Document Comparison

PCI_PTS_POI_SRs_v6.pdf PCI_PTS_POI_SRs_v6-1.pdf
92% similar
55 → 55 Pages
16023 → 16349 Words
92 Content Changes

Content Changes

92 content changes. 67 administrative changes (dates, page numbers) hidden.

Added p. 1
Payment Card Industry (PCI) PIN Transaction Security (PTS) Point of Interaction (POI) Modular Security Requirements Version 6.1
Added p. 7
Publication Title Reference Public-key Cryptography for the Financial Service Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography ANSI X9.42 Key Establishment Using Integer Factorization Cryptography ANSI X9.44 Public Key Cryptography for the Financial Services Industry: Key Agreement and Key Transport Using Elliptic Curve Cryptography ANSI X9.63 Symmetric Key Cryptography for the Financial Services Industry− Wrapping of Keys and Associated Data ANSI X9.102 Retail Financial Services

• Requirements for Protection of Sensitive Payment Card Data Part 1: Using Encryption Methods ANSI X9.119-1 Retail Financial Services

• Key Management, Part 2: Mechanisms Using Symmetric Key Management Techniques ISO 11770-2 Information Technology
Added p. 8
• Part 1: General ISO/IEC 18033-1 Information technology − Security techniques − Encryption algorithms − Part 3: Block ciphers ISO/IEC 18033-3 Information Technology

• Encryption algorithms
Added p. 28
Note: If Bluetooth is used, D14 may alternatively be used.

Note: If Wi-Fi is used, D14 may alternatively be used.

D14 Wireless communication interfaces which do not have specific security requirements, or have not met those requirements as listed, must be physically or cryptographically isolated.

Note: Where the security requirements in D12 and/or D13 for Bluetooth or Wi-Fi are not met, D14 must be met.
Added p. 38
1. In order to receive the “Open Protocols” designation devices must meet all applicable requirements in the Implements Open Protocols column.

2. In order to receive the “SRED” designation devices must meet all applicable requirements in the Protects Account Data column.
Added p. 45
Clear text The intelligible form of an encrypted text or of its elements.

Clear-text Key An unencrypted cryptographic key used in its current form.

Independent Expert An Independent Expert possesses all the following qualifications:
Added p. 50
Monitor Token A cryptographically signed value provided by the monitoring system to the SCRP and cryptographically authenticated by the SCRP to enable its operation for a period not to exceed ten minutes. The value and its usage must have properties—e.g., time/date stamps—that ensure the prevention of replay, pre-calculation, or other attacks to allow improper continued operation or re-enablement of the SCRP.

Participating Payment Brand A payment card brand that, as of the time in question, is formally admitted as (or an affiliate of) a member of PCI SSC pursuant to its governing documents. At the time of this publication, Participating Payment Brands include PCI SSC’s Founding Members and Strategic Members.
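The Monitor Token definition added on p. 50 lists the properties the token must have (bound to one SCRP, time-limited to ten minutes, and resistant to replay and pre-calculation) without prescribing a format. The following is an added example, not code from the PCI document or from any vendor, of a verifier that enforces each of those properties. It assumes a shared 32-byte key and HMAC-SHA256 in place of the digital signature a real monitoring system would use, a 30-second clock-skew allowance, and the JSON token layout shown; none of these come from the standard.

```python
import hashlib
import hmac
import json
import secrets
import time

# Assumptions, not taken from the PCI text: the monitoring system and the SCRP
# share a 32-byte key and the token is authenticated with HMAC-SHA256. A real
# deployment would use a digital signature verified with a key provisioned in
# the SCRP; the freshness, binding and replay checks below are unchanged.
MAX_ENABLE_SECONDS = 10 * 60   # PCI: operation "for a period not to exceed ten minutes"
CLOCK_SKEW_SECONDS = 30        # tolerated clock difference between the two sides (assumption)


def issue_token(key: bytes, scrp_id: str, valid_for: int, now: float) -> bytes:
    """Monitoring-system side. The token names one SCRP, carries its own issue
    time and validity, and a fresh nonce so that no two tokens are identical."""
    body = {
        "scrp_id": scrp_id,
        "issued_at": int(now),
        "valid_for": int(valid_for),
        "nonce": secrets.token_hex(16),
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag


class ScrpTokenVerifier:
    """SCRP side. A token enables operation only if it authenticates, is meant for
    this device, is neither future-dated nor expired, asks for at most ten minutes,
    and has never been accepted before."""

    def __init__(self, key: bytes, scrp_id: str):
        self._key = key
        self._scrp_id = scrp_id
        self._seen = {}            # nonce -> time after which it can be forgotten
        self.enabled_until = 0.0

    def is_enabled(self, now: float) -> bool:
        return now < self.enabled_until

    def accept(self, token: bytes, now: float) -> bool:
        # 1. Authenticate before parsing: only MAC-verified bytes reach json.loads.
        try:
            payload, tag = token.rsplit(b".", 1)
        except ValueError:
            return False
        expected = hmac.new(self._key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return False
        body = json.loads(payload)

        # 2. Binding: a token issued for another SCRP must not enable this one.
        if body.get("scrp_id") != self._scrp_id:
            return False

        # 3. Validity window: at most ten minutes, not future-dated (pre-calculation),
        #    not already expired.
        issued_at, valid_for = body["issued_at"], body["valid_for"]
        if not 0 < valid_for <= MAX_ENABLE_SECONDS:
            return False
        if issued_at > now + CLOCK_SKEW_SECONDS:
            return False
        expires_at = issued_at + valid_for
        if expires_at <= now:
            return False

        # 4. Replay: remember every accepted nonce until it could no longer be valid.
        self._seen = {n: t for n, t in self._seen.items() if t > now}
        nonce = body["nonce"]
        if nonce in self._seen:
            return False
        self._seen[nonce] = expires_at + CLOCK_SKEW_SECONDS

        self.enabled_until = expires_at
        return True


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    scrp = ScrpTokenVerifier(key, "SCRP-01")
    tok = issue_token(key, "SCRP-01", 300, time.time())
    print("first use:", scrp.accept(tok, time.time()))    # True
    print("replay:   ", scrp.accept(tok, time.time()))    # False
```

The order of checks matters: the MAC is verified before the body is parsed, so an attacker who can reach the SCRP over the monitoring channel only ever gets authenticated data into the JSON parser. The replay cache is pruned by expiry rather than growing without bound, and a token is never accepted for longer than the ten-minute ceiling even if the issuer asks for more.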
Modified p. 2
June 2020 6.0 Public Release Note to Assessors When protecting this document for use as a form, leave Section 7 (Device Photos) unprotected to allow for insertion of a device-or component photos. Under “Tools / Protect Document,” select “Forms” then “Sections,” and un-check Section 5 as illustrated below.
March 2022 6.1 Added requirement for unauthenticated wireless communications. Note to Assessors When protecting this document for use as a form, leave Section 5 (Device Photos) unprotected to allow for insertion of a device or component photos. Under “Tools / Protect Document,” select “Forms” then “Sections,” and un-check Section 5 as illustrated below.
Modified p. 4
• Non-PIN acceptance POI devices evaluated for account data protection
• Non-PIN acceptance POI devices evaluated for account data protection.
Modified p. 4
• Secure components for POS terminals: These products also require integration into a final solution to provide PIN transactions. Examples are OEM PIN entry devices and secure (encrypting) card readers (SCRs) and secure card readers
• Secure components for POS terminals: These products also require integration into a final solution to provide PIN transactions. Examples are OEM PIN entry devices, secure (encrypting) card readers (SCRs), and secure card readers
Modified p. 6
This document is only concerned with the life cycle for POI devices up to the point of initial key loading for payment transaction keys (keys used by the acquiring organization) or at the facility of initial deployment. Subsequent to receipt of the device at the initial key-loading facility or at the facility of initial deployment, the responsibility for the device falls to the acquiring financial institution and its agents (e.g., merchants and processors), and is covered by the operating rules …
This document is only concerned with the life cycle for POI devices up to the point of initial key loading for payment transaction keys (keys used by the acquiring organization) or at the facility of initial deployment. Subsequent to receipt of the device at the initial key-loading facility or at the facility of initial deployment, the responsibility for the device falls to the acquiring financial institution and its agents—e.g., merchants and processors—and is covered by the operating rules of the …
Modified p. 6
Modular approvals, where a PIN entry device may be approved taking in consideration previously approved components.
In modular approvals, where a PIN entry device may be approved taking in consideration previously approved components.
Modified p. 6
Offering evaluation modules (modular evaluation packages) that potentially optimize evaluation costs and time when laboratories are reviewing non-conventional architectures, conduct modular approvals or maintain existing approvals (changes in security components, etc.).
In offering evaluation modules (modular evaluation packages) that potentially optimize both evaluation costs and time when laboratories review non-conventional architectures, conduct modular approvals, or maintain existing approvals (changes in security components, etc.).
Removed p. 7
Publication Title Reference Retail Financial Services

• Requirements for Protection of Sensitive Payment Card Data Part 1: Using Encryption Methods Retail Financial Services

• Message Authentication Codes (MACs)

• Part 1: Mechanisms using a block cipher ISO 9797-1 Banking

• Key Management (Retail) ISO 11568 Banking

• Secure Cryptographic Devices (Retail) ISO 13491 Financial services -- Requirements for message authentication using symmetric techniques Information Technology

• Part 1: General ISO/IEC 18033-1 Information technology -- Security techniques -- Encryption algorithms -- Part 3: Block ciphers ISO/IEC 18033-3 Information Technology
Modified p. 7
• Security techniques
• Security Techniques
Removed p. 9
A See “Optional Use of Variables in the Identifier,” following page.
Modified p. 9
Dedicated for PIN entry only Stand-alone POS terminal UPT (Vending, AFD, Kiosk) Other Encrypting PIN pad (for ATM, Vending, AFD or Kiosk) Secure (encrypting) card reader Secure (encrypting) card reader PIN Non-PED POI device Other secure component for PIN entry device Manufacturer*: Marketing Model Name/Number*:
Dedicated for PIN entry only Stand-alone POS terminal UPT (Vending, AFD, Kiosk) Other Encrypting PIN pad (for ATM, Vending, AFD, or Kiosk) Secure (encrypting) card reader Secure (encrypting) card reader PIN Non-PED POI device Other secure component for PIN entry device Manufacturer*: Marketing Model Name/Number*:
Modified p. 9
Hardware Version Number*A: Use of “x” represents a request for field to be a variable 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 Additional versions:
Hardware Version Number*A: Use of “x” represents a request for field to be a variable.
Modified p. 9
Firmware/Software Version Number*: Use of “x” represents a request for field to be a variable 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 Additional versions:
Firmware/Software Version Number*: Use of “x” represents a request for field to be a variable.
Modified p. 9
* Fields marked with an asterisk (*) will be used in the PCI SSC Approved PIN Transaction Security Devices Approval List.
* Fields marked with an asterisk (*) will be used in the PCI SSC Approved PIN Transaction Security Devices Approval List. A See “Optional Use of Variables in the Identifier,” page 8.
Modified p. 11
Note: The firmware version number may also be subject to the use of variables in a manner consistent with hardware version numbers. See the PCI PTS POI Testing and Approval Program Guide for more information.
Note: The firmware version number may also be subject to the use of variables in a manner consistent with hardware version numbers. See the PCI PTS Testing and Approval Program Guide for more information.
Modified p. 15
Evaluation Module Requirements Set Remarks 1: Physical and Logical Requirements Physical and Logical Security The logical and physical requirements of POI devices 2: POS Terminal Integration POS Terminal Integration The PCI PTS POI approval framework is oriented to the evaluation of integrated PIN entry devices (i.e., device where PIN entry functionality is in a secure logical and physical perimeter).
Evaluation Module Requirements Set Remarks 1: Physical and Logical Requirements Physical and Logical Security The logical and physical requirements of POI devices 2: POS Terminal Integration POS Terminal Integration The PCI PTS POI approval framework is oriented to the evaluation of integrated PIN entry devices—i.e., device where PIN entry functionality is in a secure logical and physical perimeter.
Modified p. 16
Note: In the following requirements, the device under evaluation is referred to as the “device.” Number Description of Requirement Yes No N/A A1 The device uses tamper-detection and response mechanisms that cause it to become immediately inoperable and result in the automatic and immediate erasure of any sensitive data that may be stored in the device, such that it becomes infeasible to recover the sensitive data. These mechanisms protect against physical penetration of the device by means of (but not …
Note: In the following requirements, the device under evaluation is referred to as the “device.” Number Description of Requirement Yes No N/A A1 The device uses tamper-detection and response mechanisms that cause it to become immediately inoperable and results in the automatic and immediate erasure of any sensitive data that may be stored in the device, such that it becomes infeasible to recover the sensitive data. These mechanisms protect against physical penetration of the device by means of (but not …
Modified p. 16
Keypads used for PIN entry require an attack potential of at least 26 per device for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader, as defined in Appendix B.
Keypads used for PIN entry require an attack potential of at least 26 per device for identification and initial exploitation, with a minimum of 13 for initial exploitation, exclusive of the IC card reader, as defined in Appendix B.
Modified p. 16
Keypads used for manual PAN entry, but not PIN entry—e.g., a non-PED—require an attack potential of at least 16 per device for identification, with a minimum of 8 points for exploitation.B A3 The security of the device is not compromised by altering:
Keypads used for manual PAN entry, but not PIN entry—e.g., a non-PED—require an attack potential of at least 16 per device for identification, with a minimum of 8 points for initial exploitation.B A3 The security of the device is not compromised by altering:
Modified p. 16
• Operational conditions (An example includes subjecting the device to temperatures or operating voltages outside the stated operating ranges.) A4 Sensitive functions or data are only used in the protected area(s) of the device. Sensitive data and functions dealing with sensitive data are protected from unauthorized modification without requiring an attack potential of at least 26 for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader, for identification and initial exploitation.B B …
• Operational conditions (An example includes subjecting the device to temperatures or operating voltages outside the stated operating ranges.) A4 Sensitive functions or data are only used in the protected area(s) of the device. Sensitive data and functions dealing with sensitive data are protected from unauthorized modification without requiring an attack potential of at least 26 for identification and initial exploitation, with a minimum of 13 for initial exploitation, exclusive of the IC card reader, for identification and initial exploitation.B …
Modified p. 17
A8 The unauthorized alteration of prompts for non-PIN data entry into the PIN entry key pad such that PINs are compromised, i.e., by prompting for the PIN entry when the output is not encrypted, cannot occur without requiring an attack potential of at least 18 per device for identification and initial exploitation with a minimum of 9 for exploitation.C A9 The device provides a means to deter the visual observation of PIN values as they are being entered by the …
A8 The unauthorized alteration of prompts for non-PIN data entry into the PIN entry key pad such that PINs are compromised—i.e., by prompting for the PIN entry when the output is not encrypted—cannot occur without requiring an attack potential of at least 18 per device for identification and initial exploitation with a minimum of 9 for initial exploitation.C A9 The device provides a means to deter the visual observation of PIN values as they are being entered by the cardholder.
Modified p. 18
A13 It is neither feasible to penetrate the ICC reader to make any additions, substitutions, or modifications to either the ICC reader’s hardware or software, in order to determine or modify any sensitive data, without requiring an attack potential of at least 20 for identification and initial exploitation, with a minimum of 10 for exploitation,D nor is it possible for both an IC card and any other foreign object to reside within the card- insertion slot.
A13 It is neither feasible to penetrate the ICC reader to make any additions, substitutions, or modifications to either the ICC reader’s hardware or software, in order to determine or modify any sensitive data, without requiring an attack potential of at least 20 for identification and initial exploitation, with a minimum of 10 for initial exploitation,D nor is it possible for both an IC card and any other foreign object to reside within the card-insertion slot.
Modified p. 18
SCRPs shall require an attack potential of at least 26 for identification and initial exploitation, with a minimum of 13 for exploitation.D A14 The opening for the insertion of the IC card is in full view of the cardholder during card insertion so that any untoward obstructions or suspicious objects at the opening are detectable.
SCRPs shall require an attack potential of at least 26 for identification and initial exploitation, with a minimum of 13 for initial exploitation.D A14 The opening for the insertion of the IC card is in full view of the cardholder during card insertion so that any untoward obstructions or suspicious objects at the opening are detectable.
Modified p. 19
• Software is only signed using a secure cryptographic device (e.g., smartcard) provided by the terminal vendor.
• Software is only signed using a secure cryptographic device—e.g., smartcard—provided by the terminal vendor.
Modified p. 19
B3 The device never displays the entered PIN digits. Any array related to PIN entry displays only non-significant symbols, e.g., asterisks. If PIN entry is accompanied by audible tones, the tone for each entered PIN digit is indistinguishable from the tone for any other entered PIN digit.
B3 The device never displays the entered PIN digits. Any array related to PIN entry displays only non-significant symbols—e.g., asterisks. If PIN entry is accompanied by audible tones, the tone for each entered PIN digit is indistinguishable from the tone for any other entered PIN digit.
Modified p. 19
B4 Sensitive data shall not be retained any longer, or used more often, than strictly necessary. Online PINs are encrypted within the device immediately after PIN entry is complete and has been signified as such by the cardholder, e.g., via pressing the enter button.
B4 Sensitive data shall not be retained any longer, or used more often, than strictly necessary. Online PINs are encrypted within the device immediately after PIN entry is complete and has been signified as such by the cardholder—e.g., via pressing the enter button.
Modified p. 20
B6 To minimize the risks from unauthorized use of sensitive services, limits on the number of actions that can be performed, and a time limit imposed, after which the device is forced to return to its normal mode.
B6 To minimize the risks from unauthorized use of sensitive services, limits on the number of actions that can be performed and a time limit shall be imposed, after which the device is forced to return to its normal mode.
Modified p. 20
B10 All account data shall be encrypted using only ANSI X9 or ISO-approved encryption algorithms (e.g., AES, TDES) and should use ANSI X9 or ISO-approved modes of operation.
B10 All account data shall be encrypted using only ANSI X9 or ISO-approved encryption algorithms—e.g., AES, TDES—and should use ANSI X9 or ISO-approved modes of operation.
Modified p. 20
The device must enforce that PIN encryption, account data encryption, data-encryption keys and key-encipherment keys have different values.
The device must enforce that PIN encryption, account data encryption, data-encryption keys, and key-encipherment keys have different values.
Modified p. 21
B15 All prompts for non-PIN data entry are under the control of the cryptographic unit of the device. If the prompts are stored inside the cryptographic unit, they cannot feasibly be altered without causing the erasure of the unit’s cryptographic keys. If the prompts are stored outside the cryptographic unit, cryptographic mechanisms must exist to ensure the authenticity and the proper use of the prompts and that modification of the prompts or improper use of the prompts is prevented.
B15 All prompts for non-PIN data entry are under the control of the cryptographic unit of the device. If the prompts are stored inside the cryptographic unit, they cannot feasibly be altered without causing the erasure of the unit’s cryptographic keys. If the prompts are stored outside the cryptographic unit, cryptographic mechanisms must exist to ensure the authenticity and the proper use of the prompts, and that modification of the prompts or improper use of the prompts is prevented.
Modified p. 21
B16 If the device supports multiple applications, it must enforce the separation between applications. It must not be possible that one application interferes with or tampers with another application or the OS of the device including, but not limited to, modifying data objects belonging to another application or the OS.
B16 If the device supports multiple applications, it must enforce the separation between applications. It must not be possible that one application interferes with or tampers with another application or the OS of the device including, but not limited to, modifying data objects belonging to either another application or the OS.
Modified p. 21
• That it is not possible for applications to be influenced by logical anomalies which could result in clear-text data being outputted whilst the terminal is in encrypting mode.

• That account data is not retained any longer, or used more often, than strictly necessary.
• That it is not possible for applications to be influenced by logical anomalies which could result in clear-text data being outputted while the terminal is in encrypting mode.

• That account data is not retained any longer, or used more often, than strictly necessary. • That SRED functions, where provided, are correctly implemented.
Modified p. 22
• A plaintext PIN, the PIN block shall be enciphered from the device encrypting the PIN to the ICC reader (the ICC reader will then decipher the PIN for transmission in plaintext to the IC card) in accordance with ISO 9564.
• A clear-text PIN, the PIN block shall be enciphered from the device encrypting the PIN to the ICC reader (the ICC reader will then decipher the PIN for transmission in clear text to the IC card) in accordance with ISO 9564.
Modified p. 22
• A plaintext PIN, then encipherment is not required if the PIN block is transmitted wholly through a protected environment (as defined in ISO 9564). If the plaintext PIN is transmitted to the ICC reader through an unprotected environment, the PIN block shall be enciphered in accordance with ISO 9564.
• A clear-text PIN, then encipherment is not required if the PIN block is transmitted wholly through a protected environment (as defined in ISO 9564). If the clear-text PIN is transmitted to the ICC reader through an unprotected environment, the PIN block shall be enciphered in accordance with ISO 9564.
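The two bullets above require the clear-text PIN block to be enciphered on its way to the ICC reader unless the path is a protected environment as defined in ISO 9564. The block itself is an ISO 9564-1 PIN block; the following is an added example, not code from the PCI document or any vendor, that builds and parses the Format 0 block so the structure being protected is concrete. The PAN and PIN values are constructed test inputs, not taken from the standard.

```python
# ISO 9564-1 Format 0 PIN block: a 16-nibble PIN field XORed with a 16-nibble
# PAN field. The XOR binds the block to the PAN so equal PINs on different
# cards produce different blocks; it provides no secrecy, which is why the
# requirements above insist on encipherment outside a protected environment.


def _pan_field(pan: str) -> bytes:
    """PAN field: 0000 followed by the rightmost 12 digits of the PAN excluding
    the check digit (the last digit)."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 decimal digits")
    return bytes.fromhex("0000" + pan[:-1][-12:])


def format0_pin_block(pin: str, pan: str) -> bytes:
    """PIN field: control nibble 0, PIN length nibble, the PIN digits, F padding."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 decimal digits")
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    return bytes(a ^ b for a, b in zip(pin_field, _pan_field(pan)))


def recover_pin(block: bytes, pan: str) -> str:
    """Inverse operation, as the ICC reader would perform it after deciphering.
    Every structural check is applied so that a block built for another PAN,
    or corrupted in transit, is rejected rather than yielding a wrong PIN."""
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    field = bytes(a ^ b for a, b in zip(block, _pan_field(pan))).hex().upper()
    if field[0] != "0":
        raise ValueError("not an ISO 9564-1 Format 0 block")
    length = int(field[1], 16)
    if not 4 <= length <= 12:
        raise ValueError("invalid PIN length nibble")
    pin, pad = field[2:2 + length], field[2 + length:]
    if not pin.isdigit() or pad != "F" * len(pad):
        raise ValueError("PIN block does not correspond to this PAN")
    return pin


def block_belongs_to_pan(block: bytes, pan: str) -> bool:
    """Convenience wrapper: True only when the block parses cleanly under this PAN."""
    try:
        recover_pin(block, pan)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values, not from the PCI document.
    pan, pin = "4000001234567899", "1234"
    block = format0_pin_block(pin, pan)
    print(block.hex().upper())                 # 041234FEDCBA9876
    print(recover_pin(block, pan))             # 1234
    print(block_belongs_to_pan(block, "5555555555554444"))   # False
```

The clear-text block is what B4 says must be enciphered immediately after entry; the XOR with the PAN is a formatting step, not protection, and a block intercepted on an unprotected path to the ICC reader reveals the PIN to anyone who also knows the PAN (which is on the same card).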
Modified p. 23
• Disclosure of the salt cannot occur without requiring an attack potential of at least 16 per device for identification and initial exploitation with a minimum of 8 for exploitation, as defined in Appendix B.
• Disclosure of the salt cannot occur without requiring an attack potential of at least 16 per device for identification and initial exploitation with a minimum of 8 for initial exploitation, as defined in Appendix B.
Modified p. 24
An overlay attack must require an attack potential of at least 18 for identification and initial exploitation, with a minimum of 9 for exploitationE.
An overlay attack must require an attack potential of at least 18 for identification and initial exploitation, with a minimum of 9 for initial exploitationE.
Modified p. 24
C2.2 The PIN entry POI terminal is equipped with mechanisms to prevent attacks aiming at retaining and stealing the payment card (e.g., Lebanese Loop attack).
C2.2 The PIN entry POI terminal is equipped with mechanisms to prevent attacks aiming at retaining and stealing the payment card—e.g., Lebanese Loop attack.
Modified p. 25
C2.4 The POI (application) must enforce the correspondence between the display messages visible to the cardholder and the operating state (i.e., secure or non-secure mode) of the PIN entry device, e.g., by using cryptographic authentication.
C2.4 The POI (application) must enforce the correspondence between the display messages visible to the cardholder and the operating state—i.e., secure or non-secure mode—of the PIN entry device—e.g., by using cryptographic authentication.
Modified p. 25
If commands impacting the correspondence between the display messages and the operating state of the PIN entry device are received from an external device (e.g., a store controller), the commands enabling data entry must be authenticated.
If commands impacting the correspondence between the display messages and the operating state of the PIN entry device are received from an external device—e.g., a store controller—the commands enabling data entry must be authenticated.
Modified p. 25
The alteration of the correspondence between the display messages visible to the cardholder and the operating state of the PIN entry device cannot occur without requiring an attack potential of at least 18 per POI for identification and initial exploitation with a minimum of 9 for exploitationF.
The alteration of the correspondence between the display messages visible to the cardholder and the operating state of the PIN entry device cannot occur without requiring an attack potential of at least 18 per POI for identification and initial exploitation with a minimum of 9 for initial exploitationF.
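B15 (p. 21) requires prompts stored outside the cryptographic unit to be cryptographically authenticated and their proper use enforced, A8 (p. 17) forbids a non-PIN prompt being turned into a PIN prompt while output is unencrypted, and C2.4 above requires display messages to correspond to the secure/non-secure state, with entry-enabling commands from an external device authenticated. The following is an added example, not code from the PCI document or any vendor, of one design that satisfies all three with a single rule: every prompt carries the entry mode it may be shown in, that binding is MAC-protected, and the display path refuses any prompt whose mode disagrees with the device's current state. It assumes two HMAC-SHA256 keys held in the cryptographic unit, a counter-based command format, and the prompt texts shown; none of these are from the standard.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Assumptions, not taken from the PCI text: the cryptographic unit holds one key
# that authenticates the externally stored prompt table and one key shared with
# the external controller that may enable data entry. Both use HMAC-SHA256 here;
# the mechanism is unchanged with digital signatures.


class EntryMode(Enum):
    CLEAR = "clear"   # non-PIN data entry; keypad output may leave the unit in clear text
    PIN = "pin"       # PIN entry; keypad output is enciphered inside the unit


@dataclass(frozen=True)
class Prompt:
    prompt_id: str
    text: str
    mode: EntryMode   # the only entry mode in which this text may be shown
    tag: bytes        # MAC over (id, text, mode), produced when the table was provisioned


def _prompt_mac(key: bytes, prompt_id: str, text: str, mode: EntryMode) -> bytes:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    fields = (prompt_id.encode(), text.encode(), mode.value.encode())
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


def provision_prompt(prompt_key: bytes, prompt_id: str, text: str, mode: EntryMode) -> Prompt:
    """Run inside the cryptographic unit when the prompt table is loaded (B15)."""
    return Prompt(prompt_id, text, mode, _prompt_mac(prompt_key, prompt_id, text, mode))


def sign_entry_command(command_key: bytes, mode: EntryMode, counter: int) -> bytes:
    """External controller side: authenticate a request to change the entry state (C2.4)."""
    msg = mode.value.encode() + counter.to_bytes(8, "big")
    return hmac.new(command_key, msg, hashlib.sha256).digest()


class PromptController:
    """The part of the cryptographic unit that decides what may appear on the display."""

    def __init__(self, prompt_key: bytes, command_key: bytes):
        self._prompt_key = prompt_key
        self._command_key = command_key
        self._last_counter = -1
        self.mode = EntryMode.CLEAR

    def apply_entry_command(self, mode: EntryMode, counter: int, tag: bytes) -> bool:
        """A state-changing command from an external device is accepted only if it
        authenticates; the strictly increasing counter rejects replays of an old one."""
        expected = sign_entry_command(self._command_key, mode, counter)
        if not hmac.compare_digest(tag, expected) or counter <= self._last_counter:
            return False
        self._last_counter = counter
        self.mode = mode
        return True

    def display(self, prompt: Prompt) -> Optional[str]:
        """Return the text to show, or None if it must not be shown in the current state."""
        expected = _prompt_mac(self._prompt_key, prompt.prompt_id, prompt.text, prompt.mode)
        if not hmac.compare_digest(prompt.tag, expected):
            return None      # B15: prompt text or mode was altered in external storage
        if prompt.mode is not self.mode:
            return None      # A8/C2.4: "Enter PIN" never appears while output is clear, and a
                             # clear-data prompt is never shown while the keypad is in PIN mode
        return prompt.text


if __name__ == "__main__":
    pk, ck = bytes(range(32)), bytes(range(32, 64))     # constructed demo keys
    pc = PromptController(pk, ck)
    pin_prompt = provision_prompt(pk, "P02", "Enter PIN", EntryMode.PIN)
    print(pc.display(pin_prompt))                        # None: still in clear mode
    pc.apply_entry_command(EntryMode.PIN, 1, sign_entry_command(ck, EntryMode.PIN, 1))
    print(pc.display(pin_prompt))                        # Enter PIN
```

The point of MACing the mode together with the text is that an attacker with write access to the external prompt store gains nothing from editing either field: changing "Enter ZIP code" to "Enter PIN" breaks the MAC, and re-tagging a genuine PIN prompt as a clear-mode prompt breaks it too. The mode switch itself is only reachable through an authenticated, replay-protected command, which is the C2.4 condition on store-controller traffic.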
Modified p. 25
C2.5 The PIN-accepting POI terminal must be equipped with only one payment card PIN-acceptance interface, e.g., a keyboard. If another interface is present which can be used as a keyboard, a mechanism must exist to prevent its use for PIN entry—e.g., it must not have numeric keys, or it is not possible to use it otherwise for numeric entry, or it is controlled in a manner consistent with B15.
C2.5 The PIN-accepting POI terminal must be equipped with only one payment card PIN-acceptance interface—e.g., a keyboard. If another interface is present which can be used as a keyboard, a mechanism must exist to prevent its use for PIN entry—e.g., it must not have numeric keys, or it is not possible to use it otherwise for numeric entry, or it is controlled in a manner consistent with B15.
Modified p. 26
a) The key-management guidance is at the disposal of internal users and/or of application developers, system integrators, and end-users of the device.
a) The key-management guidance is at the disposal of internal users and/or application developers, system integrators, and end-users of the device.
Modified p. 26
d) Key-management security guidance ensures secure use of keys and certificates, including certificate status (e.g., revoked), secure download, and roll-over of keys.
d) Key-management security guidance ensures secure use of keys and certificates, including certificate status—e.g., revoked—secure download, and roll-over of keys.
Modified p. 27
c) Examples of appropriate algorithms and minimum key sizes are stated in Appendix D of the PCI PTS POI DTRs.
c) Examples of appropriate algorithms and minimum key sizes are stated in Appendix E of the PCI PTS POI DTRs.
Modified p. 28
b) The device sets time limits for sessions and ensures that sessions are not left open for longer than necessary.
b) The device sets time limits for sessions and ensures that sessions are not left open longer than necessary.
Modified p. 29
Note: In the following requirements, the device under evaluation is referred to as the “device.” The device manufacturer, subject to PCI payment brand site inspections, confirms the following. The PCI test laboratories will validate this information via documentation reviews, and by means of evidence that procedures are properly implemented and used. This information shall be included in the evaluation report to PCI.
Note: In the following requirements, the device under evaluation is referred to as the “device.” The device manufacturer, subject to Participating Payment Brand site inspections, confirms the following. The PCI test laboratories will validate this information via documentation reviews, and by means of evidence that procedures are properly implemented and used. This information shall be included in the evaluation report to PCI.
Modified p. 29
E2 The firmware and any changes thereafter have been inspected and reviewed using a documented and auditable process, and certified as being free from hidden and unauthorized or undocumented functions.
E2 The firmware and any changes thereafter have been inspected and reviewed using a documented and auditable process and certified as being free from hidden and unauthorized or undocumented functions.
Modified p. 29
E5 Production software (e.g., firmware) that is loaded to devices at the time of manufacture is transported, stored, and used under the principle of dual control, preventing unauthorized modifications and/or substitutions.
E5 Production software—e.g., firmware—that is loaded to devices at the time of manufacture is transported, stored, and used under the principle of dual control, preventing unauthorized modifications and/or substitutions.
Modified p. 32
Note: In the following requirements, the device under evaluation is referred to as the “device.” The device manufacturer, subject to PCI payment brand site inspections, confirms the following. The PCI test laboratories will validate this information via documentation reviews and by means of evidence that procedures are properly implemented and used and this information shall be included in the evaluation report to PCI.
Note: In the following requirements, the device under evaluation is referred to as the “device.” The device manufacturer, subject to Participating Payment Brand site inspections, confirms the following. The PCI test laboratories will validate this information via documentation reviews and by means of evidence that procedures are properly implemented and used and that this information shall be included in the evaluation report to PCI.
Modified p. 33
F8 The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:
F8 The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, for example:
Modified p. 35
In full compliance with the standards set forth above in the Manufacturer Self-Assessment Form.
In full compliance with the standards set forth above in this document.
Modified p. 35
Not in full compliance with the standards set forth above in the Manufacturer Self-Assessment Form as indicated in the attached Exception Form (Form C).
Not in full compliance with the standards set forth above in this document as indicated in the attached Exception Form (Form C).
Modified p. 37
Feedback to cardholder Each time a device under evaluation implements any way of possibly giving feedback to the cardholder during its PIN-based transaction, it applies to this functionality. This includes but is not limited to auditory and visible feedback (i.e., displays).
Feedback to cardholder Each time a device under evaluation implements any way of possibly giving feedback to the cardholder during its PIN-based transaction, it applies to this functionality. This includes but is not limited to auditory and visible feedback—i.e., displays.
Modified p. 37
Terminal is a module If the device under evaluation is designed to be integrated into equipment, then it applies for “terminal is a module” functionality. Modules are also referred to as OEM equipment.
Device is a module If the device under evaluation is designed to be integrated into equipment, it applies for “terminal is a module” functionality. Modules are also referred to as OEM equipment.
Modified p. 37
Terminal is compound A device under evaluation is said to be compound whenever it incorporates one or more modules, in order to cover one or several of the aforementioned functionalities. Being a compound device does not preclude the applicability of “terminal is a module” functionality. Both functionalities are independent.
Device is compound A device under evaluation is said to be compound whenever it incorporates one or more modules in order to cover one or several of the aforementioned functionalities. Being a compound device does not preclude the applicability of “terminal is a module” functionality. Both functionalities are independent.
Modified p. 37
Terminal implements TCP/IP stack A device under evaluation implements a TCP/IP stack and associated open protocols.
Implements Open Protocols A device under evaluation implements a TCP/IP stack and associated open protocols.
Modified p. 38
In addition to other applicable requirements, devices implementing open protocols, for example Bluetooth, Wi-Fi and TLS, must be validated against the requirements noted in Implements Open Protocols. Devices implementing SRED must be validated against the requirements in Protects Account Data.
In addition to other applicable requirements, devices implementing open protocols—e.g., Bluetooth, Wi-Fi and TLS—must be validated against the requirements noted in Implements Open Protocols. Devices implementing SRED must be validated against the requirements in Protects Account Data.
Modified p. 38
SCRP includes all Physical and Logical requirements except those specific to PIN entry, display prompt control, unattended usage, and use of magnetic-stripe readers. Note that unattended usage and magnetic-stripe reader requirements may still be applicable to SCRs, but SCRPs are not intended for those use cases.
SCRP includes all Physical and Logical requirements except those specific to PIN entry, display prompt control, and unattended usage.
Modified p. 39
Non-Invasive Attacks − Determining Keys Analysis

• For SCRP applicable whenever reader handles PINs, either offline or online, and has plaintext secret or private PIN-security-related cryptographic keys resident in the device.
Non-Invasive Attacks − Determining Keys Analysis

• For SCRP applicable whenever reader handles PINs, either offline or online, and has clear-text secret or private PIN-security-related cryptographic keys resident in the device.
Modified p. 43 → 44
Note: Encrypted, truncated, masked and hashed PAN data (with salt) may be outputted outside of the device.
Note: Encrypted, truncated, masked, and hashed PAN data (with salt) may be outputted outside of the device.
Modified p. 43 → 44
Active Erasure The intentional clearing of data from storage through a means other than simply removing power (e.g. zeroization, inverting power).
Active Erasure The intentional clearing of data from storage through a means other than simply removing power⎯e.g., zeroization, inverting power.
Removed p. 44
Clear text See Plaintext.
Modified p. 44 → 45
Commercial off-the-shelf (COTS) A mobile device (e.g., smartphone or tablet) that is designed for mass-market distribution and is not designed specifically for payment processing.
Commercial off-the-shelf (COTS) A mobile device⎯e.g., smartphone or tablet⎯that is designed for mass-market distribution and is not designed specifically for payment processing.
Modified p. 44 → 45
A violation of the security of a system such that an unauthorized disclosure of sensitive information may have occurred. This includes the unauthorized disclosure, modification, substitution, or use of sensitive data (including plaintext cryptographic keys and other keying material).
A violation of the security of a system such that an unauthorized disclosure of sensitive information may have occurred. This includes the unauthorized disclosure, modification, substitution, or use of sensitive data (including clear-text cryptographic keys and other keying material).
Modified p. 44 → 45
Cryptographic Key Component (Key Component) One of at least two parameters having the characteristics (for example, format, randomness) of a cryptographic key that is combined with one or more like parameters – for example, by means of modulo-2 addition – to form a cryptographic key. Throughout this document, “key component” may be used interchangeably with “secret share” or key “fragment.” Data Encryption Algorithm (DEA) A published encryption algorithm used to protect critical information by enciphering data based upon a variable secret key. The …
Cryptographic Key Component (Key Component) One of at least two parameters having the characteristics⎯e.g., format, randomness⎯of a cryptographic key that is combined with one or more like parameters⎯e.g., by means of modulo-2 addition⎯to form a cryptographic key. Throughout this document, “key component” may be used interchangeably with “secret share” or key “fragment.” Data Encryption Algorithm (DEA) A published encryption algorithm used to protect critical information by enciphering data based upon a variable secret key. The Data Encryption Algorithm is …
Modified p. 45 → 46
Encrypt The (reversible) transformation of data by a cryptographic algorithm to produce ciphertext – i.e., the process of transforming plaintext into ciphertext to hide the information content of the data.
Encrypt The (reversible) transformation of data by a cryptographic algorithm to produce ciphertext⎯i.e., the process of transforming clear text into ciphertext to hide the information content of the data.
Modified p. 45 → 46
Encrypted Key (Ciphertext Key) A cryptographic key that has been encrypted with a key-encrypting key, a PIN, or a password in order to disguise the value of the underlying plaintext key.
Encrypted Key (Ciphertext Key) A cryptographic key that has been encrypted with a key-encrypting key, a PIN, or a password in order to disguise the value of the underlying clear-text key.
Modified p. 46 → 47
2) Collision-resistant: It is computationally infeasible to find any two distinct inputs (e.g., messages) that map to the same output.
2) Collision-resistant: It is computationally infeasible to find any two distinct inputs⎯e.g., messages⎯that map to the same output.
Modified p. 47
• Holds one or more professional credentials applicable to the field, e.g., doctoral-level qualifications in a relevant discipline or government certification in cryptography by an authoritative body (e.g., NSA).
• Holds one or more professional credentials applicable to the field⎯e.g., doctoral-level qualifications in a relevant discipline or government certification in cryptography by an authoritative body⎯e.g., NSA.
Modified p. 47
• Is recognized by his/her peers in the field (e.g., awarded the Fellow or Distinguished Fellow or similar professional recognition by an appropriate body, e.g., ACM, BCS, IEEE, IET, IACR).
• Is recognized by his/her peers in the field⎯e.g., awarded the Fellow or Distinguished Fellow or similar professional recognition by an appropriate body⎯e.g., ACM, BCS, IEEE, IET, IACR.
Modified p. 47
Independence requires that the entity is not subject to control, restriction, modification, or limitation from a given outside source. Specifically, independence requires that a person, firm or corporation who holds itself out for employment as a cryptologist or similar expert to more than one client company is not a regular employee of that company, does not work exclusively for one company and where paid, is paid in each case assigned for time consumed and expenses incurred.
Independence requires that the entity is not subject to control, restriction, modification, or limitation from a given outside source. Specifically, independence requires that a person, firm, or corporation who holds itself out for employment as a cryptologist or similar expert to more than one client company is not a regular employee of that company, does not work exclusively for one company, and where paid, is paid in each case assigned for time consumed and expenses incurred.
Modified p. 48
Key Deletion Process by which an unwanted key, and information from which the key may be reconstructed, is destroyed at its operational storage/use location.
Key Deletion Process by which an unwanted key, as well as information from which the key may be reconstructed, is destroyed at its operational storage/use location.
Modified p. 48
Key Instance The occurrence of a key in one of its permissible forms, that is, plaintext key, key components and enciphered key.
Key Instance The occurrence of a key in one of its permissible forms, that is, clear-text key, key components, and enciphered key.
Modified p. 48 → 49
Key Replacement Substitution of one key for another when the original key is known or suspected to be compromised or the end of its operational life is reached.
Key Replacement Substitution of one key for another when the original key is known or suspected to be compromised, or the end of its operational life is reached.
Modified p. 49
Least Privilege In information security, computer science, and other fields, the principle of least privilege (also known as the principle of minimal privilege or the principle of least authority) requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose Manual Key Entry The entry of cryptographic keys …
Least Privilege In information security, computer science, and other fields, the principle of least privilege (also known as the principle of minimal privilege or the principle of least authority) requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.
Modified p. 49
Masking Method of concealing a segment of data when displayed. At most the first six and last four digits of a PAN can be displayed by the device.
Masking Method of concealing a segment of data when displayed. At most, the first six and last four digits of a PAN can be displayed by the device.
Removed p. 50
Plaintext The intelligible form of an encrypted text or of its elements.

Plaintext Key An unencrypted cryptographic key used in its current form.
Modified p. 50
OEM PED A self-contained point-of-sale POI device containing a PIN pad, display and/or card reader, which requires integration into a final casing. Generally used in UPTs.
OEM PED A self-contained point-of-sale POI device containing a PIN pad, display, and/or card reader, which requires integration into a final casing. Generally used in UPTs.
Modified p. 50
Opaque Impenetrable by light (i.e., light within the visible spectrum of wavelength range of 400nm to 750nm); neither transparent nor translucent within the visible spectrum.
Opaque Impenetrable by light⎯i.e., light within the visible spectrum of wavelength range of 400nm to 750nm⎯; neither transparent nor translucent within the visible spectrum.
Modified p. 50
Overlay Any additional covering including a fake keypad, placed by fraudsters on top of a genuine PIN entry keypad and generally similar in shape and color. The placement of an overlay may also serve the purpose of concealing other attacks.
Overlay Any additional covering, including a fake keypad, placed by fraudsters on top of a genuine PIN entry keypad and generally similar in shape and color. The placement of an overlay may also serve the purpose of concealing other attacks.
Modified p. 50 → 51
Point of Interaction (POI) An electronic-transaction-acceptance product. A POI consists of hardware and software and is hosted in acceptance equipment to enable a cardholder to perform a card transaction. Thereby the POI may be attended or unattended. POI transactions include IC, magnetic-stripe, and contactless payment card-based payment transactions.
Point of Interaction (POI) An electronic-transaction-acceptance product. A POI consists of hardware and software and is hosted in acceptance equipment to enable a cardholder to perform a card transaction. Thereby the POI may be attended or unattended. POI transactions include Integrated Circuit (IC) and magnetic-stripe contact cards, and contactless payment card-based payment transactions.
Modified p. 51 → 52
With asymmetric cryptographic techniques, such as RSA, there are four elementary transformations: sign and verify for signature systems, and encipher and decipher for encipherment systems. The signature and the decipherment transformations are kept private by the owning entity, whereas the corresponding verification and encipherment transformations are published. There exist asymmetric cryptosystems (e.g. RSA) where the four elementary functions may be achieved by only two transformations: one private transformation suffices for both signing and decrypting messages, and one public transformation suffices …
With asymmetric cryptographic techniques, such as RSA, there are four elementary transformations: sign and verify for signature systems and encipher and decipher for encipherment systems. The signature and the decipherment transformations are kept private by the owning entity, whereas the corresponding verification and encipherment transformations are published. There exist asymmetric cryptosystems⎯e.g. RSA⎯where the four elementary functions may be achieved by only two transformations: one private transformation suffices for both signing and decrypting messages, and one public transformation suffices for both …
Modified p. 52 → 53
Secure Controller A secure microprocessor or security protected microprocessor within the terminal, used to manage cardholder data amongst other functions.
Secure Controller A secure microprocessor or security protected microprocessor within the terminal, used to manage cardholder data among other functions.
Modified p. 52 → 53
Secure Key Loader A self-contained unit that is capable of storing at least one plaintext or encrypted cryptographic key or key component that can be transferred, upon request, into a cryptographic module.
Secure Key Loader A self-contained unit that is capable of storing at least one clear-text or encrypted cryptographic key or key component that can be transferred, upon request, into a cryptographic module.
Modified p. 53
Sensitive Authentication Data Security-related information (card validation codes/values, full track data from the magnetic stripe, magnetic-stripe image on the chip or elsewhere, PINs, and PIN blocks) used to authenticate cardholders, appearing in plaintext or otherwise unprotected form.
Sensitive Authentication Data Security-related information (card validation codes/values, full track data from the magnetic stripe, magnetic-stripe image on the chip or elsewhere, PINs, and PIN blocks) used to authenticate cardholders, appearing in clear text or otherwise unprotected form.
Modified p. 53 → 54
SK Session key Split Knowledge A condition under which two or more entities separately have information (e.g., key components) that individually convey no knowledge of the resultant combined information (e.g., a cryptographic key).
SK Session key Split Knowledge A condition under which two or more entities separately have information⎯e.g., key components⎯that individually convey no knowledge of the resultant combined information⎯e.g., a cryptographic key.
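As an added illustration of the Key Component and Split Knowledge definitions above (example code written for this page, not part of the PCI PTS document), the following Python forms a key from XOR (modulo-2 addition) components and shows why any set short of the full set is consistent with every possible key. The sample key and candidate values are constructed for the demonstration.

```python
import os
from functools import reduce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Modulo-2 addition of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("components must be the same length as the key")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n: int) -> list:
    """Split `key` into n components: the first n-1 are random, the last is
    chosen so that the modulo-2 sum of all n components equals the key."""
    if n < 2:
        raise ValueError("split knowledge requires at least two components")
    components = [os.urandom(len(key)) for _ in range(n - 1)]
    components.append(reduce(xor_bytes, components, key))
    return components


def combine_components(components) -> bytes:
    """Re-form the key: modulo-2 addition of every component."""
    return reduce(xor_bytes, components)


def missing_component_for(partial, candidate_key: bytes) -> bytes:
    """Given all but one component and any candidate key, return the one
    component value that would make the full set combine to that candidate.
    Such a value always exists, so an incomplete set of components conveys
    no knowledge of the key (the Split Knowledge condition)."""
    return xor_bytes(reduce(xor_bytes, partial), candidate_key)


def holders_learn_nothing(partial, key_len: int) -> bool:
    """For a few constructed candidate keys, confirm the partial set is
    consistent with each of them; True when every candidate fits."""
    candidates = [bytes(key_len), bytes([0xFF] * key_len), bytes(range(key_len))]
    return all(
        combine_components(list(partial) + [missing_component_for(partial, c)]) == c
        for c in candidates
    )


if __name__ == "__main__":
    # Constructed sample key for demonstration only; not a real key.
    sample_key = bytes.fromhex("0123456789abcdeffedcba9876543210")
    parts = split_key(sample_key, 3)
    print("all components combine to the key:", combine_components(parts) == sample_key)
    print("two of three components reveal nothing:", holders_learn_nothing(parts[:2], 16))
```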