Document Comparison
pci_pts_poi_vq_v3_1_b.pdf
→
PCI_PTS_POI_VQ_v4.pdf
68% similar
93 → 111
Pages
13144 → 16999
Words
99
Content Changes
Content Changes
99 content changes. 46 administrative changes (dates, page numbers) hidden.
Added
p. 2
February 2013 4.x RFC version
June 2013 4.0 Initial public release
June 2013 4.0 Initial public release
Added
p. 10
Section A1 (continued) 10 How the device is constructed, by attaching in Annex B at the end of the Questionnaire an exploded diagram of the device showing how all sub-components are assembled and connected internally.
Added
p. 11
Section A1 (continued) 20 How the device is protected from:
Each side of the device The back of the device The front of the device
Each side of the device The back of the device The front of the device
Added
p. 13
The algorithms and key lengths used for the signatures.
Any padding schemes used for the signatures, and how this prevents padding oracle attacks.
How modification of the sensitive information is prevented after signature validation
Section A4 (continued) 8 Whether physical protections are used as a protection method (for example when plaintext information exists in external memory.
Whether the physical protections cover all memory traces, vias, passive elements, or other areas of access.
How the memory packages are protected, including access to BGA balls and traces on internal chip carriers of packages.
Any padding schemes used for the signatures, and how this prevents padding oracle attacks.
How modification of the sensitive information is prevented after signature validation
Section A4 (continued) 8 Whether physical protections are used as a protection method (for example when plaintext information exists in external memory.
Whether the physical protections cover all memory traces, vias, passive elements, or other areas of access.
How the memory packages are protected, including access to BGA balls and traces on internal chip carriers of packages.
Added
p. 14
The algorithms and key lengths used.
What modes of operation are used for the encryption.
How this prevents the re-location of memory from one area to another.
How the method of encryption prevents the exposure of sensitive information through building of a “dictionary” (i.e., look-up table) of possible encrypted values.
If a key stream mode of encryption is used (e.g. OFB), how the encryption of different data with the same key is prevented.
What modes of operation are used for the encryption.
How this prevents the re-location of memory from one area to another.
How the method of encryption prevents the exposure of sensitive information through building of a “dictionary” (i.e., look-up table) of possible encrypted values.
If a key stream mode of encryption is used (e.g. OFB), how the encryption of different data with the same key is prevented.
Added
p. 14
The different ways in which the element may be programmed or configured Any in-circuit testing or debugging features provided by these elements The methods implemented to disable the programming/testing features 11 Whether applications and/or firmware are executed on the same processor that stores or operates on plaintext passwords, PINs, or public keys.
What mechanisms are implemented to prevent these applications from modifying this information.
What mechanisms are implemented to prevent these applications from modifying this information.
Added
p. 17
If “YES,” provide responses to Section A1.
If “YES,” provide responses to Section A1.
If “YES,” provide responses to Section A1.
Added
p. 21
If logical (e.g., encryption) protections are used describe:
The integrated circuit used to provide the encryption and any physical protections provided The algorithm, mode of operation, and key management used How the cryptographic keys are loaded and, if keys can be updated, how this occurs The method used to generate these keys and how this achieves unique key(s) per device 3 Describe any physical protections that are implemented to protect the path from the read head to the security processor, including all intervening elements.
The integrated circuit used to provide the encryption and any physical protections provided The algorithm, mode of operation, and key management used How the cryptographic keys are loaded and, if keys can be updated, how this occurs The method used to generate these keys and how this achieves unique key(s) per device 3 Describe any physical protections that are implemented to protect the path from the read head to the security processor, including all intervening elements.
Added
p. 28
Section B4.1 If the answer to B4.1 in the PCI PTS POI Security Requirements was “YES,” describe:
Added
p. 32
Include descriptions of the following:
Added
p. 37
If “YES,” describe the method.
Added
p. 40
If “YES,” describe the mechanism.
Added
p. 43
Section B16 (continued) 7 The key-management, key-distribution and other techniques defined and used for the cryptographic key(s) in question. Describe who/which entity possesses which key(s) and under what circumstances.
Added
p. 46
Section B20 If the answer to B20 in the PCI PTS POI Security Requirements was “YES,” describe:
Added
p. 47
The device provides for a single master key for all hierarchies into which a PIN key may be loaded, This master key is the only key which can be loaded into the POI in plain text, and The device provides for only one PIN key. Yes No If the answers to each of the above are “YES,” the rest of this section is N/A.
If “YES,” describe how the device authenticates key selection or uses commands for the PIN key or any PIN KEKs and implements dual control or cryptographic mechanisms to do so.
If “YES,” describe how the device authenticates key selection or uses commands for the PIN key or any PIN KEKs and implements dual control or cryptographic mechanisms to do so.
Added
p. 49
The protections used to prevent penetration of the device for the purpose of determining or modifying sensitive data.
For each PCB that carries the customer ICC I/O signal, the tamper-detection mechanisms to protect these signals from being accessed (such as tamper grids).
The specialized skills and equipment that would be necessary to penetrate the device in order to determine or modify sensitive data.
For each PCB that carries the customer ICC I/O signal, the tamper-detection mechanisms to protect these signals from being accessed (such as tamper grids).
The specialized skills and equipment that would be necessary to penetrate the device in order to determine or modify sensitive data.
Added
p. 50
If “YES,” provide a rationale for why these cannot be used to obscure wires running from the opening to an external bug.
Added
p. 56
If “YES,” which method of authentication is used? Include in the description the algorithms, keys, and key management involved.
Added
p. 60
• Open Protocols Platform Description 1 Describe, or refer to a description of, the different models that currently use the platform. Provide information about the differences between the different models. Indicate for each model all the communication channels, possible peripherals, intended use.
Section F1 If the answer to F1 in the PCI PTS POI Security Requirements was “YES,” describe:
Section F1 If the answer to F1 in the PCI PTS POI Security Requirements was “YES,” describe:
Added
p. 61
Interface Name Reference 2 Each protocol and service available for each of the listed interfaces above Protocol Name Reference How each of the above interfaces is configured to accept commands 4 For each of the above interfaces which component implements the protocol, if it is a security protocol, and the location from which the software was derived.
Added
p. 62
Section G1 If the answer to G1 in the PCI PTS POI Security Requirements was “YES,” describe:
Added
p. 62
How the vendor’s vulnerability-assessment procedures outline the process for classification and detection of vulnerabilities and include a correct description, a level of criticality, and mitigation measures.
Added
p. 62
Section G2 If the answer to G2 in the PCI PTS POI Security Requirements was “YES,” describe:
Added
p. 64
Section G3 If the answer to G3 in the PCI PTS POI Security Requirements was “YES,” describe:
The vendor’s timely creation of mitigation measures for newly found vulnerabilities and that procedures exist to continually update and document all vulnerabilities.
Section H1 If the answer to H1 in the PCI PTS POI Security Requirements was “YES,” describe:
Section H2 If the answer to H2 in the PCI PTS POI Security Requirements was “YES,” describe:
The vendor’s timely creation of mitigation measures for newly found vulnerabilities and that procedures exist to continually update and document all vulnerabilities.
Section H1 If the answer to H1 in the PCI PTS POI Security Requirements was “YES,” describe:
Section H2 If the answer to H2 in the PCI PTS POI Security Requirements was “YES,” describe:
Added
p. 65
Section H3 If the answer to H3 in the PCI PTS POI Security Requirements was “YES,” describe:
Added
p. 67
Section I1 If the answer to I1 in the PCI PTS POI Security Requirements was “YES,” describe:
Section I2 If the answer to I2 in the PCI PTS POI Security Requirements was “YES,” describe:
Section I3 If the answer to I3 in the PCI PTS POI Security Requirements was “YES,” describe:
Section I4 If the answer to I4 in the PCI PTS POI Security Requirements was “YES,” describe:
Section I5 If the answer to I5 in the PCI PTS POI Security Requirements was “YES,” describe:
Section I7 If the answer to I7 in the PCI PTS POI Security Requirements was “YES,” describe:
Protocol Name Reference The device’s session-management features to ensure that connections are not left open for longer than necessary.
Section I2 If the answer to I2 in the PCI PTS POI Security Requirements was “YES,” describe:
Section I3 If the answer to I3 in the PCI PTS POI Security Requirements was “YES,” describe:
Section I4 If the answer to I4 in the PCI PTS POI Security Requirements was “YES,” describe:
Section I5 If the answer to I5 in the PCI PTS POI Security Requirements was “YES,” describe:
Section I7 If the answer to I7 in the PCI PTS POI Security Requirements was “YES,” describe:
Protocol Name Reference The device’s session-management features to ensure that connections are not left open for longer than necessary.
Added
p. 70
Section J1 If the answer to J1 in the PCI PTS POI Security Requirements was “YES,” describe:
Added
p. 70
Section J2 If the answer to J2 in the PCI PTS POI Security Requirements was “YES,” describe:
Added
p. 70
Section J3 If the answer to J3 in the PCI PTS POI Security Requirements was “YES,” describe:
Added
p. 71
Section J4 If the answer to J4 in the PCI PTS POI Security Requirements was “YES,” describe:
Added
p. 73
For ICC-Based Entry 1 The rationale as to why the slot does not have sufficient space to hold a PIN-disclosing bug.
Added
p. 74
Section K1.1 (continued) For ICC-Based Entry (continued) 11 Any feature, mechanism, or subsystem preventing he successful implant of a sensitive-data- disclosing bug aiming at capturing offline PIN and IC card information.
Added
p. 75
Section K1.1 (continued) For Magnetic-Stripe Entry 1 The mechanisms used by the device to capture data from magnetic-stripe payment cards, including any necessary APIs.
If logical (e.g., encryption) protections are used, describe:
The integrated circuit used to provide the encryption and any physical protections provided The algorithm, mode of operation, and key management used How the cryptographic keys are loaded and, if keys can be updated, how this occurs The method used to generate these keys and how this achieves a unique key(s) per device Describe any physical protections that are implemented to protect the path from the read head to the security processor, including all intervening elements.
If logical (e.g., encryption) protections are used, describe:
The integrated circuit used to provide the encryption and any physical protections provided The algorithm, mode of operation, and key management used How the cryptographic keys are loaded and, if keys can be updated, how this occurs The method used to generate these keys and how this achieves a unique key(s) per device Describe any physical protections that are implemented to protect the path from the read head to the security processor, including all intervening elements.
Added
p. 76
For Contactless 1 The mechanisms used to protect the path for contactless data from the point of digitization of the data.
Added
p. 78
Section K1.2 If the answer to K1.2 in the PCI PTS POI Security Requirements was “YES,” describe:
Added
p. 80
If “YES,” provide responses to Section K1.1.
If “YES,” provide responses to Section K1.1.
If “YES,” provide responses to Section K1.1.
Added
p. 91
Section K13, continued 10 Whether the POI is designed to allow for non-firmware applications to be executed.
The firmware functions provided by the processor on which such non-firmware applications would execute (e.g. PIN processing, cryptographic key operations, prompt control, etc.)
If “YES,” describe these mechanisms.
The firmware functions provided by the processor on which such non-firmware applications would execute (e.g. PIN processing, cryptographic key operations, prompt control, etc.)
If “YES,” describe these mechanisms.
Added
p. 96
How this is enforced.
Added
p. 97
The circumstances under which other data is erased.
Added
p. 97
In case RSA is used, whether the key length is at least 2048 bit. Yes No
Added
p. 98
If “YES,” describe the method.
Added
p. 100
Provide a list of these applications, and identify those with security impact.
Describe how the separation between applications with security impact from those without security impact is enforced.
Describe how the separation between applications with security impact from those without security impact is enforced.
Added
p. 100
If “YES,” describe the method of communications provided between these processors, including any physical interface and API(s).
Added
p. 101
If the device uses a commercial operating system, note the name and version of this system.
Added
p. 105
PCB Designator PCB Version PCB purpose Picture reference Tamper- Detection Mechanisms DTR TA1.10 Using vendor documentation for each tamper grid that is implemented, complete the details indicated in the table below, describing, at a minimum:
Tamper Grid Physical Implementation Size of Traces and Distance between Traces, Signals, or Tamper- detecting Signals Method of Connection Adjacent Signals? DTR TA1.10 For each tamper switch used in the POI, complete the details indicated in the table below, at a minimum.
Switch Location Number Used in that Location Physical Implementation Size of Switch Conductive Ink Protections Additional Comments
Tamper Grid Physical Implementation Size of Traces and Distance between Traces, Signals, or Tamper- detecting Signals Method of Connection Adjacent Signals? DTR TA1.10 For each tamper switch used in the POI, complete the details indicated in the table below, at a minimum.
Switch Location Number Used in that Location Physical Implementation Size of Switch Conductive Ink Protections Additional Comments
Added
p. 106
Maximum Value Minimum Value Detecting Circuitry Response Voltage (Specify type) Configured Value Configured Value Tested Value Tested Value Temperature Configured Value Configured Value Tested Value Tested Value In the following table, outline the locations of all types of sensitive information and functions, adding to those provided where other types of sensitive information exist within the POI.
Sensitive Information Storage area Method of protection Plaintext PINs POI Firmware Public keys Enter details of the POI into the table below.
Device Measurement Maximum for classification as handheld The width at the “5” key 7.62 cm The height at the “5” key The sum of the width and the height at the “5” key The keypad length, from the bottom of the “0” key to the top of the “2” key 10.16 cm The weight of the POI 500grams
Sensitive Information Storage area Method of protection Plaintext PINs POI Firmware Public keys Enter details of the POI into the table below.
Device Measurement Maximum for classification as handheld The width at the “5” key 7.62 cm The height at the “5” key The sum of the width and the height at the “5” key The keypad length, from the bottom of the “0” key to the top of the “2” key 10.16 cm The weight of the POI 500grams
Added
p. 107
Angle of POI Angle of observation to Minimum angle required by Annex A1.1 Minimum angle required by Annex A1.2 DTR TB1.11 Complete the following table indicating the process used to authenticate the firmware images during each stage of the booting process.
Boot stage Algorithms and Key Sizes Used for Authentication Area/Code/Registers Authenticated Method and Frequency of Re-authentication Action Performed if DTRs TB4.8 and TB4.1.8 Complete the following table for each of the processing elements listed in DTR A4.
Processing/ Firmware Element Elements Used to Perform Authentication Algorithms and Key Sizes Used for Firmware Authentication Format of Authentication Process Performed if Authentication
Boot stage Algorithms and Key Sizes Used for Authentication Area/Code/Registers Authenticated Method and Frequency of Re-authentication Action Performed if DTRs TB4.8 and TB4.1.8 Complete the following table for each of the processing elements listed in DTR A4.
Processing/ Firmware Element Elements Used to Perform Authentication Algorithms and Key Sizes Used for Firmware Authentication Format of Authentication Process Performed if Authentication
Added
p. 108
Example Protocol Table Protocol Name Component Handling the Source Code Base and Version Security Protocol If not in OP scope, why? IP (General) Security Processor Linux (3.7.1) TLS Security Processor OpenSSL (1.0.1c) GPRS GPRS Modem Modem vendor Modem uses a separate processor, which is logically and physically segmented from the security processor.
IP (GPRS) GPRS Modem Modem vendor Modem uses a separate processor, which is logically and physically segmented from the security processor.
IP (GPRS) GPRS Modem Modem vendor Modem uses a separate processor, which is logically and physically segmented from the security processor.
Added
p. 109
Processing/ Firmware Element Elements Used to Perform Authentication Algorithms and Key Sizes Used for Firmware Authentication Format of Authentication Process Performed if Authentication Use the table below to detail the environmental-protection features implemented by the POI.
Maximum Value Minimum Value Detecting Circuitry Response Voltage (Specify type) Configured Value Configured Value Tested Value Tested Value Temperature Configured Value Configured Value Tested Value Tested Value
Maximum Value Minimum Value Detecting Circuitry Response Voltage (Specify type) Configured Value Configured Value Tested Value Tested Value Temperature Configured Value Configured Value Tested Value Tested Value
Added
p. 110
Section A1, Question 10:
Section A1, Question 16:
Section A3, Question 5:
Section A5, Question 3:
Section A5, Question 5:
Section K19, Question 5:
Section A1, Question 16:
Section A3, Question 5:
Section A5, Question 3:
Section A5, Question 5:
Section K19, Question 5:
Modified
p. 1
Payment Card Industry (PCI) PIN Transaction Security (PTS) Point of Interaction (POI) Modular Evaluation Vendor Questionnaire Version 3.1
Payment Card Industry (PCI) PIN Transaction Security (PTS) Point of Interaction (POI) Modular Evaluation Vendor Questionnaire Version 4.0
Removed
p. 5
PCI DSS v1.2.1 PCI SSC
PCI PTS POI Evaluation Vendor Questionnaire PCI SSC
PCI PTS POI Evaluation Vendor Questionnaire PCI SSC
Modified
p. 7 → 9
Section A1.1 If the answer to A1.1 in the PCI PTS POI Security Requirements was “YES,” describe:
Section A1 If the answer to A1 in the PCI PTS POI Security Requirements was “YES,” describe:
Modified
p. 8 → 11
Section A1.2 If the answer to A1.2 in the PCI PTS POI Security Requirements was “YES,” describe:
Section A2 If the answer to A2 in the PCI PTS POI Security Requirements was “YES,” describe:
Modified
p. 25 → 31
Data inputs cannot be discerned by monitoring audible or electro-magnetic emissions.
Modified
p. 30 → 35
Key size Associated cryptographic algorithm The data that may be encrypted under the key The number of instances or registers for that key type How the key is identified by the device so that it is used only as intended 7 Whether the device has the ability to erase cryptographic keys. Yes No 8 What keys may be erased?
Key size Associated cryptographic algorithm The data that may be encrypted under the key The number of instances or registers for that key type How the key is identified by the device so that it is used only as 7 Whether the device has the ability to erase cryptographic keys.
Modified
p. 31 → 36
Utilizes a random/pseudo-random key-generation process such that it is not possible to predict any key or determine that certain keys within the key space are significantly more probable than others?
The technique utilizes a random/pseudo-random key-generation process such that it is not possible to predict any key or determine that certain keys within the key space are significantly more probable than others?
Modified
p. 31 → 36
Yes No N/A Is the random source tested in a suitable manner before key generation?
Yes No N/A Is the random source tested in a suitable manner before key generation?
Modified
p. 31 → 36
Is there a certificate hierarchy? Yes No How are certificates (signed public keys of the key-exchange partners) generated, i.e., who signs?
Is there a certificate hierarchy? Yes No How are certificates (signed public keys of the key-exchange partners) generated, i.e., who signs?
Modified
p. 31 → 36
Is there mutual device authentication? Yes No If certificates are used, how are they tested and accepted or rejected?
Is there mutual device authentication? Yes No If certificates are used, how are they tested and accepted or rejected?
Modified
p. 31 → 36
Is the correctness of the message structure tested by the receiver?
Is the correctness of the message structure tested by the receiver?
Modified
p. 31 → 37
Is the chosen key length appropriate for the algorithm and its protection purpose? In case RSA is used, is the key length at least 2048 bit? Yes No
Is the chosen key length appropriate for the algorithm and its protection purpose? If RSA is used, is the key length at least 2048 bit? Yes No 16 The hashing algorithm(s) that are used.
Modified
p. 32 → 37
The purpose of the usage(s).
The purpose of their usage(s).
Modified
p. 37 → 42
Section B16.1 If the answer to B16.1 in the PCI PTS POI Security Requirements was “YES,” describe:
Section B16 If the answer to B16 in the PCI PTS POI Security Requirements was “YES,” describe:
Removed
p. 38
Section B16.2 If the answer to A16.2 in the PCI PTS POI Security Requirements was “YES,” describe:
Modified
p. 38 → 42
Is the chosen key length appropriate for the algorithm and its protection purpose? Yes No 5 The key management, key distribution and other techniques defined and used for the cryptographic key(s) in question. Describe who/which entity possesses which key(s) and under what circumstances.
Is the chosen key length appropriate for the algorithm and its protection purpose? If “YES,” state why this is the case.
Modified
p. 39 → 44
Provide a list of these applications, and identify those with security impact.
Modified
p. 39 → 44
Describe how the separation between applications with security impact from those without security impacts is enforced.
Removed
p. 55
Section F: IP and Link Layer This table must be completed considering the IP and link layer in their entirety.
Modified
p. 55 → 65
The referenced and provided vendor security guidance for how each logical and physical interface must be securely used.
Removed
p. 56
Section G: IP Protocols This table must be completed considering the IP protocols in their entirety.
Removed
p. 57
Section H: Security Protocols Table H-1 below must be completed considering the Security protocols in their entirety.
Table H-1: Security Protocols in their Entirety 1 Reference and provide documentation that describes the security protocols that are available on the platform.
Table H-1: Security Protocols in their Entirety 1 Reference and provide documentation that describes the security protocols that are available on the platform.
Removed
p. 57
Reference and provide the security guidance that describes how the security protocols must be securely used.
Removed
p. 57
Comments: Table H-2 must be completed for each of the security protocols that might be used for financial applications or platform management.
Removed
p. 58
Protocol Name Reference 9 Reference and provide documentation describing the replay protection used by the security protocol, supporting the response to H9 in the PCI PTS POI Security Requirements.
Protocol Name Reference 10 Reference and provide documentation describing the random generator used by the security protocol, supporting the response to H10 in the PCI PTS POI Security Requirements.
Protocol Name Reference 10 Reference and provide documentation describing the random generator used by the security protocol, supporting the response to H10 in the PCI PTS POI Security Requirements.
Removed
p. 59
Section I: IP Services Table I-1 below must be completed considering the IP Services in their entirety.
Table I-1: IP Services in their Entirety 1 Reference and provide documentation that describes the IP services that are available on the platform.
Table I-1: IP Services in their Entirety 1 Reference and provide documentation that describes the IP services that are available on the platform.
Removed
p. 59
Reference and provide the security guidance that describes how the IP services must be securely used.
Removed
p. 59
Table I-2 must be completed for each of the IP Services that might be used for financial applications or platform management.
Table I-2: Specified IP Service 6 Reference and provide documentation describing how the IP Service ensures confidentiality, integrity, authentication and protection against replay by using an appropriate security protocol, supporting the response to I6 of the PCI PTS POI Security Requirements.
Table I-2: Specified IP Service 6 Reference and provide documentation describing how the IP Service ensures confidentiality, integrity, authentication and protection against replay by using an appropriate security protocol, supporting the response to I6 of the PCI PTS POI Security Requirements.
Modified
p. 65 → 78
Independent Security Mechanisms 1 The combinations of tamper detection and/or tamper evidence.
Removed
p. 73
Section K11 If the answer to K11 in the PCI PTS POI Security Requirements was “YES,” describe:
Removed
p. 79
Section K16 If the answer to K16 in the PCI PTS POI Security Requirements was “YES,” describe:
Modified
p. 80 → 93
Section K16.1 If the answer to K16.1 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K15.1 If the answer to K15.1 in the PCI PTS POI Security Requirements was “YES,” describe:
Modified
p. 81 → 94
Section K16.2 If the answer to K16.2 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K15.2 If the answer to K15.2 in the PCI PTS POI Security Requirements was “YES,” describe:
Modified
p. 82 → 95
Section K17 If the answer to K17 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K16 If the answer to K17 in the PCI PTS POI Security Requirements was “YES,” describe:
Modified
p. 82 → 95
Section K17.1 If the answer to K17.1 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K16.1 If the answer to K16.1 in the PCI PTS POI Security Requirements was “YES,” describe:
Modified
p. 82 → 95
Section K17.2 If the answer to K17.2 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K16.2 If the answer to K16.2 in the PCI PTS POI Security Requirements was “YES,” describe:
Modified
p. 83 → 96
Section K18 If the answer to K18 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K17 If the answer to K17 in the PCI PTS POI Security Requirements was “YES,” describe:
Modified
p. 83 → 96
Key size Associated cryptographic algorithm The data that may be encrypted under the key The number of instances or registers for that key type How the key is identified by the device so that it is used only as intended 7 Whether the device has the ability to erase cryptographic keys. Yes No 8 What keys may be erased?
Key size Associated cryptographic algorithm The data that may be encrypted under the key The number of instances or registers for that key type How the key is identified by the device so that it is used only as intended 7 Whether the device has the ability to erase cryptographic keys.
Removed
p. 84
Under what circumstances?
What is the reaction of the device if an authenticity test fails?
What is the reaction of the device if an authenticity test fails?
Modified
p. 84 → 97
Yes No N/A Is the random source tested in a suitable manner before key generation?
Yes No N/A Is the random source tested in a suitable manner before key generation?
Modified
p. 84 → 97
Is there a certificate hierarchy? Yes No How are certificates (signed public keys of the key-exchange partners) generated, i.e., who signs?
Is there a certificate hierarchy? Yes No How are certificates (signed public keys of the key-exchange partners) generated, i.e., who signs?
Modified
p. 84 → 97
Is there mutual device authentication? Yes No If certificates are used, how are they tested and accepted or rejected?
Is there mutual device authentication? Yes No If certificates are used, how are they tested and accepted or rejected?
Modified
p. 84 → 97
Is the correctness of the message structure tested by the receiver?
Is the correctness of the message structure tested by the receiver?
Modified
p. 84 → 97
Which effective key length(s) is/are utilized for all the cryptographic algorithm(s) in question?
The effective key length(s) utilized for all the cryptographic algorithm(s) in question.
Modified
p. 84 → 97
Is the chosen key length appropriate for the algorithm and its protection purpose? In case RSA is used, is the key length at least 2048 bit? Yes No
Whether the chosen key length is appropriate for the algorithm and its protection purpose.
Removed
p. 88
Whether the device supports multiple applications. Yes No If yes, provide a list of these applications, and identify those with security impact.
If yes, how is the separation between applications with security impact from those without security impact enforced? 2 For each security-relevant application, list by groups the data objects and their location.
If yes, how is the separation between applications with security impact from those without security impact enforced? 2 For each security-relevant application, list by groups the data objects and their location.
Removed
p. 90
Section K24 If the answer to K24 in the PCI PTS POI Security Requirements was “YES,” describe:
Modified
p. 90 → 102
Data inputs cannot be discerned by monitoring audible or electro-magnetic emissions.
Modified
p. 92 → 104
Section K25 If the answer to K25 in the PCI PTS POI Security Requirements was “YES,” describe:
Section K23 If the answer to K23 in the PCI PTS POI Security Requirements was “YES,” describe: