Document Comparison
HSM_Security_Requirements_v3_Summary_of_Changes.pdf
→
PCI_HSM_Security_Requirements_v4_Summary_of_Changes.pdf
35% similar
5 → 5
Pages
1067 → 806
Words
6
Content Changes
Content Changes
6 content changes. 4 administrative changes (dates, page numbers) hidden.
Added
p. 3
Table 2: Summary of Changes Document and Requirements Change Type General Eliminated PCI Vendor Questionnaire. PCI laboratories will solicit information using proprietary methods that provide more efficient support for the gathering of that information.
Additional Guidance General Migrated as applicable technical FAQs into the Derived Test Requirements or the Device Testing and Approval Program Guide.
Additional Guidance SR General Added new module - Cloud Based HSMs as a Service - Multi-tenant Usage Security Requirements with the following sections:
• Cloud Physical Security Requirements
• Cloud Logical Security Requirements
• Cloud Provisioning / Management Security Requirements Requirement SR General Renamed Device Management Security Requirements module to Life Cycle Security Requirement SR General Added references to ANSI X9.42, ANSI X9.102, ANSI X9.142, ASC X9 TR 34, FIPS PUB 140-3 and ISO 20038.
Additional Guidance SR General Added reference to ‘Secure Environments’ as defined in ISO 13491-2 Additional Guidance SR General Updated references to account data encryption Requirement (HSM …
Additional Guidance General Migrated as applicable technical FAQs into the Derived Test Requirements or the Device Testing and Approval Program Guide.
Additional Guidance SR General Added new module - Cloud Based HSMs as a Service - Multi-tenant Usage Security Requirements with the following sections:
• Cloud Physical Security Requirements
• Cloud Logical Security Requirements
• Cloud Provisioning / Management Security Requirements Requirement SR General Renamed Device Management Security Requirements module to Life Cycle Security Requirement SR General Added references to ANSI X9.42, ANSI X9.102, ANSI X9.142, ASC X9 TR 34, FIPS PUB 140-3 and ISO 20038.
Additional Guidance SR General Added reference to ‘Secure Environments’ as defined in ISO 13491-2 Additional Guidance SR General Updated references to account data encryption Requirement (HSM …
Modified
p. 1
Payment Card Industry (PCI) PIN Transaction Security (PTS) Hardware Security Module (HSM) Summary of Requirements Changes from Version 2.0 to 3.0
Payment Card Industry (PCI) PIN Transaction Security (PTS) Hardware Security Module (HSM) Summary of Requirements Changes from Version 3.0 to 4.0
Modified
p. 2
Document Abbreviations Used Abbreviation Document Referenced SR / SRs PCI PTS HSM Modular Security Requirements DTR / DTRs PCI PTS HSM Modular Derived Test Requirements VQ PCI PTS HSM Modular Vendor Questionnaire
Document Abbreviations Used Abbreviation Document Referenced SR / SRs PCI PTS HSM Modular Security Requirements DTR / DTRs PCI PTS HSM Modular Derived Test Requirements
Removed
p. 3
Table 2: Summary of Changes Document and Requirements Change Type SR General, DTRs, and VQ Added approval classes for key-loading devices and HSM remote administration platforms, together with supporting requirements, test scripts, and vendor questions.
Requirement SR General Added references to ISO 9797-1, ISO 18033-1, ISO 18033- 5, NIST SP 800-38B, NIST SP 800-90A Revision 1, and NIST SP 800-131A Revision 1.
Additional Guidance SR A2 Eliminated requirement for Independent Security Mechanisms and added guidance to SR A-1 Requirement SR A3 Eliminated requirement for Response to Internal Access and added guidance to SR A-1 Requirement SR B1 Added allowance for continuous error checking as an option to running self-tests at least once per day Requirement SR B4 Added requirement that devices must support firmware updates Requirement SR B4.1 Added new requirement for the firmware to authenticate applications loaded into the device consistent with B4, including updates and configuration changes.
Requirement SR B8 Clarified …
Requirement SR General Added references to ISO 9797-1, ISO 18033-1, ISO 18033- 5, NIST SP 800-38B, NIST SP 800-90A Revision 1, and NIST SP 800-131A Revision 1.
Additional Guidance SR A2 Eliminated requirement for Independent Security Mechanisms and added guidance to SR A-1 Requirement SR A3 Eliminated requirement for Response to Internal Access and added guidance to SR A-1 Requirement SR B1 Added allowance for continuous error checking as an option to running self-tests at least once per day Requirement SR B4 Added requirement that devices must support firmware updates Requirement SR B4.1 Added new requirement for the firmware to authenticate applications loaded into the device consistent with B4, including updates and configuration changes.
Requirement SR B8 Clarified …
Removed
p. 4
• I8 and J1 The PCI test laboratories will now validate device management information via documentation reviews. Any variances to these requirements will be reported to PCI for review. However, this information will only be used for analysis at this time and will not impact whether a device receives an approval.
Requirement SR J1 Clarified the device must be protected from unauthorized modification with tamper detection characteristics and is not restricted to just tamper evidence Requirement Appendices A and B Added appendices to define applicability of requirements to approval classes for HSMs, key-loading devices, and remote administration platforms.
Additional Guidance DTRs Introduction Provided additional guidance for lab reporting criteria, including minimal contents of reports and minimal test activities.
Additional Guidance DTRs Module 1: Core Requirements
• Sections A, B, and C Significantly enhanced test scripts based on leveraging applicable information from POI V4 and to support new approval classes.
Requirement DTR A1 Eliminated ten hours …
Requirement SR J1 Clarified the device must be protected from unauthorized modification with tamper detection characteristics and is not restricted to just tamper evidence Requirement Appendices A and B Added appendices to define applicability of requirements to approval classes for HSMs, key-loading devices, and remote administration platforms.
Additional Guidance DTRs Introduction Provided additional guidance for lab reporting criteria, including minimal contents of reports and minimal test activities.
Additional Guidance DTRs Module 1: Core Requirements
• Sections A, B, and C Significantly enhanced test scripts based on leveraging applicable information from POI V4 and to support new approval classes.
Requirement DTR A1 Eliminated ten hours …
Removed
p. 5
Requirement DTR Sections D
• H Added to support new requirements for key-loading devices and remote administration platforms.
Requirement DTR Module 4: Device Management Security Requirements Added to support new requirement for the lab to validate this information via documentation reviews.
Requirement DTR I1 Added stipulation that approval of delta submissions is contingent on evidence of an ongoing change control and vulnerability management process.
Requirement DTR Appendix A Updated Attack Costing Potential Formulas to reflect more granular approach for attack times and expertise Additional Guidance DTR Appendix B Added new appendix detailing equipment classification for physical attack costing purposes for use with Appendix A Additional Guidance DTR Appendix C Updated information on the configuration and use of the STS tool.
Additional Guidance DTR Appendix D Updated guidance on the use of Diffie-Hellman. Additional Guidance DTR Appendix E Added new guidance for side channel analysis best practices Additional Guidance VQ Modifications and additions to reflect changes …
• H Added to support new requirements for key-loading devices and remote administration platforms.
Requirement DTR Module 4: Device Management Security Requirements Added to support new requirement for the lab to validate this information via documentation reviews.
Requirement DTR I1 Added stipulation that approval of delta submissions is contingent on evidence of an ongoing change control and vulnerability management process.
Requirement DTR Appendix A Updated Attack Costing Potential Formulas to reflect more granular approach for attack times and expertise Additional Guidance DTR Appendix B Added new appendix detailing equipment classification for physical attack costing purposes for use with Appendix A Additional Guidance DTR Appendix C Updated information on the configuration and use of the STS tool.
Additional Guidance DTR Appendix D Updated guidance on the use of Diffie-Hellman. Additional Guidance DTR Appendix E Added new guidance for side channel analysis best practices Additional Guidance VQ Modifications and additions to reflect changes …