180 likes | 543 Views
PCI PIN Entry Device Security Requirements PCI PIN Security Standards. Topics. Payment Card Industry Pin Entry Device (PCI PED) Security Requirements Overview Testing process Programme Requirements Mandates Common Issues Payment Card Industry PIN Security Standards Overview
E N D
PCI PIN Entry Device Security RequirementsPCI PIN Security Standards
Topics Payment Card Industry Pin Entry Device (PCI PED) Security Requirements • Overview • Testing process • Programme Requirements • Mandates • Common Issues Payment Card Industry PIN Security Standards • Overview • Programme Requirements • Common Issues • Related Mandates
PCI PED Security Requirements Overview Formally known as the Visa PED Standards Standards aligned with other payment schemes PCI Pin Entry Device Security Requirements published in Oct 2004 Requirements primarily related to Attended POS Devices (On-line, offline or both) Encrypting PIN Peds (POS, ATMs, Fuel dispensers, kiosk,etc) Eventually to contain full requirements for ATM and other unattended devices Version 2 published in April 2007.
PCI PED Security Requirements Overview • The Security Requirements are divided into two categories • Device characteristics • Physical • Logical • Device management • During manufacturing • Between manufacturing and initial key loading
PCI PED Testing Process • Vendor to complete the relevant documentation and contact PED test lab of choice • PED lab agrees a testing date and timeframe • PED lab to perform evaluation and generate an evaluation report • PCI participant to review report and grant approval • List of Visa approved devices; www.visa.com/PIN
PCI PED Mandates • Effective Now1 January 2004 - All newly deployed attended POS PIN acceptance devices (including replacement devices) must have passed testing by a PCI recognized laboratory and be approved by Visa for new deployments.Effective Now1 October 2005 - All newly deployed EPPs, including replacements or those in newly deployed ATMs, must have passed testing by a PCI-recognized laboratory and have been approved by Visa.1 October 2007All newly deployed unattended POS PIN acceptance devices must contain an EPP that has passed testing by a PCI recognized laboratory and is approved by Visa for new deployments. Additionally, if the device is used for offline PIN acceptance, it must contain a laboratory validated and Visa-approved secure smart card reader.1 July 2010All attended POS PIN acceptance devices must pass testing by a PCI recognized laboratory and have been approved by Visa.
PCI PED Common Issues • Device not PED compliant • Older model of device deployed prior to PCI PED requirement • PCI PED compliance not taken into account when new services are tested and rolled out.
PCI PIN Security Standards Overview • Visa PIN Security Requirements were first published in Mid 1990s • 2004 Visa aligned standard with other payment schemes and published Payment Card Industry Pin Security Standards
PCI PIN Security Standards Overview • Consist of seven Control Objectives • Control Objective One • PINs are processed using equipment and methodologies that ensure they are kept secure. • Control Objective Two • Cryptographic keys used for PIN encryption/decryption are created using processes that ensure that it is not possible to predict any key. • Control Objective Three • Keys are conveyed or transmitted in a secure manner. • Control Objective Four • Key loading to hosts and PIN entry devices is handled in a secure manner.
PCI PIN Security Standards Overview • Control Objective Five • Keys are used in a manner that prevents or detects their unauthorized usage. • Control Objective Six • Keys are administered in a secure manner. • Control Objective Seven • Equipment used to process PINs and keys is managed in a secure manner.
PCI PIN Security Standards Programme Requirements • All acquiring Members and their agents processing PIN-based Visa transactions are required to undergo an on-site review every three years. • On an annual basis all acquiring Members processing PIN-based Visa transactions will be required to complete a certificate to confirm their level of compliance. • On-site review to be conducted by Visa Risk Limited • Acquiring Members or their agents to generate and agree remediation plan with Visa CEMEA
PCI PIN Security Standards Common Issues • Cryptographic keys shared between production and test environment • Pin not protected using a secure PIN Block format • Deploying unapproved Pin Entry Devices • Cryptographic keys not created in a secure manner • Cryptographic key not unique • Cryptographic keys stored in an unsecured manner or format • Lack of documented procedures • Poor device management • Lack of audit trail or logs for key utilisation
Other related Mandates • Chip Reading PIN Entry DevicesEffective NowAll Chip-Reading devices (including Unattended Acceptance Terminals) placed in service that support “enciphered Offline PIN” must also support “plaintext Offline PIN.”Effective NowAll newly deployed Chip-Reading devices must be capable of accepting a PIN (have either a PIN pad or a port capable of supporting a PIN pad). The PIN functionality must either be active or be capable of being activated through a software update.
Other related Mandates • Triple Data Encryption Standard (TDES)Global MandatesEffective NowAll newly deployed ATMs (including replacement devices) must support TDES.Effective NowAll newly deployed point of sale (POS) PIN acceptance devices (including replacement devices) must support TDES.1 July 2010Cardholder PINs must be TDES encrypted from all Points-of-Transaction to the Issuer. However, each Visa Region's TDES dates will supersede the global TDES date whenever the Visa Region date precedes the global date.
Other related Mandates • Visa (CEMEA) TDES MandateEffective NowAll PIN transactions must be TDES encrypted from point of acceptance to Visa.All PIN transactions between Visa and Issuer hosts must be TDES encrypted. • A non-compliance grace period will be introduced until 1 July 2007, at which time all CEMEA Members must be fully compliant to the Regional TDES requirements.
Visa (CEMEA) TDES Mandate • TDES Questionnaire in CEMEA Fraud Information Service Portal