Document Comparison
PCI_PIN_Security_Rqrmts_Modifications_v3_Summary_of_Changes_Aug2018.pdf
→
PIN_Security_Rqrmts_Modifications_v3.1_-_Summary_of_Changes.pdf
12% similar
Pages: 9 → 4
Words: 2284 → 642
Content Changes: 18

Content Changes
18 content changes. 10 administrative changes (dates, page numbers) hidden.
Added
p. 2
Within that same document:
Requirement Section(s) | Modification
Overview | ISO PIN Block Format 4 support dates are suspended until further notice.
Technical Reference | Modified ANSI and NIST references.
Normative Annex A | Added ANSI TR-34 information.
Normative Annex B | Added additional language to clarify remote key loading.
Normative Annex C | Updated wording throughout.
Transaction Processing Operations, Normative Annex B | Added reference to FIPS 140-3. Clarified for PCI approved HSMs that the approval may be contingent on being deployed in controlled environments or more robust (e.g., secure) environments as defined in ISO 13491-2 and in the device’s PCI HSM Security Policy.
Added
p. 4
Normative Annex B Aligned encrypted key loading dates with previously issued PCI bulletin which deferred the implementation dates three years and the applicability changed from POI v3 and higher devices to POI v5 and higher devices.
Removed
p. 1
PCI SSC Modifications
• Summary of Significant Changes from v2.0 to v3.0
Modified
p. 1
Payment Card Industry (PCI) PIN Security Requirements
Payment Card Industry (PCI) PIN Security Requirements Summary of Requirements Changes from v3.0 to v3.1
Removed
p. 2
Requirement Section(s) | Modification
General Overview | Main body of requirements now delineated as “Transaction Processing Operations” to clarify scope as pertaining to the acquiring and related processing of PIN-based transactions.
Clarified that entities may be subject to requirements in multiple sections, depending on the activities performed.
Clarified where vendor-controlled secret and private keys are subject to review under Annexes A and/or B.
Clarified consideration of MAC and account data encryption keys.
Added criteria, to facilitate reviews, that all entities subject to these requirements must maintain a summary listing of the cryptographic keys used, including identification of the algorithm (e.g., AES, TDEA, RSA) used and key size (e.g., 128, 2048) for each key type for activities in which they engage, whether for:
• Transaction Processing Operations
• Symmetric Key Distribution Using Asymmetric Techniques
• Key-Injection Facilities
Additionally, entities engaged in the processing of PIN-based transactions must construct a network schematic detailing transaction flows with the associated key usage.
Modified
p. 2
• Normative Annex A applies to specific requirements pertaining to acquiring entities involved in the implementation of symmetric key distribution using asymmetric keys (remote key distribution) or those entities involved in the operation of Certification and Registration Authorities for such purposes.
• Normative Annex A applies to specific requirements pertaining to acquiring entities involved in the implementation of symmetric-key distribution using asymmetric keys (remote key distribution) or those entities involved in the operation of Certification and Registration Authorities for such purposes.
Removed
p. 3
• Effective 1 January 2023: Fixed key for TDES PIN encryption in POI devices is disallowed.
• Effective 1 January 2023: Fixed key for TDES PIN encryption in host to host connections is disallowed.
Added effective dates for support of ISO PIN block format 4. Specifically:
• Effective 1 January 2023: All hosts must support ISO PIN block format ISO 4 decryption.
• Effective 1 January 2025: All hosts must support ISO PIN block format 4 encryption.
Technical Reference | Updated Technical References to add ANSI X9.24-3 and ANSI TR34.
Transaction Processing Operations, Normative Annex A, Normative Annex B | Added test procedures for all requirements. Clarified usage of term “secure room.”
Normative Annex A | Clarified that the Annex applies for the distribution of acquirer keys to transaction-originating devices (POIs) for use in connection with PIN encryption, whether the actual distribution of acquirer keys occurs from the transaction processing host or is distributed directly by the vendor. Cited ANSI …
Modified
p. 3 → 2
Appendix A | Added matrix to delineate the applicability of requirements by business activity.
Appendix A | Updated applicability of requirements.
Removed
p. 4
Clarified that equipment used for the generation of clear-text key components must be inspected for signs of tampering prior to the initialization of key-generation activities.
Clarified that multi-use/purpose computing systems shall not be used for key generation where any clear-text secret or private key or component thereof appears in unprotected memory outside the tamper-protected boundary of an SCD.
Clarified that dedicated computers using an SCD meeting Requirement 5.1 may be used for key generation.
Clarified that printers used for printing key components must not be networked.
Removed
p. 5
Added requirement that printers used for printing key components must be managed under dual control, including use of a secure room.
Clarified that requirement for policies and procedures to exist to prohibit keys or their components from being transmitted across insecure channels applies to clear-text secret and private keys and their components.
Removed
p. 5
Clarified that self-signed root certificates protect the integrity of the data within the certificate but do not guarantee the authenticity of the data.
Clarified that key-compromise process involves both a documented analysis and confirmation.
Added requirement for when components or shares of multiple keys are being sent simultaneously between the same sending and receiving custodians.
Removed
p. 6
Clarified that for devices that do not support two or more passwords/authentication codes, each half of the split password/authentication code must still be at least five characters.
Clarified that passwords/authentication codes to the same object may be assigned to a custodian group team e.g., custodian team for component A.
Removed
p. 6
• Effective 1 January 2021, entities engaged in key loading on behalf of others shall not be allowed to use PC-based key-loading methodologies where clear-text secret and/or private keying material appears in the clear in unprotected memory outside the secure boundary of an SCD.
• Effective 1 January 2023, entities only performing key loading for devices for which they are the processor shall no longer have this option.
Removed
p. 7
Modified and extended implementation date for managing encrypted symmetric keys as key blocks. New dates are divided into three phases.
Removed
p. 7
Added requirement for usage of certificates in conjunction with remote key-distribution functions. Specifically:
• Certificates associated with encryption for remote key- distribution functions must not be used for any other purpose.
• Certificates associated with authentication of the KDH must not be used for any other purpose.
• Certificates associated with authentication of the POI must not be used for any other purpose.
• Certificates associated with authentication of POI firmware and POI applications must not be used for any other purpose.
Removed
p. 8
Clarified where requirements apply to CAs operated online.
Removed
p. 8
Clarified that chain of custody includes procedures, as stated in Requirement 29-1, to ensure that access to all POI devices and other SCDs is documented, defined, logged, and controlled such that unauthorized individuals cannot access, modify, or substitute any device without detection.
Added an option for implementing physical protection of devices from the manufacturer’s facility up to the point of key- insertion and deployment.
Added requirement for existence of documentation of HSM configuration settings.
Removed
p. 9
• Effective 1 January 2021, the injection of clear-text secret or private keying material shall not be allowed for entities engaged in key injection on behalf of others. Only encrypted key injection shall be allowed for POI v3 and higher devices.
• Effective 1 January 2023, the same restriction applies to entities engaged in key injection of devices for which they are the processors.
This does not apply to key components entered into the keypad of a secure cryptographic device, such as a device approved against the PCI PTS POI Security Requirements. It does apply to all other methods of loading of clear-text keying material for POI v3 and higher devices.
Added requirements for the retention of CCTV images.