pci pin security v2 audit techniques

Download PCI PIN Security v2 Audit Techniques

Post on 13-Apr-2018

212 views

Category:

Documents

0 download

Embed Size (px)

TRANSCRIPT

  • 7/26/2019 PCI PIN Security v2 Audit Techniques

    1/192

    Payment Card Industry (PCI)

    PIN Securi ty

    Requirements and Testing Procedures

    Version 2.0

    December 2014

  • 7/26/2019 PCI PIN Security v2 Audit Techniques

    2/192

    PCI PIN Security Requirements and Testing Procedures v2.0 December 2014Copyright 2011-2014 PCI Security Standards Council, LLC. All Rights Reserved. Page i

    Document Changes

    Date Version Descripti on

    October 2011 1.0 Initial release of PCI PIN Security Requirements

    December 2014 2.0 Initial release of requirements with test procedures

  • 7/26/2019 PCI PIN Security v2 Audit Techniques

    3/192

    PCI PIN Security Requirements and Testing Procedures v2.0 December 2014Copyright 2011-2014 PCI Security Standards Council, LLC. All Rights Reserved. Page ii

    Table of ContentsDocument Changes ...................................................................................................................................................................................................... i

    Overv iew ....................................................................................................................................................................................................................... 1

    Usage Conventions ................................................................................................................................................................................................... 2Limitations ................................................................................................................................................................................................................. 2

    Effective Date ............................................................................................................................................................................................................ 2

    PIN Securit y Requirements Techn ical Reference .................................................................................................................................................. 3

    Introduction .................................................................................................................................................................................................................. 3

    ANSI, EMV, ISO, FIPS, NIST, and PCI Standards ..................................................................................................................................................... 3

    Control Objective 1: PINs used in transactions governed by these requirements are processed using equipment and methodologies thatensure they are kept secure. .................................................................................................................................................................................... 5

    Control Objective 2: Cryptographic keys used for PIN encryption/decryption and related key management are created using processes that

    ensure that it is not possible to predict any key or determine that certain keys are more probable than other keys. ............................................ 13Control Objective 3: Keys are conveyed or transmitted in a secure manner. ..................................................................................................... 20

    Control Objective 4: Key-loading to HSMs and PIN entry devices is handled in a secure manner. ................................................................... 29

    Control Objective 5: Keys are used in a manner that prevents or detects their unauthorized usage. ................................................................ 39

    Control Objective 6: Keys are administered in a secure manner. ....................................................................................................................... 46

    Control Objective 7: Equipment used to process PINs and keys is managed in a secure manner. ................................................................... 58

    Normativ e Annex A Symmetri c Key Distri but ion usin g Asymm etric Techniq ues ........................................................................................... 68

    A1 Remote Key Distribution Using Asymmetric Techniques Operations ............................................................................................................... 69

    Control Objective 1: PINs used in transactions governed by these requirements are processed using equipment and methodologies thatensure they are kept secure. .................................................................................................................................................................................. 69

    Control Objective 2: Cryptographic keys used for PIN encryption/decryption and related key management are created using processes thatensure that it is not possible to predict any key or determine that certain keys are more probable than other keys. ............................................ 69

    Control Objective 3: Keys are conveyed or transmitted in a secure manner. ..................................................................................................... 69

    Control Objective 4: Key-loading to hosts and PIN entry devices is handled in a secure manner. .................................................................... 70

    Control Objective 5: Keys are used in a manner that prevents or detects their unauthorized usage. ................................................................ 71

    Control Objective 6: Keys are administered in a secure manner. ....................................................................................................................... 73

  • 7/26/2019 PCI PIN Security v2 Audit Techniques

    4/192

    PCI PIN Security Requirements and Testing Procedures v2.0 December 2014Copyright 2011-2014 PCI Security Standards Council, LLC. All Rights Reserved. Page iii

    A2 Certification and Registration Authority Operations .......................................................................................................................................... 74

    Control Objective 3: Keys are conveyed or transmitted in a secure manner. ..................................................................................................... 74

    Control Objective 4: Key-loading to hosts and PIN entry devices is handled in a secure manner. .................................................................... 74

    Control Objective 5: Keys are used in a manner that prevents or detects their unauthorized usage. ................................................................ 75

    Control Objective 6: Keys are administered in a secure manner. ....................................................................................................................... 77

    Control Objective 7: Equipment used to process PINs and keys is managed in a secure manner. ................................................................... 92

    Normative Annex B Key-In ject ion Facil it ies ....................................................................................................................................................... 103

    Introduction .............................................................................................................................................................................................................. 103

    Control Objective 1: PINs used in transactions governed by these requirements are processed using equipment and methodologies thatensure they are kept secure. ................................................................................................................................................................................ 104

    Control Objective 2: Cryptographic keys used for PIN encryption/decryption and related key management are created using processes thatensure that it is not possible to predict any key or determine that certain keys are more probable than other keys. .......................................... 107

    Control Objective 3:

    Keys are conveyed or transmitted in a secure manner. ................................................................................................... 114

    Control Objective 4: Key-loading to hosts and PIN entry devices is handled in a secure manner. .................................................................. 125

    Control Objective 5: Keys are used in a manner that prevents or detects their unauthorized usage. .............................................................. 140

    Control Objective 6: Keys are administered in a secure manner. ..................................................................................................................... 147

    Control Objective 7: Equipment used to process PINs and keys is managed in a secure manner. ................................................................. 164

    Normative Annex C Minim um and Equivalent Key Sizes and Strengt hs f or Approved Algo rith ms ............................................................ 173

    Glossary .................................................................................................................................................................................................................... 175

  • 7/26/2019 PCI PIN Security v2 Audit Techniques

    5/192

    PCI PIN Security Requirements and Testing Procedures v2.0Overview December 2014Copyright 2011-2014 PCI Security Standards Council, LLC. All Rights Reserved. Page 1

    Overview

    This document contains a complete set of requirements for the se

Recommended

View more >