Document Comparison
PCI_PTS_POI_SRs_v5-1.pdf
→
PCI_PTS_POI_SRs_v6.pdf
67% similar
Pages: 62 → 55
Words: 17174 → 16023
Content Changes: 121
121 content changes. 82 administrative changes (dates, page numbers) hidden.
Added
p. 2
August 2019 6.x Created new module structure
Added
p. 4
• Encrypting PIN pads (EPPs) that require integration into POS terminals or ATMs.
Appendix B, “Applicability of Requirements,” details which requirements apply based upon functionality.
• The restructuring of the modules into:
• Communications and Interfaces
• Domain-Based Asset Flow Analysis
• Evaluation Guidance for CPUs
• The migration of technical FAQs into either the Derived Test Requirements or the Device Testing and Approval Program Guide.
• Restructured modules into Physical, Logical, Communications and Interfaces, and Life Cycle while retaining the Integration Module.
• POI v6 firmware expires three years from the date of approval but shall not expire past the overall approval expiration of the device.
• POI v6 chipsets must provide support for ECC.
• Eliminated Removal Detection Requirements.
• Split requirement A1 into two separate requirements: 1) Tamper Detection Mechanisms 2) Protection of Sensitive Keypad Inputs.
• Split requirement A6 into two separate requirements: 1) Invasive Attacks for Cryptographic Keys 2) Non-invasive Attacks for Cryptographic Keys.
• Allow the inclusion …
Added
p. 10
Yes No N/A Integration Communications and Interfaces Life Cycle Always Applicable:
Added
p. 15
3: Communications and Interfaces All Protocols and all interfaces on the device A set of requirements that ensures POI devices using communication protocols and interfaces are secure, including determination that those using open security protocols and open communication protocols to access public networks and services do not have public domain vulnerabilities.
An “N/A” response to a requirement is acceptable in two cases:
First, if compliance is achieved by meeting another requirement option, if one exists.
Second, if the characteristics governed by the requirement are absent in the device. The evaluation laboratory will verify that all responses are appropriate.
A2 There is no demonstrable way to disable or defeat the tamper mechanism/s and insert a sensitive key-press-disclosing bug.
Keypads used for PIN entry require an attack potential of at least 26 per device for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader, as defined in Appendix B.
Keypads …
Added
p. 18
A11 All account data is either encrypted immediately upon entry or entered in clear text into a secure device and processed within the secure controller of the device.
A12 The logical and physical integration of an approved secure card reader into a PIN entry POI terminal does not create new attack paths to the account data. The account data is protected from the input component to the secure controller of the device—i.e., it is not possible to insert a bug that would disclose sensitive data.
SCRPs shall require an attack potential of at least 26 for identification and initial exploitation, with a minimum of 13 for exploitation (D).
A14 The opening for the insertion of the IC card is in full view of the cardholder during card insertion so that any untoward obstructions or suspicious objects at the opening are detectable.
The update mechanism ensures security—i.e., integrity, mutual authentication, and protection against replay—by using …
Added
p. 21
B16.1 If the device supports software with lesser security requirements or that is not developed by the vendor—e.g., applications—it must enforce segregation at least between different software security domains.
B16.2 The vendor must provide clear security guidance consistent with D1 and B4 to all application developers to ensure:
B21 PIN protection during transmission between the device encrypting the PIN and the ICC reader (at least two must apply):
B22 If the device can be accessed remotely for the purposes of administration, all access attempts must be cryptographically authenticated. If the authenticity of the access request cannot be confirmed, the access request is denied.
Added
p. 23
B23.1 When operating in encrypting mode, the secure controller can only release clear-text account data to authenticated applications executing within the device.
If the device is capable of generating surrogate PAN values to be outputted outside of the device, it is not possible to determine the original PAN knowing only the surrogate value. Where a hash function is used to generate surrogate PAN values:
• Input to the hash function must use a salt with minimum length of 64 bits.
• The salt is kept secret and appropriately protected.
• Disclosure of the salt cannot occur without requiring an attack potential of at least 16 per device for identification and initial exploitation with a minimum of 8 for exploitation, as defined in Appendix B.
B25 The device has characteristics that prevent or significantly deter the use of the device for exhaustive PAN determination.
B26 Secure enablement tokens are required from the SPoC monitor system for operation …
Added
p. 25
Note: If the POI device has a keypad that can be used to enter non-PIN data, the device must meet at least one of the following: A8, B15, or C2.4.
• A8 applies to any components or paths containing plaintext display signals between the cryptographic processor and display unit.
• B15 applies to devices that allow for updates of prompts or use cryptography to communicate with a display, whether performed by the vendor or the acquirer.
• C2.4 is appropriate for unattended devices that do not meet any of the aforementioned.
C2.4 The POI (application) must enforce the correspondence between the display messages visible to the cardholder and the operating state (i.e., secure or non-secure mode) of the PIN entry device, e.g., by using cryptographic authentication.
The alteration of the correspondence between the display messages visible to the cardholder and the operating state of the PIN entry device cannot occur without requiring an attack potential …
Added
p. 26
D2 The device’s functionality shall not be influenced by logical anomalies such as (but not limited to) unexpected command sequences, unknown commands, commands in a wrong device mode, and supplying wrong parameters or data, which could result in the device outputting the clear-text PIN or other sensitive data.
D6 The device has all the security protocols that are available on the device clearly identified in the Open Protocols - Protocol Declaration Form. The device vendor provides documentation that describes the implementation and use of the security protocols that are available on the device.
D12 Bluetooth communications must be secured against eavesdropping and man-in-the-middle attacks.
D13 Wi-Fi communications must be securely configured. Protocols with known vulnerabilities must be disabled.
E2 The firmware and any changes thereafter have been inspected and reviewed using a documented and auditable process, and certified as being free from hidden and unauthorized or undocumented functions.
E10 The device vendor has internal policies and …
Added
p. 38
In addition to other applicable requirements, devices implementing open protocols, for example Bluetooth, Wi-Fi and TLS, must be validated against the requirements noted in Implements Open Protocols. Devices implementing SRED must be validated against the requirements in Protects Account Data.
Non-Invasive Attacks − Determining Keys Analysis
• For SCRP applicable whenever reader handles PINs, either offline or online, and has plaintext secret or private PIN-security-related cryptographic keys resident in the device.
Added
p. 55
• ticketing/vending or car parking terminals
Unprotected Memory: Data retained within components, devices, and recording media that reside outside the cryptographic boundary of a secure cryptographic device.
Variant of a Key: See Key Variant.
Modified
p. 2
Note to Assessors: When protecting this document for use as a form, leave Section 5 (Device Photos) unprotected to allow for insertion of device or component photos. Under “Tools / Protect Document,” select “Forms” then “Sections,” and un-check Section 5 as illustrated below.
June 2020 6.0 Public Release Note to Assessors: When protecting this document for use as a form, leave Section 7 (Device Photos) unprotected to allow for insertion of device or component photos. Under “Tools / Protect Document,” select “Forms” then “Sections,” and un-check Section 5 as illustrated below.
Removed
p. 4
• Equipment Classification guidance for the equipment that is required to identify or exploit device vulnerabilities
• Side-Channel Analysis Standards
• Firmware Scoping Guidance
• Greater granularity and robustness of the underlying PCI-recognized laboratory test procedures for compliance validation of a device to these requirements as detailed in the Derived Test Requirements.
• A companion PCI PTS Questionnaire (where technical details of the device are provided)
Modified
p. 4
Note: Requirements for unattended PIN-acceptance devices currently apply only to POS devices and not to ATMs.
Modified
p. 4
• Secure components for POS terminals: These products also require integration into a final solution to provide PIN transactions. Examples are OEM PIN entry devices and secure (encrypting) card readers.
• Secure components for POS terminals: These products also require integration into a final solution to provide PIN transactions. Examples are OEM PIN entry devices and secure (encrypting) card readers (SCRs) and secure card readers
Modified
p. 4
This version 5 additionally provides for:
This version 6 additionally provides for:
Removed
p. 5
• Enhancements to the information required to be presented in the user-available security policy addressing the proper use of the POI in a secure fashion.
• The Physical Attack Costing Potential Formulas have been updated to reflect a more granular approach for attack times and expertise that more appropriately recognizes security enhancements.
• Firmware scoping guidance has been added to deal with the increasing complexity of device designs to ensure the PTS evaluation scope includes any code that can be construed to be firmware.
• Additional guidance has been added for ensuring that devices are resistant to side-channel-based attacks. Side-channel attacks are those based on analyzing emanations from a device, such as power consumption, for the determination of sensitive information.
• Added criteria for the new Secure Card Reader PIN (SCRP) approval class.
Removed
p. 7
The evaluation of physical security characteristics is very much a value judgment. Virtually any physical barrier can be defeated with sufficient time and effort. Therefore, many of the requirements have minimum attack calculation values for the identification and initial exploitation of the device based upon factors such as attack time, and expertise and equipment required. Given the evolution of attack techniques and technology, the Associations will periodically review these amounts for appropriateness.
Device Management: Device management considers how the device is produced, controlled, transported, stored and used throughout its life cycle. If the device is not properly managed, unauthorized modifications might be made to its physical or logical security characteristics.
Modified
p. 7 → 6
Evaluation Domains Device characteristics are those attributes of the device that define its physical and its logical (functional) characteristics. The physical security characteristics of the device are those attributes that deter a physical attack on the device, for example, the penetration of the device to determine its key(s) or to plant a sensitive data-disclosing “bug” within it. Logical security characteristics include those functional capabilities that preclude, for example, allowing the device to output a clear-text PIN-encryption key.
Evaluation Domains Device characteristics are those attributes of the device that define its physical and its logical (functional) characteristics. The physical security characteristics of the device are those attributes that deter a physical attack on the device—for example, the penetration of the device to determine its key(s) or to plant a sensitive data-disclosing “bug” within it. Logical security characteristics include those functional capabilities that preclude, for example, allowing the device to output a clear-text PIN-encryption key.
Modified
p. 7 → 6
This document is only concerned with the device management for POI devices up to the point of initial key loading for payment transaction keys (keys used by the acquiring organization) or at the facility of initial deployment. Subsequent to receipt of the device at the initial key-loading facility or at the facility of initial deployment, the responsibility for the device falls to the acquiring financial institution and its agents (e.g., merchants and processors), and is covered by the operating rules …
This document is only concerned with the life cycle for POI devices up to the point of initial key loading for payment transaction keys (keys used by the acquiring organization) or at the facility of initial deployment. Subsequent to receipt of the device at the initial key-loading facility or at the facility of initial deployment, the responsibility for the device falls to the acquiring financial institution and its agents (e.g., merchants and processors), and is covered by the operating rules …
Removed
p. 10
Yes No N/A Core PIN Entry Security POS Terminal Integration Open Protocols Secure Reading and Exchange of Data Device Management Always Applicable:
Modified
p. 10 → 9
Application Version Number*: (if applicable) Version of PCI PTS POI Security Requirements: V5 FAQ version:
Application Version Number*: (if applicable) Version of PCI PTS POI Security Requirements: v6 FAQ version:
Modified
p. 10 → 9
* Fields marked with an asterisk (*) will be used in the PCI SSC Approved PIN Transaction Security Devices Approval List. A See “Optional Use of Variables in the Identifier,” following page.
* Fields marked with an asterisk (*) will be used in the PCI SSC Approved PIN Transaction Security Devices Approval List.
Modified
p. 11 → 10
PCI SSC Website Other Device Photos Photo(s) of device or component (if applicable) * Photos must show information for a Device Form Factor as noted in the Program Guide Please attach a photo(s) of the terminal under evaluation, 320x320 pixels.
Modified
p. 14
Link Layer Protocols Yes IP Protocols Yes Security Protocols Yes IP Services Yes Port Number Secure Reading and Exchange of Data Module Fields marked with an asterisk (*) will be used in the PCI SSC Approved PIN Transaction Security Devices List.
Link Layer Protocols Yes IP Protocols Yes Security Protocols Yes IP Services Yes Port Number Secure Reading and Exchange of Data Requirements Fields marked with an asterisk (*) will be used in the PCI SSC Approved PIN Transaction Security Devices List.
Removed
p. 15
3: Open Protocols Open Protocols A set of requirements that ensures PIN entry devices using open security protocols and open communication protocols to access public networks and services do not have public domain vulnerabilities.
4: Secure Reading and Exchange of Data Requirements in support of cardholder account data encryption A set of requirements that ensures cardholder data is protected.
Modified
p. 15
Evaluation Module Requirements Set Remarks Requirements Physical and logical Security The core logical and physical requirements of PIN-acceptance POI devices 2: POS Terminal Integration POS Terminal Integration The PCI PTS POI approval framework is oriented to the evaluation of integrated PIN entry devices (i.e., device where PIN entry functionality is in a secure logical and physical perimeter).
Evaluation Module Requirements Set Remarks 1: Physical and Logical Requirements Physical and Logical Security The logical and physical requirements of POI devices 2: POS Terminal Integration POS Terminal Integration The PCI PTS POI approval framework is oriented to the evaluation of integrated PIN entry devices (i.e., device where PIN entry functionality is in a secure logical and physical perimeter).
Modified
p. 15
4: Life Cycle Device Management (Manufacturing and initial key loading) Life cycle requirements for POIs and their components up until the point of initial key loading. The information is not currently validated but is still required for vendors to complete.
Removed
p. 16
Note: The replacement of both the front and rear casings shall be considered as part of any attack scenario.
A2 The security of the device is not compromised by altering:
A4 There is no feasible way to determine any entered and internally transmitted PIN digit by monitoring sound, electro-magnetic emissions, power consumption or any other external characteristic available for monitoring
• even with the cooperation of the device operator or sales clerk
• without requiring an attack potential of at least 26 for identification and initial exploitation with a minimum of 13 for exploitation (C).
B: As defined in Appendix B of the PCI PTS POI DTRs.
C: As defined in Appendix B of the PCI PTS POI DTRs.
Modified
p. 16
Note: In the following requirements, the device under evaluation is referred to as the “device.” Number Description of Requirement Yes No N/A A1 The device uses tamper-detection and response mechanisms that cause it to become immediately inoperable and result in the automatic and immediate erasure of any sensitive data that may be stored in the device, such that it becomes infeasible to recover the sensitive data. These mechanisms protect against physical penetration of the device by means of (but not …
Note: In the following requirements, the device under evaluation is referred to as the “device.” Number Description of Requirement Yes No N/A A1 The device uses tamper-detection and response mechanisms that cause it to become immediately inoperable and result in the automatic and immediate erasure of any sensitive data that may be stored in the device, such that it becomes infeasible to recover the sensitive data. These mechanisms protect against physical penetration of the device by means of (but not …
Modified
p. 16
• Operational conditions (An example includes subjecting the device to temperatures or operating voltages outside the stated operating ranges.) A3 Sensitive functions or data are only used in the protected area(s) of the device. Sensitive data and functions dealing with sensitive data are protected from unauthorized modification without requiring an attack potential of at least 26 for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader, for identification and initial exploitation (B).
• Operational conditions (An example includes subjecting the device to temperatures or operating voltages outside the stated operating ranges.) A4 Sensitive functions or data are only used in the protected area(s) of the device. Sensitive data and functions dealing with sensitive data are protected from unauthorized modification without requiring an attack potential of at least 26 for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader, for identification and initial exploitation (B). B …
Removed
p. 17
A7 The device provides a means to deter the visual observation of PIN values as they are being entered by the cardholder.
A9 Secure components intended for unattended devices contain an anti-removal mechanism to protect against unauthorized removal and/or unauthorized re-installation. Defeating or circumventing this mechanism must require an attack potential of at least 18 per device for identification and initial exploitation, with a minimum of 9 for exploitation (D).
A10 If PIN entry is accompanied by audible tones, the tone for each entered PIN digit is indistinguishable from the tone for any other entered PIN digit.
Modified
p. 17
Note: If the POI device has a keypad that can be used to enter non-PIN data, the device must meet at least one of the following: A6, B16, or E3.4.
Note: If the POI device has a keypad that can be used to enter non-PIN data, the device must meet at least one of the following: A8, B15, or C2.4.
Modified
p. 17
• A6 applies to any components or paths containing plaintext display signals between the cryptographic processor and display unit.
• A8 applies to any components or paths containing plaintext display signals between the cryptographic processor and display unit.
Modified
p. 17
• B16 applies to devices that allow for updates of prompts or use cryptography to communicate with a display, whether performed by the vendor or the acquirer.
• B15 applies to devices that allow for updates of prompts or use cryptography to communicate with a display, whether performed by the vendor or the acquirer.
Modified
p. 17
• E3.4 is appropriate for unattended devices that do not meet any of the aforementioned.
• C2.4 is appropriate for unattended devices that do not meet any of the aforementioned.
Modified
p. 17
A8 The unauthorized alteration of prompts for non-PIN data entry into the PIN entry key pad such that PINs are compromised, i.e., by prompting for the PIN entry when the output is not encrypted, cannot occur without requiring an attack potential of at least 18 per device for identification and initial exploitation with a minimum of 9 for exploitation (C).
A9 The device provides a means to deter the visual observation of PIN values as they are being entered by the …
Modified
p. 17 → 18
A13 It is neither feasible to penetrate the ICC reader to make any additions, substitutions, or modifications to either the ICC reader’s hardware or software, in order to determine or modify any sensitive data, without requiring an attack potential of at least 20 for identification and initial exploitation, with a minimum of 10 for exploitation (D), nor is it possible for both an IC card and any other foreign object to reside within the card-insertion slot.
Removed
p. 18
B2 The device’s functionality shall not be influenced by logical anomalies such as (but not limited to) unexpected command sequences, unknown commands, commands in a wrong device mode and supplying wrong parameters or data which could result in the device outputting the clear-text PIN or other sensitive data.
B3 The firmware and any changes thereafter have been inspected and reviewed using a documented and auditable process, and certified as being free from hidden and unauthorized or undocumented functions.
Modified
p. 18 → 19
B2 The device must support firmware updates. The device must cryptographically authenticate the firmware and if the authenticity is not confirmed, the firmware update is rejected and deleted.
Modified
p. 18 → 19
B2.1 The firmware must support the authentication of applications loaded onto the terminal consistent with B2.
Modified
p. 18 → 19
B2.2 The vendor must provide a defined and documented process containing specific details on how any signing mechanisms must be implemented. This must include any “turnkey” systems required for compliance with the management of display prompts, or any mechanisms used for authenticating any application code. This must ensure:
Modified
p. 18 → 19
• Software is only signed using a secure cryptographic device provided by the terminal vendor.
• Software is only signed using a secure cryptographic device (e.g., smartcard) provided by the terminal vendor.
Modified
p. 18 → 19
B3 The device never displays the entered PIN digits. Any array related to PIN entry displays only non-significant symbols, e.g., asterisks. If PIN entry is accompanied by audible tones, the tone for each entered PIN digit is indistinguishable from the tone for any other entered PIN digit.
Modified
p. 19
The device must automatically clear its internal buffers when either:
The device must automatically clear its internal buffers of full track data (or chip equivalent) and sensitive authentication data is cleared when either:
Modified
p. 19 → 20
B6 To minimize the risks from unauthorized use of sensitive services, limits on the number of actions that can be performed, and a time limit imposed, after which the device is forced to return to its normal mode.
Modified
p. 19 → 20
B7 If random numbers are generated by the device in connection with security over sensitive data, the random number generator has been assessed to ensure it is generating numbers sufficiently unpredictable.
Modified
p. 19 → 20
B8 The device has characteristics that prevent or significantly deter the use of the device for exhaustive PIN determination.
Modified
p. 19 → 20
B9 The key-management techniques implemented in the device conform to ISO 11568 and/or ANSI X9.24. Key-management techniques must support key blocks as defined in DTR B9.
Modified
p. 19 → 20
B11 The PIN-encryption technique implemented in the device is a technique included in ISO 9564.
Modified
p. 19 → 20
B12 It is not possible to encrypt or decrypt any arbitrary data using any PIN-encrypting key, account data encryption, data-encrypting key, or key-encrypting key contained in the device.
Modified
p. 19 → 20
The device must enforce that data keys, key-encipherment keys, and PIN-encryption keys have different values.
The device must enforce that PIN encryption, account data encryption, data-encryption keys and key-encipherment keys have different values.
Modified
p. 19 → 20
B13 There is no mechanism in the device that would allow the outputting of a private or secret clear-text key or clear-text PIN, the encryption of a key or PIN under a key that might itself be disclosed, or the transfer of a clear-text key from a component of high security into a component of lesser security.
Modified
p. 20 → 21
Note: If the POI device has a keypad that can be used to enter non-PIN data, the device must meet at least one of the following: A6, B16, or E3.4.
Note: If the POI device has a keypad that can be used to enter non-PIN data, the device must meet at least one of the following: A8, B15, or C2.4.
Modified
p. 20 → 21
• A6 applies to any components or paths containing plaintext display signals between the cryptographic processor and display unit.
• A8 applies to any components or paths containing plaintext display signals between the cryptographic processor and display unit.
Modified
p. 20 → 21
• B16 applies to devices that allow for updates of prompts or use cryptography to communicate with a display, whether performed by the vendor or the acquirer.
• B15 applies to devices that allow for updates of prompts or use cryptography to communicate with a display, whether performed by the vendor or the acquirer.
Modified
p. 20 → 21
• E3.4 is appropriate for unattended devices that do not meet any of the aforementioned.
• C2.4 is appropriate for unattended devices that do not meet any of the aforementioned.
Modified
p. 20 → 21
B15 All prompts for non-PIN data entry are under the control of the cryptographic unit of the device. If the prompts are stored inside the cryptographic unit, they cannot feasibly be altered without causing the erasure of the unit’s cryptographic keys. If the prompts are stored outside the cryptographic unit, cryptographic mechanisms must exist to ensure the authenticity and the proper use of the prompts and that modification of the prompts or improper use of the prompts is prevented.
Modified
p. 20 → 21
B16 If the device supports multiple applications, it must enforce the separation between applications. It must not be possible that one application interferes with or tampers with another application or the OS of the device including, but not limited to, modifying data objects belonging to another application or the OS.
Modified
p. 20 → 21
B17 The operating system of the device must contain only the software (components and services) necessary for the intended operation. The operating system must be configured securely and run with least privilege.
Removed
p. 21
D – Offline PIN Security Requirements
Number Description of Requirement Yes No N/A
D1 It is neither feasible to penetrate the ICC reader to make any additions, substitutions, or modifications to either the ICC reader’s hardware or software, in order to determine or modify any sensitive data, without requiring an attack potential of at least 20 for identification and initial exploitation, with a minimum of 10 for exploitationE, nor is it possible for both an IC card and any other foreign object to reside within the card insertion slot.
D2 The opening for the insertion of the IC card is in full view of the cardholder during card insertion so that any untoward obstructions or suspicious objects at the opening are detectable.
D3 The ICC reader is constructed so that wires running out of the slot of the IC reader to a recorder or a transmitter (an external bug) can be observed by …
Modified
p. 21
Online PIN Security Requirement
Number Description of Requirement Yes No N/A
C1
B18 If the device can hold multiple PIN-encryption keys and if the key to be used to encrypt the PIN can be externally selected, the device prohibits unauthorized key replacement and key misuse.
Modified
p. 23 → 24
Note: In the following requirements, the device under evaluation is referred to as the “device.”
Number Description of Requirement Yes No N/A
Configuration Management
E1 Any secure component integrated into a PIN entry POI terminal submitted for evaluation has a clearly identified physical and logical security perimeter (related to PIN entry and card-reading functions).
Note: In the following requirements, the device under evaluation is referred to as the “device.”
Number Description of Requirement Yes No N/A
Integration of PIN Entry Functions
C1.1 The logical and physical integration of a PCI-approved secure component (or components) into a PIN entry POI terminal must not impact the overall PIN protection level.
Modified
p. 23 → 24
Integration of PIN Entry Functions
E2.1 The logical and physical integration of a PCI-approved secure component (or components) into a PIN entry POI terminal must not impact the overall PIN protection level.
Integration into a POS Terminal
C2.1 The logical and physical integration of an approved secure component into a PIN entry POI terminal does not create new attack paths to the PIN.
Modified
p. 23 → 24
C1.2 The PIN pad (PIN entry area) and the surrounding area must be designed and engineered in such a way that the complete device does not facilitate the fraudulent placement of an overlay over the PIN pad.
Modified
p. 23 → 24
An overlay attack must require an attack potential of at least 18 for identification and initial exploitation, with a minimum of 9 for exploitationF.
An overlay attack must require an attack potential of at least 18 for identification and initial exploitation, with a minimum of 9 for exploitationE.
Removed
p. 24
E3.2 The PIN entry POI terminal is equipped with mechanisms to prevent attacks aiming at retaining and stealing the payment card (e.g., Lebanese Loop attack).
E3.3 There is a clear logical and/or physical segregation between secure components and non-secure components integrated into the same device.
Note: If the POI device has a keypad that can be used to enter non-PIN data, the device must meet at least one of the following: A6, B16, or E3.4.
• A6 applies to any components or paths containing plaintext display signals between the cryptographic processor and display unit.
• B16 applies to devices that allow for updates of prompts or use cryptography to communicate with a display, whether performed by the vendor or the acquirer.
• E3.4 is appropriate for unattended devices that do not meet any of the aforementioned.
E3.4 The POI (application) must enforce the correspondence between the display messages visible to the cardholder and the operating state …
Removed
p. 25
Removal Requirements E4.1 The device is protected against unauthorized removal. Defeating or circumventing this mechanism must require an attack potential of at least 18 per device for identification and initial exploitation, with a minimum of 9 for exploitationH.
E4.2 The vendor documents, maintains and makes available to integrators details on how to implement the protection system against unauthorized removal.
E4.3 For each embedded device, the protection system against unauthorized removal is properly implemented as documented by the embedded device manufacturer.
H As defined in Appendix B of the PCI PTS POI DTRs.
Removed
p. 26
This table must be completed considering all open protocol interfaces in its entirety. Answer “Yes” if all the options declared in the Open Protocols Module – Protocol Declaration Form meet these security requirements.
Number Description of Requirement Yes No N/A
F1 All public domain protocols and interfaces available on the device are clearly identified in the Open Protocols Module – Protocol Declaration Form. All protocols and interfaces available on the device are accurately identified by the device vendor. The vendor has a complete and comprehensive understanding of how all protocols and interfaces present on the device interact.
Removed
p. 27
This table must be completed considering the vulnerability assessment in its entirety. Answer “Yes” if all the options declared in the Open Protocols Module – Protocol Declaration Form meet these security requirements.
Number Description of Requirement Yes No N/A
G1 The device vendor has internal policies and procedures that ensure that the vendor maintains an effective process for detecting vulnerabilities that may exist within their device. This process is expected to be robust enough to include all interfaces defined in requirement F1. This process must be effective enough to detect vulnerabilities which may have not been publicly known during the last vulnerability assessment.
G2 The device has undergone a vulnerability assessment to ensure that the protocols and interfaces listed in F1 do not contain exploitable vulnerabilities.
G3 The device vendor has vulnerability disclosure measures in place for the device.
Removed
p. 28
This table must be completed considering the vendor guidance in its entirety. Answer “Yes” if all the open protocols and interfaces declared in the Open Protocols Module – Protocol Declaration Form meet these security requirements.
Modified
p. 28 → 26
D3 The device has security guidance that describes how protocols and services must be used for each interface that is accessible by the device applications.
Modified
p. 28 → 26
D4 The device has guidance that describes the default configuration for each protocol and services for each interface that is available on the device. Each interface and protocol on the device should be configured with secure default settings.
Modified
p. 28 → 26
D5 The device has guidance for key management describing how keys and certificates must be used.
Modified
p. 28 → 26
a) The key-management guidance is at the disposal of internal users and/or of application developers, system integrators, and end- users of the device.
a) The key-management guidance is at the disposal of internal users and/or of application developers, system integrators, and end-users of the device.
Removed
p. 29
This table must be completed considering the operational testing in its entirety. Answer “Yes” if all the open protocols and interfaces declared in the Open Protocols Module – Protocol Declaration Form meet the security requirement.
Table I: Operational Testing in their Entirety
Number Description of Requirement Yes No N/A
I1 The device has all the security protocols that are available on the device clearly identified in the Open Protocols Module – Protocol Declaration Form. The device vendor provides documentation that describes the implementation and use of the security protocols that are available on the device.
I2 The device is able to provide confidentiality of data sent over a network connection.
Modified
p. 29 → 27
D8 As defined in the asset flow diagrams, the device is able to provide the integrity of data that is sent over a network connection.
Modified
p. 29 → 27
D9 As defined in the asset flow diagrams, the device uses a declared security protocol to authenticate the server.
Removed
p. 30
I6 The device implements session management.
Modified
p. 30 → 27
e) The device’s trusted root certificate store shall contain only public key certificates from trusted CA's or else self-signed certificates verified by the acquirer.
e) The device’s trusted root certificate store shall contain only public key certificates from trusted CAs or else self-signed certificates verified by the acquirer.
Modified
p. 30 → 27
D10 As defined in the asset flow diagrams, the device is able to detect replay of messages and enables the secure handling of the exceptions.
Removed
p. 31
This table must be completed considering the operational testing in its entirety.
Number Description of Requirement Yes No N/A
J1 The device vendor maintains guidance describing configuration management for the device.
a) The guidance is at the disposal of internal users, and/or of application developers, system integrators and end-users of the device.
b) The guidance covers the complete device, including firmware, payment and non-payment applications, forms, multimedia files, certificates, configuration files, configuration setting, and keys.
c) The guidance covers the complete life cycle of the device from development, over manufacturing, up to delivery and operation.
d) The security guidance ensures that unauthorized modification is not possible.
e) The security guidance ensures that any modification of a PTS-approved device that impacts device security, results in a change of the device identifier.
J2 The device vendor has maintenance measures in place.
b) The maintenance measures ensure timely detection of vulnerabilities that apply to the device by periodic execution of a …
Modified
p. 31
a) The maintenance measures are documented.
a) The vulnerability-disclosure measures are documented.
Modified
p. 31
c) The vulnerability-disclosure measures ensure a timely distribution of mitigation measures.
Removed
p. 33
K – Account Data Protection
Number Description of Requirement Yes No N/A
Generic Security Requirements
K1 All account data is either encrypted immediately upon entry or entered in clear-text into a secure device and processed within the secure controller of the device.
K1.1 The device protects all account data upon entry (consistent with A8 for magnetic stripe data and D1 for Chip data), and there is no method of accessing the clear-text account data (using methods described in A1) without defeating the security of the device. Defeating or circumventing the security mechanism requires an attack potential of at least 16 for identification and initial exploitation, with a minimum of 8 for exploitationI.
Note: MSRs and ICCRs must meet the attack potentials stipulated in DTRs A8 and D1 respectively.
K2 The logical and physical integration of an approved secure card reader into a PIN entry POI terminal does not create new attack paths to the …
Removed
p. 34
K6 The device supports data origin authentication of encrypted messages.
K7 Secret and private keys that reside within the device to support account data encryption are unique per device.
K8 Encryption or decryption of any arbitrary data using any account data-encrypting key or key-encrypting key contained in the device is not permitted.
The device must enforce that account data keys, key-encipherment keys, and PIN-encryption keys have different values.
K9 If the device may be accessed remotely for the purposes of administration, all access attempts must be cryptographically authenticated. If the authenticity of the access request cannot be confirmed, the access request is denied.
K10 The firmware, and any changes thereafter, have been inspected and reviewed consistent with B3.
K11.1 The firmware must confirm the authenticity of all applications loaded onto the terminal consistent with B4. If the device allows software application and/or configuration updates, the device cryptographically authenticates all updates consistent with B4.
K11.2 The vendor …
Removed
p. 35
K15.1 When operating in encrypting mode, the secure controller can only release clear-text account data to authenticated applications executing within the device.
K15.2 Account data (in either clear-text or encrypted form) shall not be retained any longer, or used more often, than strictly necessary.
K16 If the device is capable of generating surrogate PAN values to be outputted outside of the device, it is not possible to determine the original PAN knowing only the surrogate value.
K16.1 If using a hash function to generate surrogate PAN values, input to the hash function must use a salt with minimum length of 64 bits.
K16.2 If using a hash function to generate surrogate PAN values, the salt is kept secret and appropriately protected. Disclosure of the salt cannot occur without requiring an attack potential of at least 16 per device for identification and initial exploitation with a minimum of 8 for exploitationJ.
K17 The key-management techniques implemented …
Removed
p. 36
• The operating system of the device must contain only the software (components and services) necessary for the intended operation.
• The operating system must be configured securely and run with least privilege.
• The security policy enforced by the device must not allow unauthorized or unnecessary functions.
• API functionality and commands that are not required to support specific functionality must be disabled (and where possible, removed).
K22 Access to sensitive services requires authentication. Sensitive services provide access to the underlying sensitive functions. Sensitive functions are those functions that process sensitive data such as cryptographic keys, account data, and passwords/authentication codes. Entering or exiting sensitive services shall not reveal or otherwise affect sensitive data.
K23 Sensitive services are protected from unauthorized use consistent with B8.
K24 Secure enablement tokens are required from the SPoC monitor system for operation of the SCRP.
Modified
p. 37 → 29
Note: In the following requirements, the device under evaluation is referred to as the “device.” The device manufacturer, subject to PCI payment brand site inspections, confirms the following. The PCI test laboratories will validate this information via documentation reviews, and by means of evidence that procedures are properly implemented and used. Any variances to these requirements will be reported to PCI for review.
Note: In the following requirements, the device under evaluation is referred to as the “device.” The device manufacturer, subject to PCI payment brand site inspections, confirms the following. The PCI test laboratories will validate this information via documentation reviews, and by means of evidence that procedures are properly implemented and used. This information shall be included in the evaluation report to PCI.
Modified
p. 37 → 29
Number Description of Requirement Yes No N/A
L1 Change-control procedures are in place so that any intended change to the physical or functional capabilities of the POI causes a re-certification of the device under the impacted security requirements of this document. Immediate re-certification is not required for changes that purely rectify errors and faults in software in order to make it function as intended and do not otherwise remove, modify, or add functionality that impacts security. Approval of delta …
Number Description of Requirement Yes No N/A
E1 Change-control procedures are in place so that any intended change to the physical or functional capabilities of the POI causes a re-certification of the device under the impacted security requirements of this document. Re-certification is not required for changes that purely rectify errors and faults in software in order to make it function as intended and do not otherwise remove, modify, or add functionality that impacts security. Approval of delta submissions …
Modified
p. 37 → 29
E3 The certified firmware is protected and stored in such a manner as to preclude unauthorized modification during its entire manufacturing life cycle, e.g., by using dual control or standardized cryptographic authentication procedures.
Modified
p. 37 → 29
E4 The device is assembled in a manner that the hardware components used in the manufacturing process are those hardware components that were certified by the PIN Entry and/or POS Terminal Integration Security Requirements evaluation, and that unauthorized substitutions have not been made.
Modified
p. 37 → 29
E5 Production software (e.g., firmware) that is loaded to devices at the time of manufacture is transported, stored, and used under the principle of dual control, preventing unauthorized modifications and/or substitutions.
Modified
p. 37 → 29
E6 Subsequent to production but prior to shipment from the manufacturer’s or reseller’s facility, the device and any of its components are stored in a protected, access-controlled area or sealed within tamper-evident packaging to prevent undetected unauthorized access to the device or its components.
Modified
p. 38 → 30
Authentication by secret information will become mandatory in POI v6.
Authentication by secret information is mandatory in POI v6.
Modified
p. 38 → 30
E8 Security measures are taken during the development and maintenance of POI security-related components. The manufacturer must maintain development-security documentation describing all the physical, procedural, personnel, and other security measures that are necessary to protect the integrity of the design and implementation of the POI security-related components in their development environment. The development-security documentation shall provide evidence that these security measures are followed during the development and maintenance of the POI security-related components. The evidence shall justify that the security …
Modified
p. 38 → 30
E9 Controls exist over the repair process at all POI vendor-authorized repair facilities, including the resetting of tamper mechanisms and the inspection/testing process subsequent to repair, to ensure that the device has not been subject to unauthorized modification.
Modified
p. 39 → 32
Note: In the following requirements, the device under evaluation is referred to as the “device.” The device manufacturer, subject to PCI payment brand site inspections, confirms the following. The PCI test laboratories will validate this information via documentation reviews and by means of evidence that procedures are properly implemented and used. Any variances to these requirements will be reported to PCI for review.
Note: In the following requirements, the device under evaluation is referred to as the “device.” The device manufacturer, subject to PCI payment brand site inspections, confirms the following. The PCI test laboratories will validate this information via documentation reviews and by means of evidence that procedures are properly implemented and used and this information shall be included in the evaluation report to PCI.
Modified
p. 39 → 32
M1 The POI should be protected from unauthorized modification with tamper-detection security features, and customers shall be provided with documentation (both shipped with the product and available securely online) that provides instruction on validating the authenticity and integrity of the POI.
F1 The POI should be protected from unauthorized modification with tamper-detection security features, and customers shall be provided with documentation (both shipped with the product and available securely online) that provides instruction on validating the authenticity and integrity of the POI.
Modified
p. 39 → 32
Where this is not possible, the POI is shipped from the manufacturer’s facility to the initial key-loading facility or to the facility of initial deployment and stored en route under auditable controls that can account for the location of every POI at every point in time, such as the use of serialized tamper-evident packing for all devices with no tamper detection, in conjunction with thorough physical inspection (possibly including sampling of HW internals) upon reception.
Where this is not possible, the POI is shipped from the manufacturer’s facility to the initial key-loading facility or to the facility of initial deployment and stored enroute under auditable controls that can account for the location of every POI at every point in time, such as the use of serialized tamper-evident packing for all devices with no tamper detection, in conjunction with thorough physical inspection (possibly including sampling of HW internals) upon reception.
Modified
p. 39 → 32
F2 Procedures are in place to transfer accountability for the device from the manufacturer to the facility of initial deployment. Where the device is shipped via intermediaries such as resellers, accountability will be with the intermediary from the time at which they receive the device until the time it is received by the next intermediary or the point of initial deployment. In the absence of defined agreements stipulating otherwise, the POI vendor remains responsible.
Modified
p. 40 → 33
F5 If the manufacturer is in charge of initial key loading, the manufacturer must verify the authenticity of the POI security-related components.
Modified
p. 40 → 33
F6 If the manufacturer is not in charge of initial key loading, the manufacturer must provide the means to the initial key-loading facility to assure the verification of the authenticity of the POI security-related components.
Modified
p. 40 → 33
F7 Each device shall have a unique visible identifier (i.e., model name and hardware version) affixed to it. This information shall also be retrievable by a query.
Modified
p. 40 → 33
F8 The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:
Modified
p. 44 → 37
Keys This functionality is considered whenever the device under evaluation contains, even temporarily, keys involved in PIN security. Under the scope of this functionality are the secret keys of symmetric algorithms, the private keys of asymmetric algorithms, and the public keys of asymmetric algorithms (with the limitation of scope to their integrity and authenticity).
Keys This functionality is considered whenever the device under evaluation contains, even temporarily, keys involved in PIN security. Under the scope of this functionality are the secret keys of symmetric algorithms, the private keys of asymmetric algorithms, and the public keys of asymmetric algorithms (with the limitation of scope to their integrity and authenticity). The tamper-detection mechanisms must protect all PIN digits.
Modified
p. 44 → 37
Card Reader This functionality applies whenever a device under evaluation has the capability to capture card data, irrespective of the technology being used, i.e., it encompasses contactless, magnetic-stripe, and smart card readers. This is further broken down into CTLS, ICCR, and MSR functionality.
Modified
p. 44 → 37
Protects Account Data Secures account data in accordance with the Secure Reading and Exchange of Data (SRED) module.
Protects Account Data Secures account data in accordance with the Secure Reading and Exchange of Data (SRED).
Modified
p. 45 → 38
SCRP includes all Core requirements except those specific to PIN entry, display prompt control, unattended usage, and use of magnetic-stripe readers. Note that unattended usage and magnetic-stripe reader requirements may still be applicable to SCRs, but SCRPs are not intended for those use cases.
SCRP includes all Physical and Logical requirements except those specific to PIN entry, display prompt control, unattended usage, and use of magnetic-stripe readers. Note that unattended usage and magnetic-stripe reader requirements may still be applicable to SCRs, but SCRPs are not intended for those use cases.
Modified
p. 46 → 39
Physical Security of Display Prompts − If keypad can be used to enter non-PIN data.
Removed
p. 47
B19 X X X Component Integration Documentation B20 X X X X X X X X X X Additional Online Requirement C1 X Key Substitution Additional Offline Requirements POS Terminal Integration Requirements E1 X X X X X X X X Always applicable.
E3.2 X X X E3.4 X X X If keypad can be used to enter non-PIN data.
Removed
p. 48
Configuration and Maintenance Security Module All X X X X X X X X X X All requirements applicable.
Secure Reading and Exchange of Data Module All requirements applicable except requirement K24, which is only applicable to SCRPs.
Modified
p. 50 → 43
Application Application is considered to be any code in the device that does not impact compliance to these security requirements.
Application Application is considered to be any code in the device that does not impact compliance to these security requirements (with the exception of prompt control and SRED applications).
Modified
p. 51 → 44
Clear text See Plaintext.
Modified
p. 52 → 46
Firmware For purposes of these requirements, firmware is considered to be any code within the device that provides security protections needed to comply with device security requirements or can impact compliance to these security requirements. Firmware may be further segmented by code necessary to meet Core, OP or SRED.
Firmware For purposes of these requirements, firmware is considered to be any code within the device that provides security protections needed to comply with device security requirements or can impact compliance to these security requirements. Firmware may be further segmented by code necessary to meet subsets of requirements.
Modified
p. 52 → 46
Other code that exists within the device that does not provide security, and cannot impact security, is not considered firmware.
Other code that exists within the device that does not provide security and cannot impact security (with the exception of prompt control and SRED applications) is not considered firmware.
Modified
p. 55 → 49
Key Usage Employment of a key for the cryptographic purpose for which it was intended.
Key Variant A new key formed by a process (which need not be secret) with the original key, such that one or more of the non-parity bits of the new key differ from the corresponding bits of the original key.
Key Variant A new TDEA key formed by a reversible process (which need not be secret) with the original TDEA key, such that one or more of the non-parity bits of the new key differ from the corresponding bits of the original key.
Modified
p. 56 → 50
Overlay Any additional covering including a fake keypad, placed by fraudsters on top of a genuine PIN entry keypad and generally similar in shape and color, The placement of an overlay may also serve the purpose of concealing other attacks.
Overlay Any additional covering including a fake keypad, placed by fraudsters on top of a genuine PIN entry keypad and generally similar in shape and color. The placement of an overlay may also serve the purpose of concealing other attacks.
Modified
p. 57 → 50
Plaintext Key An unencrypted cryptographic key, used in its current form.
Plaintext Key An unencrypted cryptographic key used in its current form.
Modified
p. 57 → 51
Public Key A cryptographic key, used with a public-key cryptographic algorithm, uniquely associated with an entity, and that may be made public.
Public Key A cryptographic key, used with a public-key cryptographic algorithm uniquely associated with an entity, and that may be made public.
Removed
p. 62
Variant of a Key A new key formed by a process (which need not be secret) with the original key, such that one or more of the non-parity bits of the new key differ from the corresponding bits of the original key.