Document Comparison

HSM_Security_Rqrmts_Modifications-Summary_of_Changes.pdf HSM_Security_Requirements_v3_Summary_of_Changes.pdf
6% similar
7 → 5 Pages
1315 → 1067 Words
9 Content Changes

Content Changes

9 content changes. 8 administrative changes (dates, page numbers) hidden.

Added p. 1
Payment Card Industry (PCI) PIN Transaction Security (PTS) Hardware Security Module (HSM) Summary of Requirements Changes from Version 2.0 to 3.0
Added p. 2
Document Abbreviations Used
Abbreviation | Document Referenced
SR / SRs | PCI PTS HSM Modular Security Requirements
DTR / DTRs | PCI PTS HSM Modular Derived Test Requirements
VQ | PCI PTS HSM Modular Vendor Questionnaire

Table 1: Change Types
Change Type | Definition
Additional Guidance | Explanation, definition, and/or instruction to increase understanding or provide further information or guidance on a particular topic.
Added p. 3
Table 2: Summary of Changes
Document and Requirements | Change | Type
SR General, DTRs, and VQ | Added approval classes for key-loading devices and HSM remote administration platforms, together with supporting requirements, test scripts, and vendor questions. | Requirement
SR General | Added references to ISO 9797-1, ISO 18033-1, ISO 18033-5, NIST SP 800-38B, NIST SP 800-90A Revision 1, and NIST SP 800-131A Revision 1. | Additional Guidance
SR A2 | Eliminated requirement for Independent Security Mechanisms and added guidance to SR A-1 | Requirement
SR A3 | Eliminated requirement for Response to Internal Access and added guidance to SR A-1 | Requirement
SR B1 | Added allowance for continuous error checking as an option to running self-tests at least once per day | Requirement
SR B4 | Added requirement that devices must support firmware updates | Requirement
SR B4.1 | Added new requirement for the firmware to authenticate applications loaded into the device consistent with B4, including updates and configuration changes. | Requirement
SR B8 | Clarified …
Added p. 4
• I8 and J1 | The PCI test laboratories will now validate device management information via documentation reviews. Any variances to these requirements will be reported to PCI for review. However, this information will only be used for analysis at this time and will not impact whether a device receives an approval. | Requirement
SR J1 | Clarified the device must be protected from unauthorized modification with tamper detection characteristics and is not restricted to just tamper evidence | Requirement
Appendices A and B | Added appendices to define applicability of requirements to approval classes for HSMs, key-loading devices, and remote administration platforms. | Additional Guidance
DTRs Introduction | Provided additional guidance for lab reporting criteria, including minimal contents of reports and minimal test activities. | Additional Guidance
DTRs Module 1: Core Requirements • Sections A, B, and C | Significantly enhanced test scripts based on leveraging applicable information from POI V4 and to support new approval classes. | Requirement
DTR A1 | Eliminated ten hours …
Added p. 5
Requirement
DTR Sections D • H | Added to support new requirements for key-loading devices and remote administration platforms. | Requirement
DTR Module 4: Device Management Security Requirements | Added to support new requirement for the lab to validate this information via documentation reviews. | Requirement
DTR I1 | Added stipulation that approval of delta submissions is contingent on evidence of an ongoing change control and vulnerability management process. | Requirement
DTR Appendix A | Updated Attack Costing Potential Formulas to reflect more granular approach for attack times and expertise | Additional Guidance
DTR Appendix B | Added new appendix detailing equipment classification for physical attack costing purposes for use with Appendix A | Additional Guidance
DTR Appendix C | Updated information on the configuration and use of the STS tool. | Additional Guidance
DTR Appendix D | Updated guidance on the use of Diffie-Hellman. | Additional Guidance
DTR Appendix E | Added new guidance for side channel analysis best practices | Additional Guidance
VQ | Modifications and additions to reflect changes …
Removed p. 2
Requirement
(Old) Moved to C1 | Requirement
SR A7 | New requirement based on POI - Determination of any PCI-related cryptographic key resident in the device or used by the device, by penetration of the device and/or by monitoring emanations from the device (including power fluctuations), requires an attack potential of at least 35 for identification and initial exploitation with a minimum of 15 for exploitation | Requirement
(Old) Merged into requirement B7 | Requirement
SR B13 | Modified to address both keys contained in or protected by the HSM and that the HSM does not permit key usage to be changed to allow keys to be used in a way they could not previously be used.
Removed p. 3
Additional Guidance
SR D1 | Clarify that immediate re-certification is not required for changes which purely rectify errors and faults in software in order to make it function as intended and do not otherwise remove, modify, or add functionality.
Removed p. 5
Additional Guidance
DTR B13 | Clarified that it also applies to derived and negotiated keys, and not just calculated (variants) keys | Additional Guidance
DTR B15 | Updated to reflect new language in ISO 9564 | Additional Guidance
DTR B16 | Added additional guidance for protection of audit log data | Additional Guidance
DTR B17 | Added detailed guidance to address third party applications that are added to HSMs via use of vendor supplied software development toolkits | Additional Guidance
DTR B18 | Further guidance that firmware and software running on the device shall be designed to run with minimal privilege. | Additional Guidance
DTR B19 | Added guidance that HSM uniqueness identifiers may include acceptable cryptographic methods | Additional Guidance
DTR C1 | Updated to reflect new language in ISO 9564 | Additional Guidance
DTR C1 | Added additional information to be included in the HSM security policy, including all configurations setting necessary to meet the security requirements and the device decommissioning procedures. | Requirement
DTR Appendix …
Modified p. 7 → 2
Requirement To reflect the addition modification, deletion or restructuring of requirements
Requirement Change To reflect the addition modification, deletion, or restructuring of requirements