or each in a separate room.

Additional Guidance 3.3.5.6 Vault Added, as an option to the use of reinforced concrete, the use of materials that at least meet the Underwriters Laboratories Class I Burglary Certification Standards, which provide for at least 30 minutes of penetration resistance to tool and torch for all perimeter surfaces.

Defined that if the construction of the vault leaves a small (dead) space between the vault and the outside wall, this space must be constantly monitored for intrusion, e.g., motion sensors.

Removed exception for emergency exits and stated that there must be no …
Removed p. 6
Clarified that all boxes with payment cards must be sealed, and a visible label describing the product type, a unique product identifier number, the quantity of cards contained in the box, and the date of control must be attached to the boxes.

Additional Guidance 3.4.4.2 Locks and Keys: Audits and Accountability Clarified that the security manager’s quarterly review applies to keys that allow access to sensitive materials.

Additional Guidance 3.4.5.2 Closed Circuit Television: Monitor, Camera, and Digital Recorder Requirements Added option that motion-activated CCTV may be used, provided that the recording captures any motion at least 10 seconds before and after the detected motion.

Requirement Change 3.4.5.4 Retention of Video Recordings Clarified that both primary and backup copies must exist for a minimum of 90 days and that backups may also be stored in other facilities via techniques such as disk mirroring, provided the storage is secure in accordance with these …
Removed p. 7
State that used tipping foil must be removed from the machine during non-production hours.

State that when destroyed the results must be non-readable and non-recoverable.

Requirement Change 4.8.2 Tipping Foil Clarified that prior to destruction (e.g., shredding) the foil must be stored within the HSA under dual access control.

Clarified that the destruction log applies whether reels are partial or full.

Additional Guidance 4.8.3 Indent Printing Module Clarified that requirement applies to payment system proprietary type faces.

Additional Guidance 4.10 Destruction and Audit Procedures Clarified that destruction must be carried out in a separate room as defined in 3.3.5.3.
Removed p. 8
• For transfer to the mail facility, personalized cards can be transported using a company vehicle with the following security controls:

- A GPS tracking device is used and monitored during transport from within the security control room.

- The contents are secured with tamper-evident straps and checked upon delivery.

- The vehicle is loaded using dual control and locked during transport.

- Vehicle drivers do not have a key or access to contents.

- Two persons are in the vehicle equipped with a device to communicate with the security control room.

• Issuer consent must be a letter signed by a corporate officer indicating the destination of the card shipment and acceptance of complete and total liability for any loss, theft, or misplacement of the cards.

• “Personalized bulk cards” includes cards that have been personalized with a cardholder name, generic identifier, or no cardholder identifier.

Additional Guidance 5.4 Delivery Defined that PIN mailers and cards must …
Modified p. 8 → 7
Requirement 5 Packaging and Delivery Requirements Added the following clarifications:
Requirement 5 Packaging and Delivery Requirements Modification of stipulations for courier delivery. Requirement Secure Transport Modifications to criteria for both armored and unarmored vehicles.
Removed p. 9
Clarified that the vendor is responsible for a manifest for packages sent by courier service that describes the package contents and enables contents verification upon receipt.
Removed p. 10
Requirement 4

• Data Security 4.8 Data Used for Testing New section to address data and cryptographic keys used for testing vs. production.

Requirement 5

• Network Security 5.1 Typical Vendor Network Defined and illustrated acceptable vendor network designs.

Requirement 5.1.3 Card Production DMZ Defined the following:

• This criterion applies to the card production network and it must be segregated from other parts of an organization's network.

• Effective 1 January 2016, the DMZ must be located in the server room of the HSA.

• DMZ infrastructure equipment within the HSA server room must be in a dedicated rack with access restricted to the minimum number of authorized individuals.

• All switches and cabling associated with the DMZ equipment must be stored within the same rack with only the minimum required number of cable connections entering/exiting the rack in order to provide connectivity to firewalls.

Requirement Change 5.2 General Requirements Clarified that controls in place to restrict …
Removed p. 11
• The vendor must use a wireless intrusion detection system (WIDS) capable of detecting hidden and spoofed networks for all authorized wireless networks.

• When a vendor uses a wireless network, the WIDS must be used to conduct random scans within the HSA at least monthly to detect rogue and hidden wireless networks.

• When a vendor does not use a wireless network, the vendor must still use a scanning device that is capable of detecting rogue and hidden wireless networks. Random scans of the HSA must be conducted at least monthly.

Requirement Change 5.7.3 Additional Requirements for Wi-Fi Standard Clarified that the term MAC previously used in this context means media access control.

Additional Guidance 5.8 Security Testing and Monitoring Defined that both internal and external network vulnerability scans must occur at least quarterly and after any significant change in the network.

Requirement 6

• System Security 6.3 Configuration and Patch Management Changed the implementation …
Modified p. 11 → 14
Requirement 7 User Management and System Access Control 7.2.2 Password Control: Characteristics and Usage Clarified that the 90-day maximum for passwords can be less and that the one-day minimum can be longer.
Requirement 7 User Management and System Access Control User Management Specified that the vendor must:
Removed p. 12
Requirement 8

• Key Management: Secret Data 8.1 General Principles Provided that the vendor must have a written description of the vendor’s cryptographic architecture that details all the keys used by each HSM. The key description must describe the key usage.

Requirement Change 8.1 General Principles Clarified that the principles of split knowledge and dual control apply to activities involving key components and that the only exceptions to these principles involve those keys that are managed as cryptograms or stored within a SCD.

Additional Guidance 8.3 Asymmetric Keys Changed the reference to ISO 16609.

Additional Guidance 8.4.2 Key-Management Security Administration: Key Manager Clarified that if the key manager is also a key custodian, other key custodians who, in conjunction with the key manager, would form a threshold to create a key must not report to the key manager.

Additional Guidance 8.4.3 Key Custodians Clarified that the roles and responsibilities of key custodians must …
Removed p. 13
Clarified that access logs must include custodian signatures and that envelope serial numbers must be logged for both placement into storage and removal.

• Private keys shall be used only to create digital signatures OR to perform decryption operations. Private keys shall never be used to encrypt other keys.

• RSA signature (private) keys must be prohibited from being used for the encryption of either data or another key, and similarly RSA encryption (public) keys must be prohibited from being used to generate signatures.

• Public keys shall be used only to verify digital signature OR perform encryption operations.

• Key-encrypting keys must never be used as working keys (session keys) and vice versa.

Defined that issuer keys must not be used for longer than the issuer-specified expiry date.

State that an inventory of keys under the vendor’s management must be maintained to determine when a key is no longer required.

Define that all derivation keys must be …
Modified p. 13 → 15
Additional Guidance 8.9 Key Usage Redefined the requirements to:
Additional Guidance 8.4.2 Key-Management Security Administration:
Removed p. 14
Clarified that the vendor must remove from operational use all compromised keys within a predefined time frame and provide a means of migrating to new key(s) and where keys are issuer-owned, the issuer must be notified immediately for further instruction.

Requirement 9

• Key Management: Confidential Data 9.1 General Principles Defined that issuer keys must not be used for longer than the issuer-specified expiry date.

Requirement Change Glossary of Acronyms and Terms Glossary of Acronyms and Terms Defined POTS, Application Keys, Authentication Value, Hardware Security Module, Key-Management Device, Local Master Key, Master Derivation Key, Master File Key, Personalization, Personalization Keys, Session Key, Variant of a Key, Working Key.