lifecycle post mfg wpv30 june2011
TRANSCRIPT

8/2/2019 Lifecycle Post Mfg WPv30 June2011
1/37

Lifecycle of a Secure Payment Device:
Post Manufacturing Stage
Revision 3.0
June 6, 2011
Lifecycle of a Secure Payment Device: Post Manufacturing Stage    Page 2    June 6, 2011    Revision 3.0
Table of Contents

1 Overview .................................................................. 5
2 Abbreviations ............................................................. 6
3 Glossary .................................................................. 7
4 Stage Definition .......................................................... 8
5 Stages and Processes ...................................................... 9
6 Assumptions ............................................................... 10
7 Stage Security Objectives ................................................. 11
8 Applicable Standards ...................................................... 12
8.1 Applicable Standards Security Requirements .............................. 13
8.1.1 PIN Transactions Security Version 2.1, January 2009 .................. 13
8.1.1.1 Device Management Requirements ..................................... 13
8.1.2 ISO 13491-1 ........................................................... 14
8.1.3 ISO 13491-2: Annex A. Physical, Logical and Device Management Characteristics Common to All Secure Cryptographic Devices ... 14
8.1.3.1 Device Management .................................................. 14
8.1.3.2 Device Protection between Manufacturer and Pre-use ................. 14
8.1.4 Annex B. Devices with PIN Entry Functionality ........................ 15
8.1.4.1 PIN entry Device Protection during Initial Key Loading ............. 15
8.1.5 Annex E. Devices with Key Generation Functionality ................... 15
8.1.5.1 Logical Security Characteristics ................................... 15
8.1.6 Annex F. Devices with Key Transfer and Loading Functionality ......... 16
8.1.6.1 Logical Security Characteristics ................................... 16
8.1.6.2 Device Management .................................................. 16
8.1.7 Annex G Devices with Digital Signature Functionality ................. 18
8.1.7.1 Device Management .................................................. 18
8.1.8 Annex H Categorization of Environments ............................... 18
8.1.8.1 Minimally Controlled Environments .................................. 18
8.1.8.2 Controlled Environments ............................................ 19
8.1.8.3 Secure Environments ................................................ 20
8.1.9 PIN Security & TR39 .................................................. 21
8.1.9.1 PIN Security ....................................................... 21
8.2 Security Requirements Analysis ......................................... 22
8.2.1 Security Requirements Standards Map .................................. 22
9 Lifecycle Protection Methods ............................................. 23
9.1 ISO 13491-1 Requirements ............................................... 23
9.2 Protection Methods Analysis ............................................ 23
10 Audit and Control Principles ............................................ 24
10.1 PTS ................................................................... 24
10.2 ISO 13491-1 ........................................................... 24
10.3 ISO 13491-2 ........................................................... 25
11 Stakeholders ............................................................ 26
12 SPVA Certification Requirements ......................................... 27
12.1 SPVA Security Requirements ............................................ 27
12.1.1 SPVA_Post_Manufacturing_Sec_Req_1 ................................... 27
12.1.2 SPVA_Post_Manufacturing_Sec_Req_2 ................................... 27
12.1.3 SPVA_Post_Manufacturing_Sec_Req_3 ................................... 28
12.1.4 SPVA_Post_Manufacturing_Sec_Req_4 ................................... 28
12.1.5 SPVA_Post_Manufacturing_Sec_Req_5 ................................... 28
12.1.6 SPVA_General_Req .................................................... 28
12.2 SPVA Audit Control Objectives ......................................... 29
12.2.1 SPVA_Post_Manufacturing_Aud_Req_1 ................................... 29
13 Rationale ............................................................... 30
13.1 SPVA Security Requirements Map ........................................ 30
13.2 SPVA Security Requirements Coverage ................................... 31
13.2.1 Secure Post Manufacturing Processes ................................. 31
13.2.2 Initial Key Loading ................................................. 31
13.2.3 Secure Delivery and Storage ......................................... 31
13.2.4 Incident Management ................................................. 31
13.2.5 SPVA AUDIT .......................................................... 31
13.3 SPVA Keyloading Scenarios ............................................. 32
14 References .............................................................. 34
15 Appendix 1 SPVA Requirements Updated After PCI PTS v3. (April 2010) ..... 35
15.1 Introduction .......................................................... 35
15.2 PCI PTS v3 Requirements: Manufacturer and Initial Key Loading ......... 35
15.3 SPVA Security Requirements Map ........................................ 36
15.4 SPVA Certification Requirements ....................................... 36
15.4.1 SPVA_Post_Manufacturing_Sec_Req_2 (Refined) ......................... 36
15.4.2 SPVA_Post_Manufacturing_Sec_Req_5 (New Requirement) ................. 37
1 Overview

The main purpose of this document is to define the SPVA security requirements applicable for the Post Manufacturing Stage of a payment device.

SPVA has performed a thorough analysis of the current security standards for POS terminals during the Post Manufacturing Stage. The purpose of the analysis was to estimate any potential missing information in security standards in order to achieve full coverage as mandated by the SPVA board. This document represents the conclusions of this effort.

This document only focuses on the Post Manufacturing Stage, which covers the moment the terminal has been produced to the moment the terminal is loaded with the customer keys.

The SPVA TWG 2 had the following members who worked on this document:
Chairman: Roberto Faans, Hypercom. Other members include:

Organization Represented        Representative
Hypercom                        Isabel Bardsley-Garcia
Ingenico                        Yann Levenez
Mustang Microsystems, Inc       Tami Harris
Mustang Microsystems, Inc.      Tom Galloway
PAX SZ                          Alex Dong DQ
Verifone                        Doug Manchester
Verifone                        Sadiq Mohammed
2 Abbreviations

DES      A symmetric method known as Data Encryption Standard
ISO      International Standards Organization
NIST     National Institute of Standards and Technology
PCI      Payment Card Industry
PCI SSC  PCI Security Standards Council
PD       Payment Device
PED      POS PIN Entry Device
PTS      PIN Transaction Security
POS      Point of Sale
RSA      An asymmetric method developed by Rivest, Shamir and Adelman
SP       A document from NIST: Special Publication
SPVA     Secure POS Vendor Alliance
TDEA     A method using DES three times in sequence (i.e. encrypt-decrypt-encrypt) using two or three keys conforming to the Triple Data Encryption Algorithm.
TWG      Technical Working Group
3 Glossary

Asymmetric Keys
    Comprised of a pair of keys, one Public, the other Private, that are used to accomplish secure communication and authentication. The RSA algorithm uses asymmetric keys. More information can be found in X9.24 part 2.

Customer Key
    A key under Customer management responsibility, usually an acquirer.

Initial Key
    The key that is used to assure the integrity and authenticity of the PD during the full Lifecycle of a Secure Payment Device.

Initial Key loading
    Process for Customer Key loading.

Payment Device trust establishment
    A process to establish the trust relationship between PD and PD manufacturer.

Symmetric Keys
    Comprised of a single key that is shared between two or more parties and kept secret (i.e. private), used to accomplish secure communications. Symmetric keys can be used for message authentication (i.e. MAC). DES and TDEA are two of several symmetric key methods. More information can be found in X9.24 part 1.

Vendor Keys
    Asymmetric Key pairs under PD manufacturer management responsibility.
4 Stage Definition

The Post Manufacturing Stage consists of the transport and storage of the PD up to and including initial key loading (ISO 13491-1:2007).

This is the only stage covered in this document. Other stages are defined in the following table with the different transition phases. Some of these other stages will be studied in future SPVA documents for Secure Device Lifecycle Management.
5 Stages and Processes

Lifecycle Phase       Transition Event           Processes
Pre-Manufacturing     Manufacturing Completion   Secure Manufacturing Processes
Post-Manufacturing    Initial Key Loading        Secure Delivery and Storage Processes
Pre-Use               Installation               Secure Deployment Processes
Use                   Removal                    Secure in Field Device Management Processes
                      Reinstallation
                      Repair, upgrade            Device Repair Processes
                                                 Secure Development & Update Processes
                                                 Incident Management Processes
Post-Use              Destruction                Secure Device Decommissioning Processes
Audit

Post Manufacturing Stage processes

Main:     Secure Delivery and Storage Processes
          Payment Device Securitization Process (Initial Key Loading)
Related:  Incident Management Process
          Audit Process
6 Assumptions

The moment the Payment Device (PD) reaches the Post Manufacturing Stage, it must be able to perform, at minimum, the following functions:
- Trigger an action as a response to tamper detection
- Load authenticated software

In other words, the PD is a working device with the ability to run authenticated software and the security mechanisms that are required to provide a response to tamper detection.
7 Stage Security Objectives

Process                               Confidentiality  Integrity  Availability  Accountability  Authenticity  Non-repudiation
Secure Post Manufacturing Processes
Initial Key Loading
Secure Delivery and Storage
Incident Management Processes
(The marks showing which objectives apply to each process did not survive extraction of this copy.)

Confidentiality: Sensitive information is not disclosed to unauthorized individuals, entities, or processes. [ISO 18028-2:2006]

Integrity: Safeguarding the accuracy and completeness of assets. [ISO/IEC 13335-1:2004] [ISO 27001:2005] [ISO 13335-1:2004]

Accountability: Actions of an entity may be traced uniquely to the entity. [ISO 7498-2:1989]

Authenticity: Authentic, trustworthy, or genuine.

Non-repudiation: Provides assurance of the integrity and origin of data in such a way that the integrity and origin can be verified by a third party as having originated from a specific entity in possession of the private key of the claimed signatory. [NIST SP 800-57:2007]

Availability: Accessible and useable upon demand by an authorized entity. [ISO/IEC 13335-1:2004] [ISO 18028-2:2006] [ISO 27001:2005] [ISO 13335-1:2004]
8 Applicable Standards

The main standards that are applied to this stage of the process are defined as follows:

Payment Card Industry (PCI) POS PIN Entry Device Security Requirements (PTS [1]) Version 2.1 January 2009:
This document is only concerned with the device management for point of sale PEDs up to the point of initial key loading. Subsequent to receipt of the device at the initial key loading facility, the acquiring financial institution and its agents (e.g., merchants and processors) are responsible for the device and are covered by the operating rules of the Associations and the PCI PIN Security Requirements.

ISO 13491-1:2007 Banking - Secure cryptographic devices (retail) - Concepts, requirements and evaluation methods:
ISO 13491 describes both the physical and logical characteristics and the management of the secure cryptographic devices used to protect messages, cryptographic keys and other sensitive information used in a retail financial services environment.
This part of ISO 13491 has two primary purposes:
- To state the requirements concerning both the operational characteristics of SCDs and the management of such devices throughout all stages of their lifecycle, and
- To standardize the methodology for verifying compliance with those requirements.

ISO 13491-2:2000 Banking - Security compliance checklists for devices used in magnetic stripe card systems:
This part of ISO 13491 specifies the checklists used to evaluate secure cryptographic devices (SCDs) incorporating cryptographic processes, as specified in ISO 9564, ISO 9807 and ISO 11568, in a magnetic stripe card environment. It does not specify checklists for SCDs used in an integrated circuit card (ICC) environment.

[1] PTS (PIN Transaction Security): former PCI PED
PCI PIN Security Requirements Version 2.0 January 2008 (Visa):
This document contains a complete set of requirements for the secure management, processing and transmission of Personal Identification Number (PIN) data during online and offline payment card transaction processing at ATMs, and attended and unattended point of sale (POS) terminals.

ANSI X9 TR-39-2009. TG-3 Retail Financial Services Compliance Guideline Part 1: PIN Security and Key Management:
The PIN Security Compliance Guideline is intended to be used to implement a uniform security review. This guideline presents mandatory Control Objectives relating to general procedures and controls. The mandatory Control Objectives are based on requirements set forth in the following:
- X9.8-1 2003 Part 1: (Personal Identification Number (PIN) Management and Security)
- X9.24-1 2004 (Retail Financial Services Symmetric Key Management, Part 1: Using Symmetric Techniques)
- X9.24 Part 2: 2006 (Retail Financial Services Symmetric Key Management, Part 2: Using Asymmetric Techniques for Distribution of Symmetric Keys).

8.1 Applicable Standards Security Requirements

8.1.1 PIN Transactions Security Version 2.1, January 2009

8.1.1.1 Device Management Requirements

No.  Description of Requirement
F1   The PED is shipped from the manufacturer's facility to the initial key loading facility and stored en route under auditable controls that can account for the location of every PED at every point in time.
F2   Procedures are in place to transfer accountability for the device from the manufacturer to the initial key loading facility.
F3   While in transit from the manufacturer's facility to the initial key loading facility, the device is:
     - Shipped and stored in tamper-evident packaging; and/or
     - Shipped and stored containing a secret that is immediately and automatically erased if any physical or functional alteration to the device is attempted, that can be verified by the initial key loading facility, but that cannot feasibly be determined by unauthorized personnel.
8.1.2 ISO 13491-1

No.  Description of Requirement
     Until an initial key has been loaded, it is necessary to detect a compromise but not to prevent it.
     If a compromise is detected, it is only necessary to ensure that keys are not injected into the device and it is not placed in service until all effects of the compromise have been eliminated from it.

8.1.3 ISO 13491-2: Annex A. Physical, Logical and Device Management Characteristics Common to All Secure Cryptographic Devices

8.1.3.1 Device Management

No.  Security compliance statement
A32  For audit and control purposes, the identity of the device (e.g. its serial number) can be determined, either by external tamper-evident marking or labeling, or by a command that causes the device to return its identity via the interface or via the display.
A36  If a device does not yet contain a secret cryptographic key and there is an attack on a device, or a device is stolen, then procedures are in place to prevent the substitution of the attacked or stolen device for a legitimate device that does not yet contain a secret cryptographic key.
A37  If no sensitive state exists in the device, the loading of plaintext keys will be performed under dual control.

8.1.3.2 Device Protection between Manufacturer and Pre-use

No.  Security compliance statement
A40  The transfer mechanisms by which plaintext keys, key components or passwords are entered into the device are protected and/or inspected so as to prevent any type of monitoring that could result in the unauthorized disclosure of any component or password.
A41  Subsequent to manufacturing and prior to shipment, the device is stored in a protected area or sealed within tamper-evident packaging to prevent undetected unauthorized access to it.
A42  The device is shipped in tamper-evident packaging, and inspected to detect unauthorized access to it; or
     - before a device is loaded with cryptographic keys, it is closely inspected by qualified staff to ensure that it has not been subject to any physical or functional modification; or
     - the device is delivered with secret information that is erased if tampering is detected, to enable the user to ascertain that the device is genuine and not compromised.
     NOTE: One example of such information is the private key of an asymmetric key pair, with the public key of the device signed by a private key known only to the supplier.
A43  The device is loaded with initial key(s) in a controlled manner only when there is reasonable assurance that the device has not been subject to unauthorized physical or functional modification.
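As an added illustration of the A42 third option together with the A32, A36 and A43 checks (example code written for this edit, not from the SPVA paper or any vendor's firmware), the exchange below has the initial key loading facility challenge a device whose secret is erased on tamper. The A42 NOTE describes an asymmetric scheme; this stand-in uses a symmetric per-device secret and HMAC so it needs only the Python standard library, and SupplierHSM, PaymentDevice, the master key and the serial numbers are all constructed.

```python
import hmac
import hashlib
import secrets
from typing import Optional


class SupplierHSM:
    """Manufacturer side (constructed stand-in for the supplier's HSM).

    Derives one secret per device from a master key at manufacturing time and
    later verifies challenge responses for the key loading facility. Only the
    supplier can do this, so a substituted device cannot forge a response (A36).
    """

    def __init__(self, master_key: bytes) -> None:
        self._master = master_key

    def derive_device_secret(self, serial: str) -> bytes:
        # Injected into the device at the factory; never sent over the interface afterwards.
        return hmac.new(self._master, b"pd-secret:" + serial.encode(), hashlib.sha256).digest()

    def verify_response(self, serial: str, challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(self.derive_device_secret(serial), challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class PaymentDevice:
    """Device side: the secret lives in tamper-erased memory (A42, third option)."""

    def __init__(self, serial: str, secret: bytes) -> None:
        self.serial = serial            # A32: identity is readable over the interface
        self._secret: Optional[bytes] = secret

    def tamper_event(self) -> None:
        """Any physical or functional alteration erases the secret immediately and automatically."""
        self._secret = None

    def respond(self, challenge: bytes) -> Optional[bytes]:
        """Prove possession of the secret without disclosing it: only a MAC leaves the device."""
        if self._secret is None:
            return None
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


def genuineness_check(device: PaymentDevice, hsm: SupplierHSM, expected_serial: str) -> bool:
    """Run at the initial key loading facility before any customer key is injected (A43).

    A fresh random challenge defeats replay of an earlier response; a device whose
    secret was erased (tampered) or never set (substituted) cannot answer correctly.
    """
    if device.serial != expected_serial:
        return False
    challenge = secrets.token_bytes(32)
    response = device.respond(challenge)
    if response is None:
        return False
    # In production the facility forwards (serial, challenge, response) to the supplier's
    # verification service; here the supplier object is called directly.
    return hsm.verify_response(device.serial, challenge, response)


if __name__ == "__main__":
    hsm = SupplierHSM(b"constructed master key - not a real value")
    pd = PaymentDevice("SN-000123", hsm.derive_device_secret("SN-000123"))
    print("genuine before tamper:", genuineness_check(pd, hsm, "SN-000123"))
    pd.tamper_event()
    print("genuine after tamper:", genuineness_check(pd, hsm, "SN-000123"))
```

A device that fails the check is exactly the case ISO 13491-1 describes in 8.1.2: keys are not injected and the device is not placed in service until the cause is cleared.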
8.1.4 Annex B. Devices with PIN Entry Functionality

8.1.4.1 PIN entry Device Protection during Initial Key Loading

No.  Security compliance statement
B20  A repaired PIN entry device is not reloaded with the original key (except by chance).
B21  Automated techniques are used, or manual procedures are in place and are followed, to ensure each PIN entry device is given at least one statistically unique key unknown to any person and never previously given (except by chance) to any other PIN entry

8.1.5 Annex E. Devices with Key Generation Functionality

8.1.5.1 Logical Security Characteristics

No.  Security compliance statement
E2   The device's key management functions are designed so that no disclosure of any key is possible without collusion between trusted individuals. Specifically:
     - the device's highest level keys are manually loaded as at least two components under dual control;
     - any function used to input or output key components does not operate until at least two different passwords have been entered.
E3   The device decomposes an actual key into key components in such a way that no active bit of the key could be determined without the knowledge of all components. For example, the components are exclusive-or'ed together to form the key.
E4   Key generation methods comply with ISO 11568.
E5   Each call to obtain a generated key yields a different, statistically unique key (except by chance).
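Example code added here (not from the SPVA paper or ISO 13491-2) that carries the E3 decomposition through: a key is split into components whose exclusive-or is the key, so that any n-1 of them are independent of it; fresh randomness is drawn on every call (E5); and the recombined key is checked for the odd byte parity that DES/TDEA keys carry. The key bytes in the demonstration and the injectable `rng` parameter are constructed for illustration.

```python
import secrets
from typing import Callable, List, Sequence

RandomBytes = Callable[[int], bytes]   # secrets.token_bytes has this signature


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("components must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n_components: int, rng: RandomBytes = secrets.token_bytes) -> List[bytes]:
    """Decompose `key` into n components whose XOR is the key (E3).

    The first n-1 components are uniformly random and the last is chosen so the
    XOR of all n equals the key. Any n-1 components are therefore independent of
    the key (one-time-pad argument): an insider holding all but one learns no bit
    of it. The rng is called afresh on every invocation (E5).
    """
    if n_components < 2:
        raise ValueError("dual control needs at least two components")
    components = [rng(len(key)) for _ in range(n_components - 1)]
    last = key
    for c in components:
        last = xor_bytes(last, c)
    components.append(last)
    return components


def combine_components(components: Sequence[bytes]) -> bytes:
    """Reassemble the key inside the SCD after each custodian has entered one component."""
    if not components:
        raise ValueError("no components supplied")
    key = components[0]
    for c in components[1:]:
        key = xor_bytes(key, c)
    return key


def combine_all_but(components: Sequence[bytes], missing: int) -> bytes:
    """What a custodian who holds every component except `missing` can compute.

    The result equals key XOR components[missing]; with that component uniformly
    random, the value carries no usable information about any key bit.
    """
    return combine_components([c for i, c in enumerate(components) if i != missing])


def has_odd_parity(key: bytes) -> bool:
    """DES/TDEA keys carry one parity bit per byte: each byte has an odd number of 1 bits."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def adjust_odd_parity(key: bytes) -> bytes:
    """Set the low bit of every byte so that the byte has odd parity; the 7 key bits are kept."""
    out = bytearray()
    for b in key:
        if bin(b >> 1).count("1") % 2 == 0:
            out.append((b & 0xFE) | 0x01)
        else:
            out.append(b & 0xFE)
    return bytes(out)


def generate_tdea_key(n_bytes: int = 16, rng: RandomBytes = secrets.token_bytes) -> bytes:
    """Fresh double- or triple-length TDEA key with correct parity (E5)."""
    if n_bytes not in (16, 24):
        raise ValueError("TDEA keys are 16 or 24 bytes")
    return adjust_odd_parity(rng(n_bytes))


if __name__ == "__main__":
    master = generate_tdea_key()                       # constructed demonstration key
    parts = split_key(master, 3)                       # three custodians, one component each
    assert combine_components(parts) == master
    print("parity ok:", has_odd_parity(master))
    print("two of three components reveal the key?", combine_all_but(parts, 2) == master)
```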
8.1.6 Annex F. Devices with Key Transfer and Loading Functionality

8.1.6.1 Logical Security Characteristics

No.  Security compliance statement
F2   Enciphered private keys are protected against key substitution and modification.
F3   The device's key management functions are designed so that no disclosure of any key is possible without collusion between trusted individuals. Specifically:
     - the device's highest level keys are manually loaded as at least two components;
     - any function used to input or output key components, except for the device's components.

8.1.6.2 Device Management

No.  Security compliance statement
F9   The transfer mechanisms by which keys, components or passwords are transferred into or out of the device are protected and/or inspected so as to prevent any type of monitoring that could result in the unauthorized disclosure of any keys, components or passwords.
F14  Controls are in place to detect the unauthorized removal of the device from, and its unauthorized replacement back into, its authorized location.
F15  The device is loaded with a key component under the direct supervision of a person who is allowed access to this component, and only when there is reasonable assurance that there is no bug or other disclosing mechanism on the path that the key component traverses from the key generation device to the transport device itself.
F16  If the device contains a plaintext key component, the device is either under the continuous supervision of a person who is allowed access to this component (and who is aware of his/her responsibilities to ensure the secrecy of this component), or else is locked or sealed in a security container that cannot feasibly be opened without detection by anyone other than those who are allowed access to the component.
F17  The device is used to inject a component into a cryptographic device only under the direct supervision of a person who is allowed access to this component, and only when there is reasonable assurance that there is no bug or other disclosing mechanism on the path that the key component traverses from the key transport device to the cryptographic device.
F18  The transfer of a key to another secure cryptographic device uses either:
     - a secure communications path, or
     - a secure key transfer device, or
     - a secure cryptographic path, or
     - is carried out in a secure environment.
F19  No person with knowledge of or access to one of the passwords or physical keys required to output a key from the device has knowledge of or access to any other such password or physical key of this device.
F20  The device is loaded with a plaintext key only under the direct supervision of at least two authorized people, both of whom ensure that there is no bug or other disclosing mechanism on the path that the key traverses from the key generation device to the key transport device itself.
F21  The device is used to inject a plaintext key into a cryptographic device only under the direct supervision of at least two authorized people, both of whom ensure that there is no bug or other disclosing mechanism on the path that the key traverses from the key transport device to the cryptographic device.
F22  Functionality needed to import, export, or transfer cryptographic keys from external sources ensures that the keys are in one or more of the following forms:
     - enciphered under the proper variant of a symmetric key encipherment key;
     - enciphered under the asymmetric public key of the recipient;
     - enciphered with an import key being specifically enabled for a limited time and limited number of function calls;
     - input under dual or multiple control through the secure operator interface, in components such that full knowledge of all but one component gives no usable information on any bit of the cryptographic key;
     - public keys are entered under dual control or enciphered under the appropriate key or signed as required to ensure authenticity.

8.1.7 Annex G Devices with Digital Signature Functionality

8.1.7.1 Device Management

No.  Security compliance statement
G1   If non-repudiation is claimed then:
     - the asymmetric private and public key pair is generated within the digital signature device; and
     - the asymmetric private key is not exported outside the original digital signature device for any reason, including backup and archival purposes.
G2   For audit and control purposes, the binding between the public key and the identity of the owner of the private key is readily determined by use of:
     - public key certificates, where the public key certificate was obtained from an authorized certificate authority, or
     - public key certificates and appropriate certificate management procedures, or
     - other equivalent mechanisms to irrefutably determine the identity of the owner of the corresponding private key.

8.1.8 Annex H Categorization of Environments

8.1.8.1 Minimally Controlled Environments

No.  Security compliance statement
H1   Authorized access is restricted by physical locks or supervised access points to authorized staff, and persons accompanied by authorized staff.
H2   The environment provides facilities for secure fastening of devices with lockable fastening mechanisms, if such devices are to be installed.
H3   A minimally controlled environment shall remain intact until all keys and other secret data stored in devices within the environment are destroyed or until all such devices are removed from the environment.

8.1.8.2 Controlled Environments

No.  Security compliance statement
H4   Authorized access is restricted by physical locks and continually supervised access points to authorized staff, and persons accompanied by authorized staff.
H5   Any access by other than authorized staff is logged, and the log securely kept and periodically audited.
H6   The devices are either:
     - in full view at all times of at least two staff members who have been instructed to check the devices for signs of attacks or presence of any other persons at the devices; or
     - in view of a video camera (through a closed video system) being monitored at least once every X/2 min, or whenever movement close to the devices is automatically detected, by persons who have been specifically tasked with checking the devices for signs of attacks.
     NOTE: The time X/2 min is half the time X min, which is the time estimated to successfully penetrate the equipment in order to:
     - make any additions, substitutions, or modifications (e.g. the installation of a bug) to the hardware or software of the device; or
     - determine or modify any sensitive information (e.g. PINs, access codes, and cryptographic keys), and then subsequently reinstall the device, without requiring specialized skills and equipment not generally available, and without damaging the device so severely that the damage would have a high probability of detection.
H7   There are no entry or exit points for people or equipment except for continually supervised access points, e.g. watched by guards who have been instructed not to permit any import or export of equipment without written authorization identifying the equipment, signed by an authorized person other than the person moving the equipment.
H8   It is not feasible to gain unauthorized access to the controlled environment, or import or export equipment, from under the floor or from above the ceiling.
8.1.8.3 Secure Environments

No.  Security compliance statement
H9   Authorized access is restricted by physical locks and continually supervised access points to pairs of authorized staff and persons accompanied by pairs of authorized staff. Access points that are not supervised are locked and alarmed, so that any entry or exit causes intervention by guards.
H10  Any non-authorized person(s) requiring access to the secure environment will be supervised at all times by at least two authorized persons whilst in the secure environment.
H11  All accesses to the secure environment are logged, and the log securely kept and periodically audited.
H12  All possible access points to the secure environment are either:
     - in full view at all times of at least two authorized staff members who have been instructed to check the devices for signs of attacks; or
     - in view of a video camera (through a closed video system) coupled with circuitry that automatically raises an alarm whenever movement close to the devices is detected or tamper detection circuitry is activated. Even when no alarm is raised, the camera is monitored at least once every 10 min. The images are watched by persons who have been specifically tasked with checking the secure environment for signs of attacks.
H13  There are no entry or exit points for people or equipment except for continually supervised access points, watched by guards who have been instructed not to permit any import or export of equipment without written authorization identifying the equipment, signed by an authorized person other than the person moving the equipment.
H14  If the secure environment is implemented as a secured room, then the device(s) in the secure environment are in view of a video camera (through a closed video system) coupled with circuitry that automatically raises an alarm whenever movement close to the devices is detected or tamper detection circuitry is activated. Even when no alarm is raised, the camera is monitored at least once every 10 min. The images are watched by persons who have been specifically tasked with checking the secure environment for signs of attacks.
H15  The secure environment provides at most limited opportunity for concealment of activity and for the storage of tools and other equipment.
H16  A secure environment remains such until all keys and other secret data stored in devices within the environment are destroyed or until all such devices are removed from the environment.
No. Securitycompliancestatement
H17 Thesecureenvironmentcontainseither:
boththedeviceanditshost,andtherearecontrolsontheenvironmentwhichpreventthedevicefrombeingconnectedtoanyunauthorizeddevice,andonthehosttoensurethatexhaustive
attacks(onPINs),usinglegitimatefunctioncalls,arenotfeasible;or
thedevicealone,whichcontainssecuritymechanismsthatprotectagainstexhaustiveattacks.
8.1.9 PIN Security & TR-39
The committee has mapped the PIN Security and TR-39 requirements and concludes that both standards are consistent. Refer to Appendix 1, SPVA Requirements Updated After PCI PTS v3 (April 2010), beginning on page 35, for a copy of this map. To facilitate the reading of this document, the PIN Security Objectives definition will be used.
8.1.9.1 PIN Security
No.  Security compliance statement
1    PINs used in transactions governed by these requirements are processed using equipment and methodologies that ensure they are kept secure.
3    Keys are conveyed or transmitted in a secure manner.
4    Key loading to hosts and PIN entry devices is handled in a secure manner.
5    Keys are used in a manner that prevents or detects their unauthorized usage.
6    Keys are administered in a secure manner.
7    Equipment used to process PINs and keys is managed in a secure manner.
8.2 Security Requirements Analysis
8.2.1 Security Requirements Standards Map

PTS     ISO 13491-1   ISO 13491-2   PIN Security
F1                    A41
F2                    A32
                      A36
F3                    A42
        7.3.2         A43           7
                      A37           4
                      A40/F9        4
                      B20/E5        5
                      B21           5
                      E2/F3/F19     6/7
                      E4            1
                      F2            5/4/7
                      F15           7
                      F16           3/4
                      F17           4
                      F18           3
                      F20           3/4
                      F21           3/4
                      F22           3
                      G1            2
                      G2            4
                      H1-H22        7
9 Lifecycle Protection Methods
9.1 ISO 13491-1 Requirements
During this phase, auditing and control procedures shall be implemented which have a high probability of preventing or detecting the unauthorized alteration of the device or the replacement of the device with a counterfeit substitute.
Whichever method of key generation is used, key loading shall be performed in such a way that the secret or private key cannot be determined without collusion.
Immediately prior to initial key loading, there shall be assurance that the device has not been subject to unauthorized modification or substitution. This may be accomplished by:
- Testing and/or inspection of the device;
- Auditing and control of the device post manufacture, or subsequent to the most recent testing and/or inspection of the device;
- Confirmation of the existence within the device of secret data by the manufacturer for the sole purpose of confirming the legitimacy of the device.
Device management shall provide detection of theft or unauthorized removal of the device.
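The ISO 13491-1 requirement above that a loaded key "cannot be determined without collusion" is usually met by split knowledge and dual control: the key is split into components, each custodian holds exactly one, and only the device ever sees the combined value. The Go program below is an added illustration of that ceremony; it is not code from the SPVA document or from any of the standards it cites. The AES-128 key length, the three-custodian split and the key check value (first three bytes of the AES encryption of an all-zero block) are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeyLen is the length of the AES-128 key loaded in this example (an assumption).
const KeyLen = 16

// SplitKey returns n random components whose XOR equals key. Each custodian holds
// one component; any n-1 of them are independent of the key, so the key cannot be
// determined unless the custodians collude.
func SplitKey(key []byte, n int) ([][]byte, error) {
	if len(key) != KeyLen {
		return nil, errors.New("key must be 16 bytes")
	}
	if n < 2 {
		return nil, errors.New("split knowledge needs at least two custodians")
	}
	parts := make([][]byte, n)
	last := append([]byte(nil), key...) // running XOR of the key and the random parts
	for i := 0; i < n-1; i++ {
		parts[i] = make([]byte, KeyLen)
		if _, err := rand.Read(parts[i]); err != nil {
			return nil, err
		}
		for j := range last {
			last[j] ^= parts[i][j]
		}
	}
	parts[n-1] = last
	return parts, nil
}

// CombineKey XORs the components entered by the custodians back into the key.
func CombineKey(parts [][]byte) ([]byte, error) {
	if len(parts) == 0 {
		return nil, errors.New("no components entered")
	}
	key := make([]byte, KeyLen)
	for _, p := range parts {
		if len(p) != KeyLen {
			return nil, errors.New("component has the wrong length")
		}
		for j := range key {
			key[j] ^= p[j]
		}
	}
	return key, nil
}

// KeyCheckValue returns the first three bytes (hex) of the AES encryption of an
// all-zero block. It confirms that the assembled key is the intended one without
// the key itself leaving the device.
func KeyCheckValue(key []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	var zero, out [aes.BlockSize]byte
	block.Encrypt(out[:], zero[:])
	return hex.EncodeToString(out[:3]), nil
}

// LoadKey models the loading ceremony: each custodian enters one component, the
// device assembles the key and compares its KCV with the value recorded by the
// key generation facility. Any mismatch aborts the load.
func LoadKey(parts [][]byte, expectedKCV string) ([]byte, error) {
	key, err := CombineKey(parts)
	if err != nil {
		return nil, err
	}
	kcv, err := KeyCheckValue(key)
	if err != nil {
		return nil, err
	}
	if kcv != expectedKCV {
		return nil, fmt.Errorf("KCV mismatch: got %s, want %s", kcv, expectedKCV)
	}
	return key, nil
}

func main() {
	key := make([]byte, KeyLen) // constructed example key; real keys are generated inside an HSM
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	kcv, _ := KeyCheckValue(key)
	parts, _ := SplitKey(key, 3)
	if _, err := LoadKey(parts, kcv); err == nil {
		fmt.Println("all three custodians present: key loaded, KCV", kcv)
	}
	if _, err := LoadKey(parts[:2], kcv); err != nil {
		fmt.Println("only two custodians:", err)
	}
}
```

The KCV is what makes the ceremony auditable without disclosure: the facility that generated the key publishes only the KCV, the loading record stores only the KCV, and a component entered incorrectly (or a custodian missing) shows up as a mismatch rather than as a silently wrong key in the device.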
9.2 Protection Methods Analysis
Unlike ISO 13491-1, PTS does not make any distinction between requirements and protection methods that may be used to protect the device during its lifecycle phases.
10 Audit and Control Principles
10.1 PTS
PED Security Requirements (managed by PCI SSC) are primarily concerned with device characteristics impacting the security of the PIN Entry Device used by the cardholder during a financial transaction. The requirements also include device management up to the point of initial key loading, but the evaluation process only addresses device characteristics.
The vendor is required to be compliant with the PTS management requirements, but the PTS does not define any Derived Test Requirement (DTR) for PD management requirements.
10.2 ISO 13491-1
ISO 13491-1 proposes some recommendations to allow security stakeholders to cover the POS security audit and control in the Post Manufacturing stage.
Auditing and control procedures shall be implemented which have a high probability of preventing or detecting the unauthorized alteration of the device or the replacement of the device with a counterfeit substitute.
It also defines three evaluation methods: informal, semi-formal and formal.
A risk assessment shall be undertaken as an aid in choosing which methodology is appropriate.
Informal and semi-formal methods can use the checklists included in ISO 13491-2.
No.  Procedure  (Post Manufacturing Stage)
1    One or more parties responsible for the device.  Mandatory
2    Careful screening of, or control over, personnel with access to a device designed for use in a controlled environment.  Mandatory
3    Careful screening of, or control over, personnel with access to a device designed for use in a minimally controlled environment.  Mandatory
5    Control mechanisms or sealing of the device in counterfeit-resistant, tamper-evident packaging to prevent undetected access to the device.  Mandatory
6    Preparation and use of audit checklists.  Mandatory
7    Verification that audit checklists are filled out accurately, on a timely basis, and by qualified personnel.  Recommended
8    Key management procedures implemented as specified in the appropriate International Standard.  Mandatory
9    Accurate tracking of each device, by means of computerized or manually written records.  Mandatory
11   Control of the distribution of device documentation.  Recommended
13   Documented reporting procedures to cause timely detection of a device that has been removed without authorization from storage or from its operational location, or that has disappeared while in transit.  Mandatory
19   Control over the maintenance process in order that the confidentiality of the device design characteristics is maintained.  Mandatory/Recommended
Secure environments: A secure environment provides an outer shell of protection around an insecure device and must be significantly more secure than a controlled environment. It can be a room designed and built for this specific purpose or it could be a safe or a secure cabinet. Whatever form the secure environment takes, only persons with authorized access to the device shall have access to the secure environment. A secure environment is often located within a controlled environment.
Controlled environments: A controlled environment is similar to normal computer rooms where there are access controls, allowing access only to authorized personnel. A controlled environment, however, has more stringent access controls and both its interior and the entrances are under surveillance.
Minimally controlled environments: These requirements aim to detect an attack, or theft, within a given maximum period of time.
Uncontrolled environments: There are no security requirements for uncontrolled environments.
10.3 ISO 13491-2
Annex A to H of this standard provides a checklist defining the minimum evaluation for use with all evaluations to assess the acceptability of cryptographic equipment.
11 Stakeholders
Vendors: PD vendors may be impacted by ensuring that the required mechanisms to provide security during this phase as defined in this document are implemented.
Manufacturers / EMS (Electronic Manufacturing Services): These companies may be impacted by supporting and deploying the security mechanisms as defined by PD vendors in order to comply with the security requirements defined in this document.
Logistic Companies: These companies may be impacted by supporting and deploying the security mechanisms to guarantee the integrity and accountability of the PD during the storage and transport steps of this stage.
Key Injection Service Providers: These companies, acting on behalf of acquirers, may be impacted by supporting and deploying the security mechanisms to comply with the security requirements defined in this document for the key loading process.
Acquirers: These companies, as the Key Scheme Authority, may be impacted by supervising the Key Injection Service Providers' observance of the security requirements defined in this document for the key loading process.
Auditors: These companies may be impacted in order to establish test plans according to SPVA recommendations and to audit any PD management activity performed by an actor who is interested in joining the SPVA alliance.
12 SPVA Certification Requirements
12.1 SPVA Security Requirements
12.1.1 SPVA_Post_Manufacturing_Sec_Req_1
SPVA Requirements Definition: A security management system shall be defined and implemented for secure storage and transport activities.
SPVA Recommended Implementation: The security management system shall define the plans and procedures to enforce that the storage and transport activities are implemented in compliance with the ISO 28000:2007 Specification for security management systems for the supply chain.
12.1.2 SPVA_Post_Manufacturing_Sec_Req_2
SPVA Requirements Definition: Documented procedures exist and are followed to ensure that transfer of accountability for the device from the manufacturer to the initial key loading facility is completed.
There are four objectives under the accountability requirement:
- Identification: The process used to recognize an individual PD.
- Authentication: The process used to validate the claimed identity of the PD.
- Non-repudiation: The process of ensuring that a party in a dispute cannot deny or refute the validity of the assumption of a PD responsibility (ownership change).
- Loss detection and prevention.
- Traceability: Audit information shall be selectively kept and protected so that actions affecting security can be traced to each PD.
SPVA Recommended Implementation: Accountable records shall be maintained that indicate the location and status of each device. The accountable party shall be identified by these records. When devices are transferred to another organization, another party becomes accountable for the devices. Therefore, the records at both the originating and receiving organization shall identify the devices and indicate the date of the transfer and the organization to/from which the transfer was made.
There shall be some means of confirming that accountability has been accepted by the receiving organization, and the name of the party that is presently accountable for the transferred devices shall be included in the records of the transferring organization.
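The accountability records called for by SPVA_Post_Manufacturing_Sec_Req_2, as an added worked example in Go rather than anything the SPVA document or its referenced standards prescribe: each organization keeps its own device and transfer records, the originator stays accountable until the receiver's acceptance confirmation is recorded on its side, and a shipment whose acceptance never arrives within a maximum transit period is marked missing, which is the trigger the reporting procedure for devices that disappeared in transit (ISO 13491-1 checklist item 13 in section 10.2) needs. The organization names, device identifiers, dates and the seven-day transit limit are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// DeviceRecord: one organization's view of a PD. Status is "in stock", "in transit", "transferred" or "missing".
type DeviceRecord struct{ DeviceID, Accountable, Status string }

// TransferRecord is held by both organizations; a non-zero Received means the receiver accepted.
type TransferRecord struct {
	DeviceIDs         []string
	From, To          string
	Shipped, Received time.Time
}

// Ledger holds one organization's accountability records.
type Ledger struct {
	Org       string
	Devices   map[string]*DeviceRecord
	Transfers []*TransferRecord
}

func NewLedger(org string) *Ledger { return &Ledger{Org: org, Devices: map[string]*DeviceRecord{}} }

// Register enters a device for which this organization is accountable.
func (l *Ledger) Register(id string) {
	l.Devices[id] = &DeviceRecord{DeviceID: id, Accountable: l.Org, Status: "in stock"}
}

// Ship opens a transfer; the originator stays accountable until the receiver confirms.
func (l *Ledger) Ship(ids []string, to string, t time.Time) (*TransferRecord, error) {
	for _, id := range ids {
		if d, ok := l.Devices[id]; !ok || d.Status != "in stock" || d.Accountable != l.Org {
			return nil, fmt.Errorf("%s: device %s is not in stock under our accountability", l.Org, id)
		}
	}
	for _, id := range ids {
		l.Devices[id].Status = "in transit"
	}
	tr := &TransferRecord{DeviceIDs: append([]string(nil), ids...), From: l.Org, To: to, Shipped: t}
	l.Transfers = append(l.Transfers, tr)
	return tr, nil
}

// Accept is run by the receiver: it takes accountability and returns the confirmation to send back.
func (l *Ledger) Accept(shipped *TransferRecord, t time.Time) (*TransferRecord, error) {
	if shipped.To != l.Org {
		return nil, errors.New("transfer is not addressed to this organization")
	}
	conf := *shipped
	conf.Received = t
	for _, id := range conf.DeviceIDs {
		l.Devices[id] = &DeviceRecord{DeviceID: id, Accountable: l.Org, Status: "in stock"}
	}
	l.Transfers = append(l.Transfers, &conf)
	return &conf, nil
}

// Confirm is run by the originator: the open transfer is closed and its records name the receiver as accountable.
func (l *Ledger) Confirm(conf *TransferRecord) error {
	for _, tr := range l.Transfers {
		if tr.From == conf.From && tr.To == conf.To && tr.Shipped.Equal(conf.Shipped) && tr.Received.IsZero() {
			tr.Received = conf.Received
			for _, id := range tr.DeviceIDs {
				l.Devices[id].Status, l.Devices[id].Accountable = "transferred", conf.To
			}
			return nil
		}
	}
	return errors.New("no open transfer matches this confirmation")
}

// Overdue marks unconfirmed shipments older than maxTransit as missing and returns the device IDs,
// the trigger for the reporting procedure covering devices that disappeared in transit.
func (l *Ledger) Overdue(now time.Time, maxTransit time.Duration) []string {
	var ids []string
	for _, tr := range l.Transfers {
		if tr.From == l.Org && tr.Received.IsZero() && now.Sub(tr.Shipped) > maxTransit {
			for _, id := range tr.DeviceIDs {
				l.Devices[id].Status = "missing"
				ids = append(ids, id)
			}
		}
	}
	return ids
}

// RunScenario plays a constructed transfer between a manufacturer and a key injection
// facility (hypothetical names) plus a second shipment whose acceptance never arrives.
func RunScenario() (mfg, kif *Ledger, overdue []string) {
	day := func(n int) time.Time { return time.Date(2011, 6, 6+n, 0, 0, 0, 0, time.UTC) }
	mfg, kif = NewLedger("EXAMPLE-MFG"), NewLedger("EXAMPLE-KIF")
	for _, id := range []string{"PD-0001", "PD-0002", "PD-0003"} {
		mfg.Register(id)
	}
	tr, _ := mfg.Ship([]string{"PD-0001", "PD-0002"}, kif.Org, day(0))
	conf, _ := kif.Accept(tr, day(2))
	_ = mfg.Confirm(conf)
	_, _ = mfg.Ship([]string{"PD-0003"}, kif.Org, day(1)) // acceptance never confirmed
	overdue = mfg.Overdue(day(10), 7*24*time.Hour)         // assumed seven-day transit limit
	return
}
```

The point of keeping a transfer record on both sides is that neither organization can unilaterally rewrite who was accountable when: the originator's record shows the receiver as accountable only after the receiver's own confirmation was matched against the open shipment, and until then an auditor sees the devices as in transit under the originator.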
12.1.3 SPVA_Post_Manufacturing_Sec_Req_3
SPVA Requirements Definition: A secure mechanism that provides PD authentication shall be established during post manufacturing processes.
SPVA Recommended Implementation: The PD authentication mechanism shall be based on an asymmetric key pair based on a Public Key Infrastructure. The PD manufacturer shall provide the appropriate information and security mechanism to validate the authenticity and integrity of the PD.
12.1.4 SPVA_Post_Manufacturing_Sec_Req_4
SPVA Requirements Definition: Documented procedures exist and are followed to implement and operate a Key Management Infrastructure to support the enforcement of key management practices for generation and/or acquisition, distribution, protection, and use (destruction) of keying material necessary to ensure the PD authenticity, integrity and (operability) under the Key Scheme Authority.
SPVA Recommended Implementation: The Key Management Infrastructure shall define the plans and procedures to enforce that the Key Management activities, especially the Key Loading process, are implemented in compliance with the ANSI X9 TR-39 2009 and PIN Security Requirements Version 2.0.
12.1.5 SPVA_Post_Manufacturing_Sec_Req_5
SPVA Requirements Definition: The organization shall establish, implement and maintain appropriate plans and procedures to identify and respond to security incidents.
SPVA Recommended Implementation: The plans and procedures shall define the steps that personnel shall use to ensure that security incidents are identified, contained, investigated, and remedied. The plans and procedures also shall provide a process for documentation, appropriate reporting internally and externally, and communication so that organizational learning occurs. Finally, the plans and procedures shall establish responsibility and accountability for all steps in the process of addressing security incidents.
The organization shall periodically review the effectiveness of its emergency preparedness, response and security recovery plans and procedures, in particular after the occurrence of incidents or emergency situations caused by security breaches and threats. The organization shall periodically test these plans and procedures wherever practicable.
12.1.6 SPVA_General_Req
SPVA Requirements Definition: Where an organization chooses to outsource any process that affects conformity with these requirements, the organization shall ensure that such
processes are controlled. The necessary controls and responsibilities of such outsourced processes shall be identified.
SPVA Recommended Implementation: The risks associated with outsourcing shall be managed through the imposition of suitable controls, comprising a combination of legal, physical, logical, procedural and managerial controls.
The organization shall periodically audit the outsourcer's compliance with the SPVA Security Requirements, or shall employ a mutually agreed independent third party auditor for this purpose.
12.2 SPVA Audit Control Objectives
12.2.1 SPVA_Post_Manufacturing_Aud_Req_1
SPVA Requirements Definition: The organization shall establish, implement and maintain a security audit program and shall ensure that audits of the security system are carried out at planned intervals.
SPVA Recommended Implementation: The audit program, including any schedule, shall be based on the results of threat and risk assessments of the organization's activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. Where possible, audits shall be conducted by personnel independent (2) of those having direct responsibility for the activity being examined.
The audit program shall include the following audit criteria:
- The audit criteria for PD storage and transport activities shall be at least in compliance with the ISO 28000:2007 Specification for security management systems for the supply chain.
- The audit criteria for the Key Management processes shall be at least in compliance with X9 TR-39 2009 and PIN Security Requirements Version 2.0.
(2) NOTE: The phrase "personnel independent" does not necessarily mean personnel external to the organization.
13 Rationale
13.1 SPVA Security Requirements Map

SPVA                          PTS   ISO 13491-1   ISO 13491-2   PIN Security
Post_Manufacturing_Sec_Req_1  F1                  A41
Post_Manufacturing_Sec_Req_2  F2                  A32
                                                  A36
Post_Manufacturing_Sec_Req_3  F3                  A42
Post_Manufacturing_Sec_Req_4        7.3.2         A43           7
                                                  A37           4
                                                  A40/F9        4
                                                  B20/E5        5
                                                  B21           5
                                                  E2/F3/F19     6/7
                                                  E4            1
                                                  F2            5/4/7
                                                  F15           7
                                                  F16           3/4
                                                  F17           4
                                                  F18           3
                                                  F20           3/4
                                                  F21           3/4
                                                  F22           3
                                                  G1            2
                                                  G2            4
Post_Manufacturing_Sec_Req_5                      H1-H22        7
13.2 SPVA Security Requirements Coverage
13.2.1 Secure Post Manufacturing Processes
Integrity: Covered by SPVA_Post_Manufacturing_Req_2.
Accountability: Covered by SPVA_Post_Manufacturing_Req_2.
13.2.2 Initial Key Loading
Confidentiality: Covered by SPVA_Post_Manufacturing_Req_4.
Integrity: Covered by SPVA_Post_Manufacturing_Req_2, SPVA_Post_Manufacturing_Req_3 and SPVA_Post_Manufacturing_Req_4.
Accountability: Covered by SPVA_Post_Manufacturing_Req_4 and SPVA_Post_Manufacturing_Req_4.
Authenticity: Covered by SPVA_Post_Manufacturing_Req_3.
Non-repudiation: Covered by SPVA_Post_Manufacturing_Req_4.
13.2.3 Secure Delivery and Storage
Authenticity: Covered by SPVA_Post_Manufacturing_Req_1.
Non-repudiation: Covered by SPVA_Post_Manufacturing_Req_1.
13.2.4 Incident Management
Confidentiality: Covered by SPVA_Post_Manufacturing_Req_5.
Integrity: Covered by SPVA_Post_Manufacturing_Req_5.
Accountability: Covered by SPVA_Post_Manufacturing_Req_5.
Authenticity: Covered by SPVA_Post_Manufacturing_Req_5.
13.2.5 SPVA Audit
Preventing or detecting: SPVA_Post_Manufacturing_Aud_Req_1
13.3 SPVA Key Loading Scenarios
There are two scenarios for key loading. In both scenarios the Initial Key is loaded at the point of manufacturing in compliance with requirement SPVA_Post_Manufacturing_Sec_Req_4.
The two scenarios differ in the location where the Customer keys are loaded. In the second scenario the Customer keys are loaded under the Customer's responsibility. In both scenarios the Customer keys must be loaded in compliance with SPVA_Post_Manufacturing_Sec_Req_4.
For the second scenario, it is appropriate to discuss the key management process as being both necessary and sufficient. The Initial Key is necessary to ensure the integrity and authenticity of the PD during its complete lifec
ycle. The PD manufacturer must provide the appropriate information and security mechanism to validate the authenticity and integrity of the PD.
Sufficiency is provided by allowing the Initial Key Facility to verify the PD authenticity and integrity based on the Vendor Keys before starting the Customer Key loading process.
1. Initial Key and second-tier key loaded at point of manufacturer
2. Initial Key loaded at point of manufacturer and second-tier key loaded at point of customer.
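How the Initial Key Facility can verify PD authenticity and integrity from the Vendor keys before starting the Customer key loading process (section 13.3), using the asymmetric key pair mechanism that SPVA_Post_Manufacturing_Sec_Req_3 calls for. This is an added example in Go, not code from the SPVA document or from any PD vendor: at manufacture the vendor signs a binding of each device's serial number to the device's own public key, and the facility, holding the vendor public key obtained out of band, checks that signature against the serial it reads off the device and then challenges the device to prove it holds the matching private key. The ECDSA P-256 keys, the SHA-256 binding format, the serial numbers and the function names are assumptions made for the example; a production deployment would carry the binding in a device certificate under a vendor PKI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// DeviceIdentity is what the manufacturer issues for each PD: the serial affixed
// to the device, the device's public key, and the vendor signature binding the two.
type DeviceIdentity struct {
	Serial    string
	PubKeyDER []byte
	VendorSig []byte
}

// identityDigest is the message the vendor signs (assumed format: serial, NUL, DER key).
func identityDigest(serial string, pubDER []byte) []byte {
	sum := sha256.Sum256(append(append([]byte(serial), 0), pubDER...))
	return sum[:]
}

// IssueIdentity runs at the manufacturer: the device generates its own key pair
// (the private key never leaves it) and the vendor signs the serial/key binding.
func IssueIdentity(vendor *ecdsa.PrivateKey, serial string) (*DeviceIdentity, *ecdsa.PrivateKey, error) {
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&devKey.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, vendor, identityDigest(serial, pubDER))
	if err != nil {
		return nil, nil, err
	}
	return &DeviceIdentity{Serial: serial, PubKeyDER: pubDER, VendorSig: sig}, devKey, nil
}

// VerifyIdentity runs at the initial key loading facility, which holds the vendor
// public key obtained out of band. The serial read off the device must match the
// issued identity, and the vendor signature over that identity must verify.
func VerifyIdentity(vendorPub *ecdsa.PublicKey, id *DeviceIdentity, observedSerial string) (*ecdsa.PublicKey, error) {
	if id.Serial != observedSerial {
		return nil, errors.New("serial on the device does not match the issued identity")
	}
	if !ecdsa.VerifyASN1(vendorPub, identityDigest(id.Serial, id.PubKeyDER), id.VendorSig) {
		return nil, errors.New("vendor signature over the device identity is invalid")
	}
	pub, err := x509.ParsePKIXPublicKey(id.PubKeyDER)
	if err != nil {
		return nil, err
	}
	devPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("device key is not an ECDSA key")
	}
	return devPub, nil
}

// ProvePossession is the device side of the challenge-response: sign the challenge.
func ProvePossession(devKey *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	d := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, devKey, d[:])
}

// AuthenticateBeforeKeyLoading is the facility's gate: the device proceeds to
// customer key loading only if its identity verifies under the vendor key and it
// answers a fresh challenge with the private key named in that identity.
func AuthenticateBeforeKeyLoading(vendorPub *ecdsa.PublicKey, id *DeviceIdentity, observedSerial string, respond func([]byte) ([]byte, error)) error {
	devPub, err := VerifyIdentity(vendorPub, id, observedSerial)
	if err != nil {
		return err
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	sig, err := respond(challenge)
	if err != nil {
		return err
	}
	d := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(devPub, d[:], sig) {
		return errors.New("device could not prove possession of its private key")
	}
	return nil
}

func main() {
	vendor, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // vendor signing key (constructed)
	id, devKey, _ := IssueIdentity(vendor, "SN-EXAMPLE-0001")    // constructed serial
	err := AuthenticateBeforeKeyLoading(&vendor.PublicKey, id, "SN-EXAMPLE-0001",
		func(c []byte) ([]byte, error) { return ProvePossession(devKey, c) })
	fmt.Println("genuine device, proceed to customer key loading:", err == nil)
}
```

Two checks matter here and both are needed: the vendor signature ties the public key to the serial the facility can see on the housing, so a substituted unit presenting its own key pair fails at VerifyIdentity, and the fresh challenge ensures the unit in front of the operator actually holds the private key from that binding rather than merely replaying a copied identity record.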
14 References
- PCI PED Security Requirements Version 2.1, January 2009
- ISO 13491-1:2007 Banking - Secure cryptographic devices (retail) - Concepts, requirements and evaluation methods
- ISO 13491-2:2000 Banking - Security compliance checklists for devices used in magnetic stripe card systems
- ISO 11568-1:2005 Banking - Key management (retail) - Principles
- ISO 11568-4:2007 Banking - Key management (retail) - Part 4: Asymmetric cryptosystems - Key management and lifecycle
- ISO 11568-5:2005 Banking - Key management (retail) - Key lifecycle for public key cryptosystems
- ISO/IEC 11770-1:1996 Information technology - Security techniques - Key management - Part 1: Framework
- ISO/IEC 11770-3:1996 Information technology - Security techniques - Key management - Part 3: Mechanisms using asymmetric techniques
- ISO 15782-1:2003 Banking - Certificate Management (Public Key Certificates)
- ISO 28000:2007 Specification for security management systems for the supply chain
- ANS X9.42-1998, Public Key Cryptography for The Financial Service Industry
- ANS X9.79-1:2001, Part 1: PKI Practices and Policy Framework
- Payment Card Industry: PIN Security Requirements Version 2.0, January 2008. VISA
- PIN Security Program: Auditor's Guide Version 2, January 2008. VISA
- Cryptographic Key Injection Facility: Auditor's Guide Version 1.0, January 2008. VISA
- Payment Card Industry PIN Security Requirements, March 2008. MasterCard
- PCI PIN Security Requirements Version 2.0, January 2008. VISA
- ANSI X9 TR-39 2009. TG-3 Retail Financial Services Compliance Guideline Part 1: PIN Security and Key Management
- CobiT 4.1 (Control Objectives for Information and related Technology). ISACA
15 Appendix 1: SPVA Requirements Updated After PCI PTS v3 (April 2010)
15.1 Introduction
The Payment Card Industry PIN Transaction Security (PTS) standard follows a defined 36-month lifecycle. The expiration date of the PCI PTS v2.1 requirements is defined by the PCI SSC as April 2011.
PCI PTS Version 3.0 introduces significant changes in how PCI will be evaluating PIN acceptance on POI terminals. The PCI PTS Version 3.0 document is an evolution of the previous versions and supports a number of new features in the evaluation of POI devices.
The PCI PTS Version 3.0 document, like version 2.1 (January 2009), is only concerned with the device management for PIN acceptance POI devices up to the point of initial key loading. Subsequent to receipt of the device at the initial key loading facility, the acquiring financial institution and its agents (e.g., merchants and processors) are responsible for the device and are covered by the operating rules of the participating PCI payment brands and the PCI PIN Security Requirements.
15.2 PCI PTS v3 Requirements: Manufacturer and Initial Key Loading
No.  Security compliance statement
M1   The device is shipped from the manufacturer's facility to the initial key loading facility, and stored en route, under auditable controls that can account for the location of every PED at every point in time.
M2   Procedures are in place to transfer accountability for the device from the manufacturer to the initial key loading facility.
M3   While in transit from the manufacturer's facility to the initial key loading facility, the device is:
     - Shipped and stored in tamper-evident packaging; and/or
     - Shipped and stored containing a secret that is immediately and automatically erased if any physical or functional alteration to the device is attempted, that can be verified by the initial key loading facility, but that cannot feasibly be determined by unauthorized personnel.
M4   The development security documentation must provide the means to the initial key loading facility to assure the authenticity of the TOE security relevant components.
M5   If the manufacturer is in charge of initial key loading, then the manufacturer must verify the authenticity of the POI security related components.
M6   If the manufacturer is not in charge of initial key loading, the manufacturer must provide the means to the initial key loading facility to assure the verification of the authenticity of the POI security related components.
M7   Each device shall have a unique visible identifier affixed to it.
M8   The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire lifecycle of the POI security related components and of the manner in which those components are integrated into a single POI, e.g.:
     - Data on production and personalization
     - Physical/chronological whereabouts
     - Repair and maintenance
     - Removal from operation
     - Loss or theft
15.3 SPVA Security Requirements Map

PCI/PTS V.3   PCI/PTS V.2   SPVA
M1            F1            Post_Manufacturing_Sec_Req_1
M2            F2            Post_Manufacturing_Sec_Req_2
M3            F3            Post_Manufacturing_Sec_Req_3
M4                          Post_Manufacturing_Sec_Req_3
M5                          Post_Manufacturing_Sec_Req_4 (Scenario 1)
M6                          Post_Manufacturing_Sec_Req_4 (Scenario 2)
M7                          Post_Manufacturing_Sec_Req_2 (Redefinition required)
M8                          New Requirement
15.4 SPVA Certification Requirements
15.4.1 SPVA_Post_Manufacturing_Sec_Req_2 (Redefined)
SPVA Requirements Definition: Documented procedures exist and are followed to ensure that transfer of accountability for the device from the manufacturer to the initial key loading facility is completed.
There are four objectives under the accountability requirement:
- Identification: The process used to recognize an individual PD. Each device shall have a unique visible identifier affixed to it.
- Authentication: The process used to validate the claimed identity of the PD.
- Non-repudiation: The process of ensuring that a party in a dispute cannot deny or refute the validity of the assumption of a PD responsibility (ownership change).
- Loss detection and prevention.
- Traceability: Audit information must be selectively kept and protected so that actions affecting security can be traced to each and every PD.
15.4.2 SPVA_Post_Manufacturing_Sec_Req_5 (New Requirement)
SPVA Requirements Definition (same as PCI PTS v3): The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire lifecycle of the POI security related components and the manner in which those components are integrated into a single POI, e.g.:
- Data on production and personalization
- Physical/chronological whereabouts
- Repair and maintenance
- Removal from operation
- Loss or theft
SPVA Recommended Implementation: Each PD vendor shall define a process to enforce this requirement. An audit and monitoring plan should be defined to obtain evidence that the process is followed as expected.