Document Comparison
PTS_HSM_Technical_FAQs_v3_August_2022.pdf
→
PCI_PTS_HSM_Technical_FAQs_v3_June%202025.pdf
95% similar
Pages: 26 → 26
Words: 12976 → 13151
Content changes: 6

Content Changes
6 content changes. 12 administrative changes (dates, page numbers) hidden.
Added
p. 13
Q 40 June 2025: Devices may support Post-Quantum Cryptography (PQC), also known as Quantum Resistant, in addition to classic cryptography. Specifically, cryptographic algorithms that are currently thought - e.g., as published by NIST - to be secure against a cryptanalytic attack by a quantum computer. Is there an option for this to be noted as part of the PCI approval?
A Yes. Where the lab validates the support of PQC algorithms in the API and/or processing of the device and includes that notation in the test report submitted to PCI, then it will be listed as Additional Information for the device. The details of the PQC must be stated in the security policy. The specifics for all cryptography and associated critical security parameters (CSPs) must be included in the relevant tables in the Security Policy. Encapsulation and signature algorithms must be implemented and be available through functional calls.
This notation in …
Modified
p. 1
Payment Card Industry (PCI) PTS HSM Security Requirements Technical FAQs for use with Version 3.0
Payment Card Industry (PCI) PTS HSM Security Requirements Technical FAQs for use with Version 3
Removed
p. 13
Q 41 September 2015: A device uses a key that is randomly generated internally in the secure processor to protect other keys. This key is stored in the clear and protected within a register in the same secure processor. The secure processor resides within a secure area PCI PTS HSM Evaluation FAQs
Modified
p. 13 → 14
Q 40 September 2015: In the event of tamper, the device must become immediately inoperable and result in the automatic and immediate erasure of any secret information that may be stored in the device, such that it becomes infeasible to recover the secret information. Guidance notes provide that secret or private keys do not need to be zeroized if either or both of the following conditions exist:
• If any of these keys are not zeroized, then other mechanisms must exist …
Q 41 September 2015: In the event of tamper, the device must become immediately inoperable and result in the automatic and immediate erasure of any secret information that may be stored in the device, such that it becomes infeasible to recover the secret information. Guidance notes provide that secret or private keys do not need to be zeroized if either or both of the following conditions exist:
• If any of these keys are not zeroized, then other mechanisms must exist …
Modified
p. 15
The laboratory shall determine the veracity of the material provided to determine the degree of reliance that may be placed upon the evidence, and where necessary, the laboratory shall extend the testing HSM Requirement B3
The laboratory shall determine the veracity of the material provided to determine the degree of reliance that may be placed upon the evidence, and where necessary, the laboratory shall extend the testing
Modified
p. 25 → 26
Q 3 May (update) 2018: Is the device allowed to share PCI relevant keys and passwords/authentication codes between PCI approved mode of operation and non-PCI approved mode of operation?
A No. The device must either enforce separation of all PCI relevant keys and passwords/authentication codes between the two modes or the device must zeroize all PCI relevant keys and passwords/authentication codes when switching between modes except as follows.
Q 3 May (update) 2018: Is the device allowed to share PCI relevant keys and passwords/authentication codes between PCI approved mode of operation and non-PCI approved mode of operation?
A No. The device must either enforce separation of all PCI relevant keys and passwords/authentication codes between the two modes or the device must zeroize all PCI relevant keys and passwords/authentication codes when switching between modes except as follows. If the device includes an internally generated hardware key, for example inside …