Document Comparison
PCI_PTS_POI_VQ_v4-1a_Sept_2015.pdf
→
PCI_PTS_POI_VQ_v5_Sept_2016.pdf
72% similar
Pages: 126 → 129
Words: 19064 → 21052
Content changes: 170

Content Changes
170 content changes. 62 administrative changes (dates, page numbers) hidden.
Added
p. 2
June 2016 5.x RFC version
September 2016 5.0 Public release Note to Assessors When protecting this document for use as a form, leave Sections 5 and 7 (Annex B and “Device Diagrams”) unprotected to allow for insertion of appropriate diagrams and reports. Under “Tools / Protect Document,” select “Forms” then “Sections,” and un-check Sections 5 and 7 as illustrated below.
Added
p. 4
• Message Authentication Codes (MACs)
• Part 1: Mechanisms using a block cipher ISO 9797-1 Banking
• Key Management (Retail) ISO 11568 Banking
• Secure Cryptographic Devices (Retail) ISO 13491 Financial services -- Requirements for message authentication using symmetric techniques Information Technology
• Encryption algorithms
• Encryption algorithms
• Part 1: General ISO/IEC 18033-1 Information technology -- Security techniques -- Encryption algorithms -- Part 3: Block ciphers ISO/IEC 18033-3 Information Technology
• Part 5: Identity Based Ciphers ISO/IEC 18033-5 Guidelines on Triple DES Modes of Operation. ISO TR 19038 Guideline for Implementing Cryptography In the Federal Government NIST SP 800-21 A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications NIST SP 800-22 Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication NIST SP 800-38B Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher NIST SP 800-67 Recommendation for Random Number Generation Using Deterministic Random Bit Generators NIST SP 800-90A …
Added
p. 12
How encrypted values copied using physical access from one memory location to another are ensured to decrypt to values that do not reveal information about the original values and cannot be used to modify memory contents in a controlled manner.
Added
p. 27
How application updates are differentiated from firmware updates.
Added
p. 37
How this is enforced.
Added
p. 37
The circumstances under which such data may be erased.
Added
p. 38
Whether the correctness of the message structure is tested by the receiver.
For the algorithm(s) used, the key size(s) used as denoted in Appendix E of the DTRs.
Added
p. 41
# If the answer to B13 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Added
p. 42
What data can be encrypted using private keys.
Added
p. 57
# If the answer to E3.3 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Added
p. 63
Interface Name Reference 2 Each protocol and service available for each of the listed interfaces above.=.
Library Version/Protocol Name Interfaces on which it is used Reference How each of the above interfaces is configured to accept commands.
Added
p. 67
Section H1 In accordance with H1 of the PCI PTS POI Modular Security Requirements, use the table below to detail the security guidance documentation describing how protocols and interfaces must be used for each interface that is accessible by the device applications.
Interface/Protocol Security Guidance Documentation Guidance Audience
Added
p. 72
# If the answer to J1 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Added
p. 76
For ICC-Based Entry # If the answer to K1.1 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Section K1.1, continued For Magnetic-Stripe Entry # If the answer to K1.1 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Section K1.1, continued For Manual PAN Key Entry # If the answer to K1.1 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
For Contactless # If the answer to K1.1 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Section K1.1, continued For Tamper-Detection Mechanisms # If the answer to K1.1 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Added
p. 92
# If the answer to K12 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Added
p. 100
Any other data that may be erased along with the cryptographic keys.
Added
p. 101
For the algorithm(s) used, the key size(s) used as denoted in Appendix E of the DTRs..
Added
p. 117
DTR TA1.12 For each tamper switch used in the POI, complete the details indicated in the table below, at a minimum.
Added
p. 120
Cryptographic key Method of loading per TB7.7 Authentication
Added
p. 121
Key Name Purpose/ Size (Bits) Form Factor Available Key Slots (Registers) Unique per device/ acquirer/ vendor- specific/ other (describe) How the key is identified by the device so that it is used only as
Added
p. 126
Processing/Application or Firmware Element Elements Used to Perform Authentication Algorithms and Key Sizes Used for Firmware Authentication Format of Authentication Process Performed if Authentication Use the table below to detail the environmental-protection features implemented by the POI.
Modified
p. 1
Payment Card Industry (PCI) PIN Transaction Security (PTS) Point of Interaction (POI) Modular Evaluation Vendor Questionnaire Version 4.1a
Payment Card Industry (PCI) PIN Transaction Security (PTS) Point of Interaction (POI) Modular Evaluation Vendor Questionnaire Version 5.0
Modified
p. 2
June 2015 4.1 Updates for errata and new core section J
June 2015 4.1 Updates for errata and new core section J. Added Device Management
Removed
p. 4
PCI DSS Wireless Guidelines PCI SSC
PCI PTS POI Security Requirements PCI SSC
PCI PTS POI DTRs PCI SSC
Modified
p. 6 → 7
Section A1 If the answer to A1 in the PCI PTS POI Security Requirements was “YES,” describe:
Section A1 # If the answer to A1 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 8 → 10
Section A2 If the answer to A2 in the PCI PTS POI Security Requirements was “YES,” describe:
Section A2 # If the answer to A2 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Removed
p. 9
Section A3 If the answer to A3 in the PCI PTS POI Security Requirements was “YES,” describe:
Modified
p. 10 → 11
Section A4 If the answer to A4 in the PCI PTS POI Security Requirements was “YES,” describe:
Section A3 # If the answer to A3 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 10 → 11
How modification of the sensitive information is prevented after signature validation
How modification of the sensitive information is prevented after signature validation.
Removed
p. 11
How this prevents the re-location of memory from one area to another.
Modified
p. 11 → 12
How the method of encryption prevents the exposure of sensitive information through building of a “dictionary” (i.e., look-up table) of possible encrypted values.
How the method of encryption prevents the exposure of sensitive information through building of a “dictionary” (i.e., look-up table) of possible encrypted values by writing known plaintext values via logical access and reading out ciphertext values via physical access.
Modified
p. 11 → 12
The different ways in which the element may be programmed or configured Any in-circuit testing or debugging features provided by these elements The methods implemented to disable the programming/testing features 11 Whether applications and/or firmware are executed on the same processor that stores or operates on plaintext passwords, PINs, or public keys.
The different ways in which the element may be programmed or configured Any in-circuit testing or debugging features provided by these elements The methods implemented to disable the programming/testing features.
Removed
p. 12
Section A4, continued
Modified
p. 13 → 14
Section A5 If the answer to A5 in the PCI PTS POI Security Requirements was “YES,” describe:
Section A4 # If the answer to A4 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 14 → 15
Section A6 If the answer to A6 in the PCI PTS POI Security Requirements was “YES,” describe:
Section A5 # If the answer to A5 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 16
Section A7 If the answer to A7 in the PCI PTS POI Security Requirements was “YES,” describe:
Section A6 # If the answer to A6 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 17
Section A8 If the answer to A8 in the PCI PTS POI Security Requirements was “YES,” describe:
Section A7 # If the answer to A7 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 18
Section A9 If the answer to A9 in the PCI PTS POI Security Requirements was “YES,” describe:
Section A8 # If the answer to A8 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 18
The integrated circuit used to provide the encryption and any physical protections provided The algorithm, mode of operation, and key management used How the cryptographic keys are loaded and, if keys can be updated, how this occurs The method used to generate these keys and how this achieves unique key(s) per device 3 Describe any physical protections that are implemented to protect the path from the read head to the security processor, including all intervening elements.
The integrated circuit used to provide the encryption and any physical protections provided The algorithm, mode of operation, and key management used How the cryptographic keys are loaded and, if keys can be updated, how this occurs The method used to generate these keys and how this achieves unique key(s) per device 4 Describe any physical protections that are implemented to protect the path from the read head to the security processor, including all intervening elements.
Modified
p. 19
Section A10 If the answer to A10 in the PCI PTS POI Security Requirements was “YES,” describe:
Section A9 # If the answer to A9 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 20
Section A11 If the answer to A11 in the PCI PTS POI Security Requirements was “YES,” describe:
Section A10 # If the answer to A10 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 21
Section B1 If the answer to B1 in the PCI PTS POI Security Requirements was “YES,” describe:
Section B1 # If the answer to B1 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 22 → 23
Section B2 If the answer to B2 in the PCI PTS POI Security Requirements was “YES,” describe:
Section B2 # If the answer to B2 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Removed
p. 23
Section B2, continued
Modified
p. 24 → 25
Section B3 If the answer to B3 in the PCI PTS POI Security Requirements was “YES,” describe:
Section B3 # If the answer to B3 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 25 → 26
Section B4 If the answer to B4 in the PCI PTS POI Security Requirements was “YES,” describe:
Section B4 # If the answer to B4 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 26 → 27
Section B4.1 If the answer to B4.1 in the PCI PTS POI Security Requirements was “YES,” describe:
Section B4.1 # If the answer to B4.1 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 27 → 28
Section B4.2 If the answer to B4.2 in the PCI PTS POI Security Requirements was “YES,” describe:
Section B4.2 # If the answer to B4.2 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 28 → 29
Section B5 If the answer to B5 in the PCI PTS POI PED Security Requirements was “YES,” describe:
Section B5 # If the answer to B5 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 29 → 30
Section B6 If the answer to B6 in the PCI PTS POI Security Requirements was “YES,” describe:
Section B6 # If the answer to B6 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 30 → 31
Section B7 If the answer to B7 in the PCI PTS POI Security Requirements was “YES,” describe:
Section B7 # If the answer to B7 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 32 → 33
Section B8 If the answer to B8 in the PCI PTS POI Security Requirements was “YES,” describe:
Section B8 # If the answer to B8 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 33 → 35
Section B9 If the answer to B9 in the PCI PTS POI Security Requirements was “YES,” describe:
Section B9 # If the answer to B9 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 33 → 36
Section B10 If the answer to B10 in the PCI PTS POI Security Requirements was “YES,” describe:
Section B10 # If the answer to B10 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Removed
p. 34
Key size Associated cryptographic algorithm The data that may be encrypted under the key The number of instances or registers for that key type How the key is identified by the device so that it is used only as 7 Whether the device has the ability to erase cryptographic keys.
Modified
p. 34 → 37
Section B11 If the answer to B11 in the PCI PTS POI Security Requirements was “YES,” describe:
Section B11 # If the answer to B11 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Removed
p. 35
Section B11, continued 11 What other data are erased?
Under what circumstances?
Modified
p. 35 → 38
The technique utilizes a random/pseudo-random key-generation process such that it is not possible to predict any key or determine that certain keys within the key space are significantly more probable than others?
The technique utilizes a random/pseudo-random key-generation process such that it is not possible to predict any key or determine that certain keys within the key space are significantly more probable than others.
Modified
p. 35 → 38
Yes No N/A Is the random source tested in a suitable manner before key generation?
Yes No N/A Is the random source tested in a suitable manner before key generation.
Modified
p. 35 → 38
How is the authenticity of public keys ensured?
How is the authenticity of public keys ensured.
Modified
p. 35 → 38
Is there a certificate hierarchy? Yes No How are certificates (signed public keys of the key-exchange partners) generated, i.e., who signs?
Is there a certificate hierarchy. Yes No How certificates (signed public keys of the key-exchange partners) are generated; i.e., who signs.
Modified
p. 35 → 38
Is there mutual device authentication? Yes No If certificates are used, how are they tested and accepted or rejected?
Whether there is mutual device authentication. Yes No If certificates are used, how they are tested and accepted or rejected.
Modified
p. 35 → 38
Is there a secure formatting and padding of the message used containing the symmetric secret key?
Whether there is a secure formatting and padding of the message used containing the symmetric secret key.
Modified
p. 36 → 38
What is the reaction of the device if an authenticity test fails?
The reaction of the device if an authenticity test fails,.
Modified
p. 36 → 38
Which effective key length(s) is/are utilized for all the cryptographic algorithm(s) in question?
The effective key length(s) that is/are utilized for all the cryptographic algorithm(s) in question.
Modified
p. 36 → 38
Is the chosen key length appropriate for the algorithm and its protection purpose? If RSA is used, is the key length at least 2048 bit? Yes No 16 The hashing algorithm(s) that are used.
Whether the chosen key length is appropriate for the algorithm and its protection purpose.
Modified
p. 37 → 40
Section B12 If the answer to B12 in the PCI PTS POI Security Requirements was “YES,” describe:
Section B12 # If the answer to B12 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 39 → 43
Section B14 If the answer to B14 in the PCI PTS POI Security Requirements was “YES,” describe:
Section B14 # If the answer to B14 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 40 → 44
Section B15 If the answer to B15 in the PCI POS PED Security Requirements was “YES,” describe:
Section B15 # If the answer to B15 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 41 → 45
Section B16 If the answer to B16 in the PCI PTS POI Security Requirements was “YES,” describe:
Section B16 # If the answer to B16 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 41 → 45
How the chosen key length is appropriate for the algorithm and its protection purpose.
Modified
p. 43 → 47
Section B17 If the answer to B17 in the PCI PTS POI Security Requirements was “YES,” describe:
Section B17 # If the answer to B17 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 44 → 48
Section B18 If the answer to B18 in the PCI PTS POI Security Requirements was “YES,” describe:
Section B18 # If the answer to B18 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 45 → 49
Section B19 If the answer to B19 in the PCI PTS POI Security Requirements was “YES,” describe:
Section B19 # If the answer to B19 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 46 → 49
Section B20 If the answer to B20 in the PCI PTS POI Security Requirements was “YES,” describe:
Section B20 # If the answer to B11 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 47 → 50
Section C1 If the answer to C1 in the PCI PTS POI Security Requirements was “YES,” describe:
Section C1 # If the answer to C1 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 48 → 51
Section D1 If the answer to D1 in the PCI PTS POI Security Requirements was “YES,” describe:
Section D1 # If the answer to D1 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 50 → 53
Section D2 If the answer to D2 in the PCI PTS POI Security Requirements was “YES,” describe:
Section D2 # If the answer to D2 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 50 → 53
Section D3 If the answer to D3 in the PCI PTS POI Security Requirements was “YES,” describe:
Section D3 # If the answer to D3 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 51 → 54
Section D4 If the answer to D4 in the PCI PTS POI Security Requirements was “YES,” describe:
Section D4 # If the answer to D4 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 52 → 55
Section E1 If the answer to E1 in the PCI PTS POI Security Requirements was “YES,” describe:
Section E1 # If the answer to E1 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 52 → 55
Section E2.1 If the answer to E2.1 in the PCI PTS POI Security Requirements was “YES,” describe:
Section E2.1 # If the answer to E2.1 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 53 → 56
Section E2.2 If the answer to E2.2 in the PCI PTS POI Security Requirements was “YES,” describe:
Section E2.2 # If the answer to E2.2 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 61 → 62
• Open Protocols Platform Description 1 Describe, or refer to a description of, the different models that currently use the platform. Provide information about the differences between the different models. Indicate for each model all the communication channels, possible peripherals, intended use.
• Open Protocols Platform Description # Desription 1 Describe, or refer to a description of, the different models that currently use the platform. Provide information about the differences between the different models. Indicate for each model all the communication channels, possible peripherals, intended use.
Modified
p. 62 → 63
Section F1 If the answer to F1 in the PCI PTS POI Security Requirements was “YES,” describe:
Section F1 # If the answer to F1 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 63 → 64
Section G1 If the answer to G1 in the PCI PTS POI Security Requirements was “YES,” describe:
Section G1 # If the answer to G1 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 64 → 65
Section G2 If the answer to G2 in the PCI PTS POI Security Requirements was “YES,” describe:
Section G2 # If the answer to G2 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 65 → 66
Section G3 If the answer to G3 in the PCI PTS POI Security Requirements was “YES,” describe:
Section G3 # If the answer to G3 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 65 → 66
The vendor’s timely creation of mitigation measures for newly found vulnerabilities and that procedures exist to continually update and document all vulnerabilities.
The vendor’s timely creation of mitigation measures for newly found vulnerabilities and how procedures exist to continually update and document all vulnerabilities.
Removed
p. 66
The referenced and provided vendor security guidance for how each logical and physical interface must be securely used.
Removed
p. 66
Section H2 If the answer to H2 in the PCI PTS POI Security Requirements was “YES,” describe:
Modified
p. 66 → 68
Section H1 If the answer to H1 in the PCI PTS POI Security Requirements was “YES,” describe:
Section H2 # If the answer to H2 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 66 → 68
Section H3 If the answer to H3 in the PCI PTS POI Security Requirements was “YES,” describe:
Section H3 # If the answer to H3 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 66 → 68
The referenced and provided vendor security guidance for how keys and certificates must be used.
The referenced and provided vendor security guidance for how keys and certificates must be used, including certificate status (e.g., revoked), secure download, and roll over of keys.
Modified
p. 67 → 69
Section I1 If the answer to I1 in the PCI PTS POI Security Requirements was “YES,” describe:
Section I1 # If the answer to I1 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 67 → 69
Section I2 If the answer to I2 in the PCI PTS POI Security Requirements was “YES,” describe:
Section I2 # If the answer to I2 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 68 → 70
Section I3 If the answer to I3 in the PCI PTS POI Security Requirements was “YES,” describe:
Section I3 # If the answer to I3 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 68 → 70
Section I4 If the answer to I4 in the PCI PTS POI Security Requirements was “YES,” describe:
Section I4 # If the answer to I4 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 69 → 71
Section I5 If the answer to I5 in the PCI PTS POI Security Requirements was “YES,” describe:
Section I5 # If the answer to I5 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 69 → 71
Section I6 If the answer to I6 in the PCI PTS POI Security Requirements was “YES,” describe:
Section I6 # If the answer to I6 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 70 → 73
Section J2 If the answer to J2 in the PCI PTS POI Security Requirements was “YES,” describe:
Section J2 # If the answer to J2 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 71 → 74
Section J3 If the answer to J3 in the PCI PTS POI Security Requirements was “YES,” describe:
Section J3 # If the answer to J3 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 71 → 74
Section J4 If the answer to J4 in the PCI PTS POI Security Requirements was “YES,” describe:
Section J4 # If the answer to J4 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 72 → 75
Section K1 If the answer to K1 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K1 # If the answer to K1 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Removed
p. 78
Independent Security Mechanisms 1 The combinations of tamper detection and/or tamper evidence.
Modified
p. 78 → 81
Section K1.2 If the answer to K1.2 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K2 # If the answer to K2 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Removed
p. 79
Section K2 If the answer to K2 in the PCI PTS POI Security Requirements was “YES,” describe:
Modified
p. 80 → 82
Section K3 If the answer to K3 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K3 # If the answer to K3 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 82 → 83
Section K3.1 If the answer to K3.1 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K3.1 # If the answer to K3.1 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 83 → 84
Section K4 If the answer to K4 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K4 # If the answer to K4 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 84 → 85
Section K5 If the answer to K5 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K5 # If the answer to K5 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 84 → 85
Section K6 If the answer to K6 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K6 # If the answer to K6 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 85
Section K7 If the answer to K7 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K7 # If the answer to K7 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 86
Section K8 If the answer to K8 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K8 # If the answer to K8 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 87
Section K9 If the answer to K9 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K9 # If the answer to K9 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 88 → 89
Section K10 If the answer to K10 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K10 # If the answer to K10 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 89 → 90
Section K11.1 If the answer to K11.1 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K11.1 # If the answer to K11.1 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 90 → 91
Section K11.2 If the answer to K11.2 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K11.2 # If the answer to K11.1 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 91 → 93
Section K13 If the answer to K13 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K13 # If the answer to K13 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 92 → 94
If yes, can the non-firmware perform functions such as PIN processing, cryptographic key operations, prompt control, etc.
Modified
p. 92 → 94
Section K14 If the answer to K14 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K14 # If the answer to K14 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 93 → 95
Section K15 If the answer to K15 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K15 # If the answer to K15 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 94 → 96
Section K15.1 If the answer to K15.1 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K15.1 # If the answer to K15.1 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 95 → 97
Section K15.2 If the answer to K15.2 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K15.2 # If the answer to K15.2 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 96 → 98
Section K16 If the answer to K17 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K16 # If the answer to K16 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 96 → 98
Section K16.1 If the answer to K16.1 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K16.1 # If the answer to K16.1 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 96 → 99
Section K16.2 If the answer to K16.2 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K16.2 # If the answer to K16.2 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Removed
p. 97
Key size Associated cryptographic algorithm The data that may be encrypted under the key The number of instances or registers for that key type How the key is identified by the device so that it is used only as intended 7 Whether the device has the ability to erase cryptographic keys.
Modified
p. 97 → 100
Section K17 If the answer to K17 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K17 # If the answer to K17 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Removed
p. 98
Section K17, continued 11 Other data that is erased.
In case RSA is used, whether the key length is at least 2048 bit. Yes No
In case RSA is used, whether the key length is at least 2048 bit. Yes No
Modified
p. 98 → 101
Is there mutual device authentication? Yes No If certificates are used, how are they tested and accepted or rejected?
Whether there is mutual device authentication. Yes No If certificates are used, how they are tested and accepted or rejected.
Modified
p. 98 → 101
Is there a secure formatting and padding of the message used containing the symmetric secret key?
Whether there is a secure formatting and padding of the message used containing the symmetric secret key.
Modified
p. 98 → 101
Utilizes a random/pseudo-random key-generation process such that it is not possible to predict any key or determine that certain keys within the key space are significantly more probable than others?
Utilizes a random/pseudo-random key-generation process such that it is not possible to predict any key or determine that certain keys within the key space are significantly more probable than others.
Modified
p. 98 → 101
Yes No N/A Is the random source tested in a suitable manner before key generation?
Yes No N/A Whether the random source is tested in a suitable manner before key generation.
Modified
p. 98 → 101
How is the authenticity of public keys ensured?
How the authenticity of public keys is ensured.
Modified
p. 98 → 101
Is there a certificate hierarchy? Yes No How are certificates (signed public keys of the key-exchange partners) generated, i.e., who signs?
Whether there is a certificate hierarchy. Yes No How certificates (signed public keys of the key-exchange partners) are generated, i.e., who signs.
Modified
p. 98 → 101
Is the correctness of the message structure tested by the receiver?
Whether the correctness of the message structure is tested by the receiver.
Modified
p. 100 → 103
Section K18 If the answer to K18 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K18 # If the answer to K18 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 100 → 103
Section K19 If the answer to K19 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K19 # If the answer to K19 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 101 → 104
Section K20 If the answer to K20 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K20 # If the answer to K20 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 102 → 105
Section K21 If the answer to K21 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K21 # If the answer to K21 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 103 → 106
Section K22 If the answer to K22 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K22 # If the answer to K22 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 104 → 107
The number of devices that share the same keys or passwords Cryptographic algorithms used for authentication, if applicable Data size (key or password length) How authentication data is distributed to legitimate users How authentication data can be updated 10 The device’s response to false authentication data.
The number of devices that share the same keys or passwords Cryptographic algorithms used for authentication, if applicable Data size (key or password length) How authentication data is distributed to legitimate How authentication data can be updated 10 The device’s response to false authentication data.
Modified
p. 105 → 108
Section K23 If the answer to K23 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K23 # If the answer to K23 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 107 → 109
Section L1 If the answer to L1 in the PCI PTS POI Security Requirements was “YES,” describe:
Section L1 # If the answer to L1 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 108 → 109
Section L2 If the answer to L2 in the PCI PTS POI Security Requirements was “YES,” describe:
Section L2 # If the answer to L2 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 109 → 110
Section L3 If the answer to L3 in the PCI PTS POI Security Requirements was “YES,” describe:
Section L3 # If the answer to L3 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 110
Section L4 If the answer to L4 in the PCI PTS POI Security Requirements was “YES,” describe:
Section L4 # If the answer to L4 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 111
Section L5 If the answer to L5 in the PCI PTS POI Security Requirements was “YES,” describe:
Section L5 # If the answer to L5 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 112 → 111
Section L6 If the answer to L6 in the PCI PTS POI Security Requirements was “YES,” describe:
Section L6 # If the answer to L6 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 113 → 112
Section L7 If the answer to L7 in the PCI PTS POI Security Requirements was “YES,” describe:
Section L7 # If the answer to L7 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 114 → 112
Section L8 If the answer to L8 in the PCI PTS POI Security Requirements was “YES,” describe:
Section L8 # If the answer to L8 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 115 → 113
Section M1 If the answer to M1 in the PCI PTS POI Security Requirements was “YES,” describe:
Section M1 # If the answer to M1 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 116 → 114
Section M2 If the answer to M2 in the PCI PTS POI Security Requirements was “YES,” describe:
Section M2 # If the answer to M2 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 117 → 114
Section M3 If the answer to M3 in the PCI PTS POI Security Requirements was “YES,” describe:
Section M3 # If the answer to M3 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 117 → 115
Section M4 If the answer to M4 in the PCI PTS POI Security Requirements was “YES,” describe:
Section M4 # If the answer to M4 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 118 → 115
Section M5 If the answer to M5 in the PCI PTS POI Security Requirements was “YES,” describe:
Section M5 # If the answer to M5 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 118 → 115
Section M6 If the answer to M6 in the PCI PTS POI Security Requirements was “YES,” describe:
Section M6 # If the answer to M6 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 118 → 116
Section M7 If the answer to M7 in the PCI PTS POI Security Requirements was “YES,” describe:
Section M7 # If the answer to M7 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 119 → 116
Section M8 If the answer to M8 in the PCI PTS POI Security Requirements was “YES,” describe:
Section M8 # If the answer to M8 in the PCI PTS POI Modular Security Requirements was “YES,” describe:
Modified
p. 120 → 117
Tamper Grid Physical Implementation Size of Traces and Distance between Traces, Signals, or Tamper- detecting Signals Method of Connection Adjacent Signals? DTR TA1.10 For each tamper switch used in the POI, complete the details indicated in the table below, at a minimum.
Tamper Grid Physical Implementation Size of Traces and Distance between Traces, Signals, or Tamper- detecting Signals Method of Connection Signals.
Modified
p. 121 → 118
Dimension Device Measurement Maximum for classification as handheld The width at the “5” key 7.62 cm The height at the “5” key The sum of the width and the height at the “5” key The keypad length, from the bottom of the “0” key to the top of the “2” key 10.16 cm The weight of the POI 500grams DTR TA8.11 If the device provides a privacy shield, complete the table below with angles of observation to the center of …
Dimension Device Measurement Maximum for classification as handheld The width at the “5” key 7.62 cm The height at the “5” key The sum of the width and the height at the “5” key The keypad length, from the bottom of the “0” key to the top of the “2” key 10.16 cm The weight of the POI 500grams
Modified
p. 121 → 119
Angle of POI Angle of observation to Minimum angle required by Annex A1.1 Minimum angle required by Annex A1.2
Angle of POI Angle of observation to Minimum angle required by Annex A1.1 Minimum angle required by Annex A1.2 DTR TB1.11 Complete the following table indicating the process used to authenticate the firmware images during each stage of the booting process.
Modified
p. 122 → 119
Boot stage Algorithms and Key Sizes Used for Authentication Area/Code/Registers Authenticated Method and Frequency of Re-authentication Action Performed if DTRs TB4.8 and TB4.1.8 Complete the following table for each of the processing elements listed in DTR A4.
Boot stage Algorithms and Key Sizes Used for Authentication Area/Code/Registers Authenticated Method and Frequency of Re-authentication Action Performed if
Removed
p. 123
IP (GPRS) GPRS Modem Modem vendor Modem uses a separate processor, which is logically and physically segmented from the security processor.
Modified
p. 123 → 120
Processing/Application or Firmware Element Elements Used to Perform Authentication Algorithms and Key Sizes Used for Firmware Authentication Format of Authentication Process Performed if Authentication Complete the following table.
Modified
p. 123 → 125
Example Protocol Table Protocol Name Component Handling the Source Code Base and Version Security Protocol If not in OP scope, why? IP (General) Security Processor Linux (3.7.1) TLS Security Processor OpenSSL (1.0.1c) GPRS GPRS Modem Modem vendor Modem uses a separate processor, which is logically and physically segmented from the security processor.
Example Protocol Table Protocol Name Component Handling the Source Code Base and Version Security Protocol If not in OP scope, why?
Modified
p. 125 → 128
Section A3, Question 5:
Section A2, Question 5:
Modified
p. 125 → 128
Section A5, Question 3:
Section A4, Question 3:
Modified
p. 125 → 128
Section A5, Question 5:
Section A4, Question 5: