Document Comparison
PCI_PTS_POI_SRs_v5.pdf → PCI_PTS_POI_SRs_v5-1.pdf
78% similar
Pages: 61 → 62
Words: 16329 → 17174
Content changes: 69

Content Changes
69 content changes. 76 administrative changes (dates, page numbers) hidden.
Added
p. 2
March 2018 5.1 Modified D1 and Appendix B and added K24 for new SCRP approval class. Errata.
Added
p. 4
• Non-PIN acceptance POI devices evaluated for account data protection
• Equipment Classification guidance for the equipment that is required to identify or exploit device vulnerabilities
• Side-Channel Analysis Standards
• Firmware Scoping Guidance
• A companion PCI PTS Questionnaire (where technical details of the device are provided)
• Added criteria for the new Secure Card Reader PIN (SCRP) approval class.
Added
p. 8
Publication Title Reference Retail Financial Services
• Requirements for Protection of Sensitive Payment Card Data Part 1: Using Encryption Methods Retail Financial Services
• Requirements for Protection of Sensitive Payment Card Data
Added
p. 16
• Environmental conditions
Added
p. 19
• The transaction is completed, or
SCRPs shall require an attack potential of at least 26 for identification and initial exploitation, with a minimum of 13 for exploitation.
Added
p. 36
K24 Secure enablement tokens are required from the SPoC monitor system for operation of the SCRP.
Added
p. 40
• Shipped and stored containing a secret that:
• Can be verified by the initial key-loading facility but cannot feasibly be determined by unauthorized personnel.
• Data on production and personalization
• Physical/chronological whereabouts
• Repair and maintenance
• Removal from operation
Added
p. 45
The SCRP column is used as an example of applicability for a specific POI approval class. In general, requirements applicable to SCRP are the same as SCR. However, by definition SCRPs will always handle the PIN, and those requirements will always be applicable, whereas an SCR will not necessarily handle the PIN.
SCRP includes all Core requirements except those specific to PIN entry, display prompt control, unattended usage, and use of magnetic-stripe readers. Note that unattended usage and magnetic-stripe reader requirements may still be applicable to SCRs, but SCRPs are not intended for those use cases.
This delineation is the expected applicability but should not be regarded as definitive. In all cases, device functionality determines applicability of requirements.
Added
p. 46
A6 X Physical Security of Display Prompts A7 X If keypad that can be used to enter non-PIN data.
Added
p. 47
B19 X X X Component Integration Documentation
B20 X X X X X X X X X X
Additional Online Requirement C1 X Key Substitution
Additional Offline Requirements
POS Terminal Integration Requirements E1 X X X X X X X X Always applicable.
Configuration and Maintenance Security Module All X X X X X X X X X X All requirements applicable.
Secure Reading and Exchange of Data Module All requirements applicable except requirement K24, which is only applicable to SCRPs.
Authentication code See Password.
Check Value A computed value which is the result of passing a data value through a non-reversible algorithm. A value used to identify a key without revealing any bits of the actual key itself. Check values are computed by encrypting an all-zero block using the key or component as the encryption key, using the leftmost n-bits of the result; where n is at most 24 bits (6 …
Added
p. 51
Commercial off-the-shelf (COTS) A mobile device (e.g., smartphone or tablet) that is designed for mass-market distribution and is not designed specifically for payment processing.
Added
p. 54
Key-distribution Host (KDH) A KDH is a processing platform used in conjunction with HSM(s) that generates keys and securely distributes those keys to the EPP or PED and the financial-transaction processing platform communicating with those EPPs/PEDs. A KDH may be an application that operates on the same platform that is used for PIN translation and financial-transaction processing. The KDH may be used in conjunction with other processing activities. A KDH shall not be used for certificate issuance and must not be used for the storage of CA private keys.
Monitoring System Monitors and provisions security controls to detect, alert, and mitigate suspected or actual threats and attacks against the SCRP, PIN CVM Application, and the COTS device.
Monitor Token A cryptographically signed value provided by the monitoring system to the SCRP and cryptographically authenticated by the SCRP to enable its operation for a period not to exceed ten minutes. The value …
Added
p. 60
• A service keyboard (SK),
• A service display (SD), and
SPoC Software-based PIN Entry on Commercial off-the-shelf (COTS) Devices. A payment solution that encompasses the set of components and processes that support the entry of PIN data into a COTS device. At a minimum, this includes a SCRP, PIN CVM Application, and the back-end systems and environments that perform attestation, monitoring, and payment and online PIN processing.
Modified
p. 1
Payment Card Industry (PCI) PIN Transaction Security (PTS) Point of Interaction (POI) Modular Security Requirements Version 5.0
Payment Card Industry (PCI) PIN Transaction Security (PTS) Point of Interaction (POI) Modular Security Requirements Version 5.1
Modified
p. 2
Note to Assessors When protecting this document for use as a form, leave Section 5 (Device Photos) unprotected to allow for insertion of a device-or component photos. Under “Tools / Protect Document,” select “Forms” then “Sections,” and un-check Section 5 as illustrated below.
Modified
p. 5 → 4
• PED or UPT POI devices: Complete terminals that can be provided to a merchant “as-is” to undertake PIN-related transactions. This includes attended and unattended POS PIN-acceptance devices.
Modified
p. 5 → 4
• Encrypting PIN pads that require integration into POS terminals or ATMs. Overall requirements for unattended PIN-acceptance devices currently apply only to POS devices and not to ATMs.
Modified
p. 5 → 4
• Secure components for POS terminals: These products also require integration into a final solution to provide PIN transactions. Examples are OEM PIN entry devices and secure (encrypting) card readers.
Modified
p. 5 → 4
• The addition of new appendices in the Derived Test Requirements for:
Modified
p. 5 → 4
• Greater granularity and robustness of the underlying PCI-recognized laboratory test procedures for compliance validation of a device to these requirements as detailed in the Derived Test Requirements.
Modified
p. 5 → 4
• Technical support documentation Upon successful compliance testing by the laboratory and approval by the PCI SSC, the PCI PTS POI device (or a secure component) will be listed on the PCI SSC website. Commercial information to be included in the Council’s approval must be provided by the vendor to the test laboratory using the forms in the “Evaluation Module Information” section of this document.
Modified
p. 6 → 5
• Enhancements to the information required to be presented in the user-available security policy addressing the proper use of the POI in a secure fashion.
Modified
p. 6 → 5
• The Physical Attack Costing Potential Formulas have been updated to reflect a more granular approach for attack times and expertise that more appropriately recognizes security enhancements.
Modified
p. 6 → 5
• Firmware scoping guidance has been added to deal with the increasing complexity of device designs to ensure the PTS evaluation scope includes any code that can be construed to be firmware.
Modified
p. 6 → 5
• Additional guidance has been added for ensuring that devices are resistant to side-channel-based attacks. Side-channel attacks are those based on analyzing emanations from a device, such as power consumption, for the determination of sensitive information.
Modified
p. 8 → 7
• In support of modular device architectures offered by POI device vendors. These architectures are the result of the integration of several modules (often offered by third parties) that may include partial PIN entry features.
Modified
p. 8 → 7
• Modular approvals, where a PIN entry device may be approved taking in consideration previously approved components.
Modified
p. 8 → 7
• Offering evaluation modules (modular evaluation packages) that potentially optimize evaluation costs and time when laboratories are reviewing non-conventional architectures, conduct modular approvals or maintain existing approvals (changes in security components, etc.).
Modified
p. 11 → 10
Dedicated for PIN entry only Stand-alone POS terminal UPT (Vending, AFD, Kiosk) Other Encrypting PIN pad (for ATM, Vending, AFD or Kiosk) Secure (encrypting) card reader Other secure component for PIN entry device Non-PED POI device Manufacturer*: Marketing Model Name/Number*:
Dedicated for PIN entry only Stand-alone POS terminal UPT (Vending, AFD, Kiosk) Other Encrypting PIN pad (for ATM, Vending, AFD or Kiosk) Secure (encrypting) card reader Secure (encrypting) card reader PIN Non-PED POI device Other secure component for PIN entry device Manufacturer*: Marketing Model Name/Number*:
Modified
p. 16 → 15
Management Device Management (Manufacturing and initial key loading) Life cycle requirements for POIs and their components up until the point of initial key loading. The information is not currently validated, but is still required for vendors to complete.
Management Device Management (Manufacturing and initial key loading) Life cycle requirements for POIs and their components up until the point of initial key loading. The information is not currently validated but is still required for vendors to complete.
Modified
p. 17 → 16
• Operational conditions (An example includes subjecting the device to temperatures or operating voltages outside the stated operating ranges.) A3 Sensitive functions or data are only used in the protected area(s) of the device. Sensitive data and functions dealing with sensitive data are protected from unauthorized modification without requiring an attack potential of at least 26 for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader, for identification and initial exploitationB.
Modified
p. 19 → 18
• The signing process is performed under dual control.
Modified
p. 19 → 18
• All executable files are signed.
Modified
p. 19 → 18
• Software is only signed using a secure cryptographic device provided by the terminal vendor.
Modified
p. 20 → 19
• The device has timed out waiting for the response from the cardholder or merchant.
Modified
p. 20 → 19
B7 Access to sensitive services requires authentication. Sensitive services provide access to the underlying sensitive functions. Sensitive functions are those functions that process sensitive data such as cryptographic keys, PINs, and passwords. Entering or exiting sensitive services shall not reveal or otherwise affect sensitive data.
B7 Access to sensitive services requires authentication. Sensitive services provide access to the underlying sensitive functions. Sensitive functions are those functions that process sensitive data such as cryptographic keys, PINs, and passwords/authentication codes. Entering or exiting sensitive services shall not reveal or otherwise affect sensitive data.
Modified
p. 21 → 20
B19 The vendor must provide adequate documented security guidance for the integration of any secure component into a PIN entry POI terminal.
B19 The vendor must provide adequate documented security guidance for the integration of any secure component into a POI terminal.
Modified
p. 23 → 22
• An enciphered PIN, the PIN block shall be enciphered between the device encrypting the PIN and the ICC reader using either an authenticated encipherment key of the IC card, or in accordance with ISO 9564.
Modified
p. 23 → 22
• A plaintext PIN, the PIN block shall be enciphered from the device encrypting the PIN to the ICC reader (the ICC reader will then decipher the PIN for transmission in plaintext to the IC card) in accordance with ISO 9564.
Modified
p. 23 → 22
• An enciphered PIN, the PIN block shall be enciphered using an authenticated encipherment key of the IC card.
Modified
p. 23 → 22
• A plaintext PIN, then encipherment is not required if the PIN block is transmitted wholly through a protected environment (as defined in ISO 9564). If the plaintext PIN is transmitted to the ICC reader through an unprotected environment, the PIN block shall be enciphered in accordance with ISO 9564.
Modified
p. 24 → 23
However, it also allows the re-use of previously approved individual components or their combinations (card readers, display, keypads, or secure processors) into the approval process of integrated PIN entry devices.
Modified
p. 24 → 23
The POS Terminal Integration Evaluation Module ensures that the integration of previously approved components does not impair the overall security as stated in the security requirements. This module also supports the cost effective maintenance of components.
The POS Terminal Integration Evaluation Module ensures that the integration of previously approved components does not impair the overall security as stated in the security requirements. This module also supports the cost-effective maintenance of components.
Modified
p. 34 → 33
K1.1 The device protects all account data upon entry (consistent with A9 for magnetic stripe data and D1 for Chip data), and there is no method of accessing the clear-text account data (using methods described in A1) without defeating the security of the device. Defeating or circumventing the security mechanism requires an attack potential of at least 16 for identification and initial exploitation, with a minimum of 8 for exploitationI.
K1.1 The device protects all account data upon entry (consistent with A8 for magnetic stripe data and D1 for Chip data), and there is no method of accessing the clear-text account data (using methods described in A1) without defeating the security of the device. Defeating or circumventing the security mechanism requires an attack potential of at least 16 for identification and initial exploitation, with a minimum of 8 for exploitationI.
Modified
p. 35 → 34
• That it is not possible for applications to be influenced by logical anomalies which could result in clear-text data being outputted whilst the terminal is in encrypting mode.
Modified
p. 35 → 34
• That account data is not retained any longer, or used more often, than strictly necessary.
Modified
p. 36 → 35
K19 Environmental or operational conditions cannot be altered to compromise the security of the device, or cause the device to output clear-text account data.
K19 Environmental or operational conditions cannot be altered to compromise the security of the device or cause the device to output clear-text account data.
Modified
p. 37 → 36
• The operating system of the device must contain only the software (components and services) necessary for the intended operation.
Modified
p. 37 → 36
• The operating system must be configured securely and run with least privilege.
Modified
p. 37 → 36
• The security policy enforced by the device must not allow unauthorized or unnecessary functions.
Modified
p. 37 → 36
• API functionality and commands that are not required to support specific functionality must be disabled (and where possible, removed).
Modified
p. 37 → 36
K22 Access to sensitive services requires authentication. Sensitive services provide access to the underlying sensitive functions. Sensitive functions are those functions that process sensitive data such as cryptographic keys, account data, and passwords. Entering or exiting sensitive services shall not reveal or otherwise affect sensitive data.
K22 Access to sensitive services requires authentication. Sensitive services provide access to the underlying sensitive functions. Sensitive functions are those functions that process sensitive data such as cryptographic keys, account data, and passwords/authentication codes. Entering or exiting sensitive services shall not reveal or otherwise affect sensitive data.
Modified
p. 38 → 37
Note: In the following requirements, the device under evaluation is referred to as the “device.” The device manufacturer, subject to PCI payment brand site inspections, confirms the following. The PCI test laboratories will validate this information via documentation reviews, and by means of evidence that procedures are properly implemented and used. Any variances to these requirements will be reported to PCI for review. Site inspections shall not begin until subsequent to the publication of POI v5.
Note: In the following requirements, the device under evaluation is referred to as the “device.” The device manufacturer, subject to PCI payment brand site inspections, confirms the following. The PCI test laboratories will validate this information via documentation reviews, and by means of evidence that procedures are properly implemented and used. Any variances to these requirements will be reported to PCI for review.
Modified
p. 40 → 39
Note: In the following requirements, the device under evaluation is referred to as the “device.” The device manufacturer, subject to PCI payment brand site inspections, confirms the following. The PCI test laboratories will validate this information via documentation reviews and by means of evidence that procedures are properly implemented and used. Any variances to these requirements will be reported to PCI for review. Site inspections shall not begin until subsequent to the publication of POI v5.
Note: In the following requirements, the device under evaluation is referred to as the “device.” The device manufacturer, subject to PCI payment brand site inspections, confirms the following. The PCI test laboratories will validate this information via documentation reviews and by means of evidence that procedures are properly implemented and used. Any variances to these requirements will be reported to PCI for review.
Modified
p. 41 → 40
• Shipped and stored in tamper-evident packaging; and/or
Modified
p. 41 → 40
• Is immediately and automatically erased if any physical or functional alteration to the device is attempted, and
Modified
p. 45 → 44
Card Reader This functionality applies whenever a device under evaluation has the capability to capture card data, irrespective of the technology being used (i.e., it encompasses both the magnetic stripe and smart card readers). This is further broken down into ICCR and MSR functionality.
Card Reader This functionality applies whenever a device under evaluation has the capability to capture card data, irrespective of the technology being used; i.e., it encompasses contactless, magnetic-stripe, and smart card readers. This is further broken down into CTLS, ICCR, and MSR functionality.
Removed
p. 46
Requirement Feedback to cardholder Device is a Implements TCP/IP stack account data Conditions Core Requirements Modules Core Physical Security Requirements A7 X If keypad that can be used to enter non-PIN data.
Modified
p. 46 → 45
For compound devices, it is possible that these requirements are met or exceeded by the relevant module(s), if the corresponding requirements are fully covered; however it remains up to the testing house’s judgment to evaluate on a case-by-case basis whether supplementary testing is required.
For compound devices, it is possible that these requirements are met or exceeded by the relevant module(s), if the corresponding requirements are fully covered; however, it remains up to the testing house’s judgment to evaluate on a case-by-case basis whether supplementary testing is required.
Removed
p. 50
Check Value A computed value which is the result of passing a data value through a non-reversible algorithm. Check values are generally calculated using a cryptographic transformation, which takes as input a secret key and an arbitrary string and gives a cryptographic check value as output. The computation of a correct check value without knowledge of the secret key shall not be feasible. Check values shall not allow the determination of the secret key.
Modified
p. 51
DTR Derived Test Requirement DUKPT Derived Unique Key Per Transaction: A key-management method that uses a unique key for each transaction, and prevents the disclosure of any past key used by the transaction originating TRSM. The unique transaction keys are derived from a base-derivation key using only non-secret data transmitted as part of each transaction.
DTR Derived Test Requirement DUKPT Derived Unique Key Per Transaction: A key-management method that uses a unique key for each transaction and prevents the disclosure of any past key used by the transaction originating TRSM. The unique transaction keys are derived from a base-derivation key using only non-secret data transmitted as part of each transaction.
Modified
p. 53
• Holds one or more professional credentials applicable to the field, e.g., doctoral-level qualifications in a relevant discipline or government certification in cryptography by an authoritative body (e.g., NSA).
Modified
p. 53
• Has published extensively in peer-reviewed publications on the relevant subject.
Modified
p. 53
• Has years of experience in the relevant subject.
Modified
p. 53
• Is recognized by his/her peers in the field (e.g., awarded the Fellow or Distinguished Fellow or similar professional recognition by an appropriate body, e.g., ACM, BCS, IEEE, IET, IACR).
Modified
p. 53
• Subscribes to an ethical code of conduct and would be subject to an ethics compliance process if warranted.
Modified
p. 58 → 59
SCRP Secure Card Reader PIN. An approval class as defined in the PTS POI Device Testing and Approval Guide.
Secure Components (for POI Terminals) Products which incorporate security mechanisms for PIN and account data handling and processing, and require integration into a complete terminal, such as OEM PIN entry devices and IC card readers.
Modified
p. 59 → 60
• A service data exchange support (SDE), which may consist of a card reader, a floppy disk drive, a USB interface or the like.
Modified
p. 59 → 60
SK Session key
Split Knowledge A condition under which two or more entities separately have key components that individually convey no knowledge of the resultant cryptographic key.
SK Session key
Split Knowledge A condition under which two or more entities separately have information (e.g., key components) that individually convey no knowledge of the resultant combined information (e.g., a cryptographic key).