Document Comparison

PCI_PTS_POI_Technical_FAQ_v6_Dec_2025.pdf PCI_POI_Technical_FAQ_v6_May_2026.pdf
83% similar
43 → 45 Pages
19888 → 19871 Words
5 Content Changes

Content Changes

5 content changes. 35 administrative changes (dates, page numbers) hidden.

Added p. 35
May 2026: Are hybrid or post-quantum cryptographic key-transport mechanisms permitted for HSMs? A Yes. Hybrid and pure post-quantum cryptographic (PQC) key-transport mechanisms are permitted, provided that:

• Each individual cryptographic component (whether classical or PQC-based) independently meets or exceeds the minimum cryptographic strength as enumerated in the table below.

• Mutual authentication must be enforced.

• All key transport follows basic key management principles, including cryptographic binding of key usage attributes to the transported key (i.e., use of a compliant Key Block as defined in the applicable key block requirements, such as those based on ANSI X9.143, ISO 20038, or ASC X9 TR-34 principles).

• The key block must include, at minimum:

• Attributes defining the permitted operations for the key.

• Attributes defining the cryptographic algorithm and mode of use.

• Attributes defining exportability of the key.

• Use of key-length obfuscation padding for symmetric keys to the maximum length for the algorithm, 192 bits for TDEA …
Removed p. 13
October 2024: The model name, and if applicable, number must be visually and distinctly present on the device and not be part of a larger character string. The model name/number must be retrievable from the device by a query. Can a device have a model name/number imprinted (e.g., silk screened) on the device that is different than the model name and number as printed on a label elsewhere on the device? A No. However, it is permissible for the actual specific model name/number to contain a prefix followed by a hyphen and a short suffix to differentiate models that are within the same device family and which are part of the same approval number. For example, a device could be imprinted with ABCD100, but the actual model names co-listed on the approval listing and as shown on a label on each approved device are ABCD100-BT and ABCD100-W.

October 2024: POI v6 …
Removed p. 15
Do any other conditions apply? A The keys (secret or private) are never used to encrypt or decrypt other keys. Keys that can be used to download other keys to make the device operable must either be zeroized or rendered inoperable for use in downloading new keys. E.g., both symmetric KEKs used for key loading using symmetric techniques and private keys associated with key loading using asymmetric techniques. The device must enforce that tampered devices require withdrawal from use for inspection, key reloading, and re-commissioning. It is not sufficient to rely upon procedural controls for this.
Modified p. 15 → 13
December 2025: If a report for a new approval contains several device variations, what requirements must the devices meet? A When several device variations are submitted for approval in the same evaluation report - even if it is for a new approval listing - those devices must meet the same requirements that apply to delta evaluations. These delta requirements are specifically defined in the PTS Program Guide under hardware changes in Appendix B. The main criteria is that the differences between …
December 2025: If a report for a new approval contains several device variations, what requirements must the devices meet? A When several device variations are submitted for approval in the same evaluation report - even if it is for a new approval listing - those devices must meet the same requirements that apply to delta evaluations. These delta requirements are specifically defined in the PTS Program Guide under hardware changes in Appendix B. The main criteria is that the differences …
Modified p. 36 → 34
July 2023: Key blocks must prevent the determination of key length for variable length keys using random key length obfuscation padding. Does the POI need to check the length of the binary key data after receiving the key block and reject the block in the case of a padding error? A Yes. To prevent the determination of key length for variable length symmetric keys, the POI must check the length of the binary key data and reject the block whose …
May (update) 2026: Key blocks must prevent the determination of key length for variable length keys using random key length obfuscation padding. Does the POI need to check the length of the binary key data after receiving the key block and reject the block in the case of a padding error? A Yes. To prevent the determination of key length for variable length symmetric keys, the POI must check the length of the binary key data and reject the block …
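As an added example that is not part of the FAQ or of any PCI document, the Python below models two points from the excerpts above: the key block attributes the May 2026 HSM answer (p. 35) says must be bound to the key, and the receive-side length check in the July 2023 / May 2026 answer (p. 34) that rejects a block with an invalid key length or a padding error. The 16-byte header layout, field meanings and all sample values are simplified constructed assumptions modelled on TR-31 style key blocks, not the normative format.

```python
"""Key block attribute and key-length check (added example, not FAQ text).

Simplified TR-31 / ANSI X9.143-style 16-byte ASCII header plus the decrypted
confidential payload: 2-byte key length in bits, key, random padding up to the
algorithm maximum. Decryption and MAC verification are assumed to have passed;
the header layout and all sample values are constructed, not from the FAQ.
"""
import secrets

MAX_BITS = {"T": 192, "A": 256}  # maximum per algorithm; FAQ cites 192 for TDEA
ALLOWED_BITS = {"T": {128, 192}, "A": {128, 192, 256}}
SAMPLE_HEADER = b"D0096B0TX00E0000"  # constructed: TDEA, usage B0, mode X, exportable E

def parse_header(block: bytes) -> dict:
    """Extract the attributes the FAQ says a key block must bind to the key."""
    if len(block) < 16:
        raise ValueError("key block shorter than a header")
    h = block[:16].decode("ascii")
    return {
        "key_usage": h[5:7],     # permitted operations for the key
        "algorithm": h[7],       # 'T' TDEA, 'A' AES
        "mode_of_use": h[8],     # e.g. 'E' encrypt, 'D' decrypt, 'X' derive
        "exportability": h[11],  # 'E', 'N' or 'S'
    }

def check_key_payload(header: dict, payload: bytes) -> bytes:
    """Validate decrypted confidential data; return the key or raise."""
    alg = header["algorithm"]
    if alg not in MAX_BITS:
        raise ValueError(f"unsupported algorithm {alg!r}")
    expected = 2 + MAX_BITS[alg] // 8  # length field + key padded to maximum
    if len(payload) != expected:
        raise ValueError("padding error: payload not padded to maximum length")
    bits = int.from_bytes(payload[:2], "big")
    if bits not in ALLOWED_BITS[alg]:
        raise ValueError(f"invalid key length {bits} bits for {alg!r}")
    return payload[2:2 + bits // 8]

def accepts(block: bytes, payload: bytes) -> bool:
    """True only if the POI should accept this block; False means reject it."""
    try:
        check_key_payload(parse_header(block), payload)
        return True
    except ValueError:
        return False

def build_payload(alg: str, key: bytes) -> bytes:
    """Constructed sender side: length field, key, random padding to the maximum."""
    pad = MAX_BITS[alg] // 8 - len(key)
    return (len(key) * 8).to_bytes(2, "big") + key + secrets.token_bytes(pad)
```

Because every TDEA payload is padded to 192 bits, a 128-bit and a 192-bit key produce the same ciphertext length, which is the obfuscation the FAQ requires; the check rejects any block whose payload length or declared key length breaks that invariant.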