Document Comparison

PCI_PTS_POI_VQ_v4.pdf PCI_PTS_POI_VQ_v4-1a_Sept_2015.pdf
88% similar
111 → 126 Pages
16999 → 19064 Words
47 Content Changes

Content Changes

47 content changes. 44 administrative changes (dates, page numbers) hidden.

Added p. 2
June 2015 4.1 Updates for errata and new core section J

September 2015 4.1a Section J updates
Added p. 12
Section A4, continued
Added p. 23
Section B2, continued
Added p. 27
Section B4.2 If the answer to B4.2 in the PCI PTS POI Security Requirements was “YES,” describe:
Added p. 31
Section B7, continued 9 The management of any data used for authentication.
Added p. 35
Section B11, continued 11 What other data are erased?
Added p. 71
2. For remote updates, how the update mechanism ensures security i.e., integrity, server authentication, and protection against replay, by using an appropriate and declared security protocol
Added p. 98
Section K17, continued 11 Other data that is erased.

Section K17, continued 16 The hashing algorithm(s) that are used.
Added p. 104
Section K22, continued 9 The management of any data used for authentication.
Added p. 107
Section L1 If the answer to L1 in the PCI PTS POI Security Requirements was “YES,” describe:
Added p. 108
Section L2 If the answer to L2 in the PCI PTS POI Security Requirements was “YES,” describe:
Added p. 109
Section L3 If the answer to L3 in the PCI PTS POI Security Requirements was “YES,” describe:
Added p. 110
Section L4 If the answer to L4 in the PCI PTS POI Security Requirements was “YES,” describe:
Added p. 110
How production software (e.g., firmware) is stored during manufacturing.
Added p. 111
Section L5 If the answer to L5 in the PCI PTS POI Security Requirements was “YES,” describe:
Added p. 112
Section L6 If the answer to L6 in the PCI PTS POI Security Requirements was “YES,” describe:
Added p. 113
Section L7 If the answer to L7 in the PCI PTS POI Security Requirements was “YES,” describe:
Added p. 113
2. The process to maintain and development security documentation describing all the physical, procedural, personnel, and other security measures that are necessary to protect the integrity of the design and implementation of the POI security-related components in their development environment.

3. The documented and approved processes that provide evidence that security measures are followed during the development and maintenance of the POI security-related components.

4. What evidence validates that the security measures provide the necessary level of protection to maintain the integrity of the POI security-related components.

Section L8 If the answer to L8 in the PCI PTS POI Security Requirements was “YES,” describe:
Added p. 114
2. The process used for inspection and testing subsequent to repair to ensure that the device has not been subject to unauthorized modification.

3. The process for resetting the tamper mechanisms.
Added p. 115
Note: In the following requirements, the device under evaluation is referred to as the “device.”

Section M1 If the answer to M1 in the PCI PTS POI Security Requirements was “YES,” describe:
Added p. 115
2. The customer documentation that provides instruction on validating the authenticity and integrity of the POI.
Added p. 116
Section M2 If the answer to M2 in the PCI PTS POI Security Requirements was “YES,” describe:
Added p. 117
Section M3 If the answer to M3 in the PCI PTS POI Security Requirements was “YES,” describe:
Added p. 117
Section M4 If the answer to M4 in the PCI PTS POI Security Requirements was “YES,” describe:
Added p. 118
Section M5 If the answer to M5 in the PCI PTS POI Security Requirements was “YES,” describe:
Added p. 118
Section M6 If the answer to M6 in the PCI PTS POI Security Requirements was “YES,” describe:
Added p. 118
Section M7 If the answer to M7 in the PCI PTS POI Security Requirements was “YES,” describe:
Added p. 119
Section M8 If the answer to M8 in the PCI PTS POI Security Requirements was “YES,” describe:
Added p. 119
- Data on production and personalization
- Physical/chronological whereabouts
- Repair and maintenance
- Removal from operation
- Loss or theft
Modified p. 1
Payment Card Industry (PCI) PIN Transaction Security (PTS) Point of Interaction (POI) Modular Evaluation Vendor Questionnaire Version 4.0
Payment Card Industry (PCI) PIN Transaction Security (PTS) Point of Interaction (POI) Modular Evaluation Vendor Questionnaire Version 4.1a
Modified p. 2
June 2013 4.0 Initial public release
June 2013 4.0 Public release
Modified p. 8 → 5
Application Version Number:
Application Version Number: (if applicable) Questionnaire completed by:
Modified p. 10 → 7
Section A1 (continued) 10 How the device is constructed, by attaching in Annex B at the end of the Questionnaire an exploded diagram of the device showing how all sub-components are assembled and connected internally.
Section A1, continued 10 How the device is constructed, by attaching in Annex B at the end of the Questionnaire an exploded diagram of the device showing how all sub-components are assembled and connected internally.
Modified p. 11 → 8
Section A1 (continued) 20 How the device is protected from:
Section A1, continued 20 How the device is protected from:
Modified p. 14 → 11
Section A4 (continued) 8 Whether physical protections are used as a protection method (for example when plaintext information exists in external memory.
Section A4, continued 8 Whether physical protections are used as a protection method (for example when plaintext information exists in external memory.
Modified p. 14 → 11
- If a key stream mode of encryption is used (e.g. OFB), how the encryption of different data with the same key is prevented.
- If a key stream mode of encryption is used (e.g., OFB), how the encryption of different data with the same key is prevented.
Modified p. 43 → 42
Section B16 (continued) 7 The key-management, key-distribution and other techniques defined and used for the cryptographic key(s) in question. Describe who/which entity possesses which key(s) and under what circumstances.
Section B16, continued 7 The key-management, key-distribution and other techniques defined and used for the cryptographic key(s) in question. Describe who/which entity possesses which key(s) and under what circumstances.
Modified p. 49
Section D1 (continued) 10 The rationale as to why the ICC reader prevents or otherwise detects the successful implant of a sensitive-data-disclosing bug aiming at capturing offline PIN and IC card information.
Section D1, continued 10 The rationale as to why the ICC reader prevents or otherwise detects the successful implant of a sensitive-data-disclosing bug aiming at capturing offline PIN and IC card information.
Modified p. 69
Section I7 If the answer to I7 in the PCI PTS POI Security Requirements was “YES,” describe:
Section I6 If the answer to I6 in the PCI PTS POI Security Requirements was “YES,” describe:
Modified p. 69
Protocol Name Reference The device’s session-management features to ensure that connections are not left open for longer than necessary.
Protocol Name Reference 2 The device’s session-management features to ensure that connections are not left open for longer than necessary.
Modified p. 75
Section K1.1 (continued) For Magnetic-Stripe Entry 1 The mechanisms used by the device to capture data from magnetic-stripe payment cards, including any necessary APIs.
Section K1.1, continued For Magnetic-Stripe Entry 1 The mechanisms used by the device to capture data from magnetic-stripe payment cards, including any necessary APIs.
Modified p. 76
Section K1.1 (continued) For Manual PAN Key Entry 1 The protections used to prevent penetration of the device for the purpose of determining or modifying account data.
Section K1.1, continued For Manual PAN Key Entry 1 The protections used to prevent penetration of the device for the purpose of determining or modifying account data.
Modified p. 77
Section K1.1 (continued) Tamper-Detection Mechanisms 1 The mechanisms protecting against tampering.
Section K1.1, continued Tamper-Detection Mechanisms 1 The mechanisms protecting against tampering.
Modified p. 91 → 92
The firmware functions provided by the processor on which such non-firmware applications would execute (e.g. PIN processing, cryptographic key operations, prompt control, etc.)
The firmware functions provided by the processor on which such non-firmware applications would execute (e.g., PIN processing, cryptographic key operations, prompt control, etc.)
Modified p. 106 → 121
| | Device Measurement | Maximum for classification as handheld |
|---|---|---|
| The width at the “5” key | | 7.62 cm |
| The height at the “5” key | | |
| The sum of the width and the height at the “5” key | | |
| The keypad length, from the bottom of the “0” key to the top of the “2” key | | 10.16 cm |
| The weight of the POI | | 500 grams |

| Dimension | Device Measurement | Maximum for classification as handheld |
|---|---|---|
| The width at the “5” key | | 7.62 cm |
| The height at the “5” key | | |
| The sum of the width and the height at the “5” key | | |
| The keypad length, from the bottom of the “0” key to the top of the “2” key | | 10.16 cm |
| The weight of the POI | | 500 grams |

DTR TA8.11 If the device provides a privacy shield, complete the table below with angles of observation to the center of …
Removed p. 107
Processing/ Firmware Element | Elements Used to Perform Authentication | Algorithms and Key Sizes Used for Firmware Authentication | Format of Authentication | Process Performed if Authentication
Modified p. 109 → 123
Processing/ Firmware Element | Elements Used to Perform Authentication | Algorithms and Key Sizes Used for Firmware Authentication | Format of Authentication | Process Performed if Authentication
Use the table below to detail the environmental-protection features implemented by the POI.
Processing/ | Elements Used to Perform Authentication | Algorithms and Key Sizes Used for Firmware Authentication | Format of Authentication | Process Performed if Authentication