Document Comparison

Point_of_Interaction_(POI)_Modular_Security_Requirements_Summary_of_Changes_v4.1.pdf → Point_of_Interaction_(POI)_Modular_Security_Requirements_Summary_of_Changes_v5.pdf
15% similar
7 → 4 Pages
1771 → 584 Words
11 Content Changes

Content Changes

11 content changes. 9 administrative changes (dates, page numbers) hidden.

Added p. 1
Payment Card Industry (PCI) PIN Transaction Security (PTS) Point-of-Interaction (POI) Summary of Requirements Changes from Version 4.1 to 5.0
Added p. 2
Document Abbreviations Used
Abbreviation: Document Referenced
SR / SRs: PCI PTS POI Modular Security Requirements
DTR / DTRs: PCI PTS POI Modular Derived Test Requirements
VQ: PCI PTS POI Modular Vendor Questionnaire

Note: The changes above do not include those that are corrections of grammar or typographical errors or other rephrasing of existing statements.
Added p. 3
Table 2: Summary of Changes
Document and Requirements (Change Type): Change

SR General (Additional Guidance): Added references to ISO 9797-1, ISO 18033-1, ISO 18033-5, NIST SP 800-38B, NIST SP 800-90A Revision 1, and NIST SP 800-131A Revision 1.

SR A2 (Requirement): Eliminated requirement for Independent Security Mechanisms and added guidance to SR A-1.

SR B4 (Requirement): Added requirement that devices must support firmware updates.

SR K1.2 (Requirement): Eliminated requirement for Independent Security Mechanisms and added guidance to SR K-1.1.

SR K12 (Requirement): Added requirement that devices must support firmware updates.

SR M1 (Requirement): Clarified that the device must be protected from unauthorized modification with tamper-detection characteristics and is not restricted to just tamper evidence.

DTRs Introduction (Additional Guidance): Provided additional guidance for lab reporting criteria, including minimal contents of reports and minimal test activities.

DTRs • All Sections (Requirement): Enhanced robustness of test scripts throughout.

DTR A1: Eliminated ten hours minimum for exploitation …
Removed p. 2
PCI PTS POI Summary of Changes This document provides a summary of changes to the PTS POI version 4.0 family of documents from version 4.0 to version 4.1. Section 1 below provides an overview of the types of changes included in Version 4.1. Section 2 on the following pages provides a summary of material changes.
Modified p. 2
Section 1: Documents and Change Types
Abbreviation: Document Title
SR: PCI PTS POI Modular Security Requirements
DTR: PCI PTS POI Modular Derived Test Requirements
VQ: PCI PTS POI Modular Evaluation Vendor Questionnaire
Change Type: Definition
Additional Guidance: Explanation, definition and/or instruction to increase understanding or provide further information or guidance on a particular topic.
Table 1: Change Types
Change Type: Definition
Additional Guidance: Explanation, definition, and/or instruction to increase understanding or provide further information or guidance on a particular topic.
Modified p. 2
Requirement Change: To reflect the addition or modification or deletion of requirements.
Requirement Change: To reflect the addition, modification, deletion, or restructuring of requirements.
Removed p. 3
Section 2: Summary of Material Changes
Document and Reference (Change Type): Change

Security Requirements

SR General (Additional Guidance): Modified PTS Approval Modules Selection Flow Diagram to clarify that EPPs may go through the Integration, Open Protocols, and SRED modules.

SR General (Additional Guidance): Further clarified that:

• Device management in this document covers up to the point of initial key loading for payment transaction keys (keys used by the acquiring organization) or at the facility of initial deployment; and
• Subsequent to receipt of the device at the initial key-loading facility or at the facility of initial deployment, the responsibility for the device falls to the acquiring financial institution and its agents (e.g., merchants and processors).

SR B4.2 (Requirement …): Added a new Core requirement for the vendor to provide a documented and defined process for how signing mechanisms must be implemented for the signing of display prompts and application code in order to be authenticated.
Removed p. 4
(Additional Guidance): Clarified that device passwords/PINs, where required for use, must be a minimum of seven characters or equivalent strength.

DTR A1 (Additional Guidance): Added additional guidance:

The device is protected against penetration by including features that detect any feasible attempts to tamper with the device and cause immediate erasure of all cryptographic keys and sensitive data when such an attempt is detected.

Removal of the case or the opening, whether authorized or unauthorized, of any access entry to the device’s internal components causes the automatic and immediate erasure of the cryptographic keys stored within the device.

Any tamper-detection/key-erasure mechanisms function even in the absence of applied power.

DTR A10: Added additional guidance:

This requirement applies to components that are used for PIN entry or handle the PIN, such as an ICCR.

OEM products that are “bolt-on” or drop-in type modules (e.g., OEM PEDs) for UPTs do not require removal protections if the module provides a …
Removed p. 5
(Additional Guidance): For OP and SRED applications, failing in a secure manner involves disabling all CHD processing functionality.

DTR B2 (Additional Guidance): Added additional detailed steps to validate device protections against buffer overflow and to execute a vulnerability assessment for all device interfaces and associated communication methods, similar to what is performed for open protocols.

DTR B3 (Additional Guidance): Changed guidance from a should to a shall:

The vendor shall implement measures to help prevent common exploits of "buffer overflow" and similar vulnerabilities.

DTR B4 (Additional Guidance): Added additional guidance:

The firmware and application version numbers must be shown on the display or printed during startup or on request. This includes all modules addressed in testing, including SRED and Open Protocols. This shall be illustrated by photographic evidence provided in the evaluation report.

DTR B10: Added additional guidance for characteristics that prevent or significantly deter the use of the device for exhaustive PIN determination, stating:

The …
Removed p. 6
… (Requirement Change)

DTR I4 (Requirement Change): Mutual authentication is now provided for instead of only server authentication.

DTR K3 (Additional Guidance): Added additional guidance:

If the encrypted keys are protected in accordance with the minimum key sizes and parameters for the key-encipherment algorithm(s) used as stipulated in Appendix D, they do not need to be considered.

DTR K4: Added additional guidance:

The independent expert must be qualified via a combination of education, training, and experience in cryptology to provide objective technical evaluations that are independent of any ties to vendors and special interests. Independent expert qualifications are further defined in the glossary.

For devices that allow the enablement (turning on) or the disablement (turning off) of SRED functionality, the enablement must result in the firmware revision number changing and the device providing visual indication of SRED enablement. Disablement must result in the firmware revision number reverting and the device no longer providing visual indication of …
Removed p. 7
(Requirement Change): Impacts all requirements in Sections L and M.

DTR • Appendix C: Configuration and Use of the sts Tool (Additional Guidance): Updated sts guidance.

Vendor Questionnaire

VQs Sections L and M • Device Management (Additional Guidance; Requirement Change): New questions in support of new DTRs for Device Management Security Requirements.