
Lifecycle of a Secure Payment Device: Post Manufacturing Stage

Revision 3.0, June 6, 2011

Table of Contents

1 Overview ... 5
2 Abbreviations ... 6
3 Glossary ... 7
4 Stage Definition ... 8
5 Stages and Processes ... 9
6 Assumptions ... 10
7 Stage Security Objectives ... 11
8 Applicable Standards ... 12
8.1 Applicable Standards Security Requirements ... 13
8.1.1 PIN Transactions Security Version 2.1, January 2009 ... 13
8.1.1.1 Device Management Requirements ... 13
8.1.2 ISO 13491-1 ... 14
8.1.3 ISO 13491-2: Annex A. Physical, Logical and Device Management Characteristics Common to All Secure Cryptographic Devices ... 14
8.1.3.1 Device Management ... 14
8.1.3.2 Device Protection between Manufacturer and Pre-use ... 14
8.1.4 Annex B. Devices with PIN Entry Functionality ... 15
8.1.4.1 PIN entry Device Protection during Initial Key Loading ... 15
8.1.5 Annex E. Devices with Key Generation Functionality ... 15
8.1.5.1 Logical Security Characteristics ... 15
8.1.6 Annex F. Devices with Key Transfer and Loading Functionality ... 16
8.1.6.1 Logical Security Characteristics ... 16
8.1.6.2 Device Management ... 16
8.1.7 Annex G Devices with Digital Signature Functionality ... 18
8.1.7.1 Device Management ... 18


8.1.8 Annex H Categorization of Environments ... 18
8.1.8.1 Minimally Controlled Environments ... 18
8.1.8.2 Controlled Environments ... 19
8.1.8.3 Secure Environments ... 20
8.1.9 PIN Security & TR-39 ... 21
8.1.9.1 PIN Security ... 21
8.2 Security Requirements Analysis ... 22
8.2.1 Security Requirements Standards Map ... 22
9 Lifecycle Protection Methods ... 23
9.1 ISO 13491-1 Requirements ... 23
9.2 Protection Methods Analysis ... 23
10 Audit and Control Principles ... 24
10.1 PTS ... 24
10.2 ISO 13491-1 ... 24
10.3 ISO 13491-2 ... 25
11 Stakeholders ... 26
12 SPVA Certification Requirements ... 27
12.1 SPVA Security Requirements ... 27
12.1.1 SPVA_Post_Manufacturing_Sec_Req_1 ... 27
12.1.2 SPVA_Post_Manufacturing_Sec_Req_2 ... 27
12.1.3 SPVA_Post_Manufacturing_Sec_Req_3 ... 28
12.1.4 SPVA_Post_Manufacturing_Sec_Req_4 ... 28
12.1.5 SPVA_Post_Manufacturing_Sec_Req_5 ... 28
12.1.6 SPVA_General_Req ... 28
12.2 SPVA Audit Control Objectives ... 29
12.2.1 SPVA_Post_Manufacturing_Aud_Req_1 ... 29
13 Rationale ... 30


13.1 SPVA Security Requirements Map ... 30
13.2 SPVA Security Requirements Coverage ... 31
13.2.1 Secure Post Manufacturing Processes ... 31
13.2.2 Initial Key Loading ... 31
13.2.3 Secure Delivery and Storage ... 31
13.2.4 Incident Management ... 31
13.2.5 SPVA AUDIT ... 31
13.3 SPVA Key loading Scenarios ... 32
14 References ... 34
15 Appendix 1 SPVA Requirements Updated After PCI PTS v3. (April 2010) ... 35
15.1 Introduction ... 35
15.2 PCI PTS v3 Requirements: Manufacturer and Initial Key Loading ... 35
15.3 SPVA Security Requirements Map ... 36
15.4 SPVA Certification Requirements ... 36
15.4.1 SPVA_Post_Manufacturing_Sec_Req_2 (Refined) ... 36
15.4.2 SPVA_Post_Manufacturing_Sec_Req_5 (New Requirement) ... 37


1 Overview

The main purpose of this document is to define the SPVA security requirements applicable for the Post Manufacturing Stage of a payment device.

SPVA has performed a thorough analysis of the current security standards for POS terminals during the Post Manufacturing Stage. The purpose of the analysis was to estimate any potential missing information in security standards in order to achieve full coverage as mandated by the SPVA board. This document represents the conclusions of this effort.

This document only focuses on the Post Manufacturing Stage, which covers the moment the terminal has been produced to the moment the terminal is loaded with the customer keys.

The SPVA TWG2 had the following members who worked on this document: Chairman: Roberto Faans, Hypercom. Other members include:

Organization Represented        Representative
Hypercom                        Isabel Bardsley Garcia
Ingenico                        Yann Levenez
Mustang Micro Systems, Inc.     Tami Harris
Mustang Micro Systems, Inc.     Tom Galloway
PAX SZ                          Alex Dong DQ
Verifone                        Doug Manchester
Verifone                        Sadiq Mohammed


2 Abbreviations

DES: A symmetric method known as Data Encryption Standard
ISO: International Standards Organization
NIST: National Institute of Standards and Technology
PCI: Payment Card Industry
PCI SSC: PCI Security Standards Council
PD: Payment Device
PED: POS PIN Entry Device
PTS: PIN Transaction Security
POS: Point of Sale
RSA: An asymmetric method developed by Rivest, Shamir and Adelman
SP: A document from NIST: Special Publication
SPVA: Secure POS Vendor Alliance
TDEA: A method using DES three times in sequence (i.e. encrypt-decrypt-encrypt) using two or three keys conforming to the Triple Data Encryption Algorithm.
TWG: Technical Working Group


3 Glossary

Asymmetric Keys: Comprised of a pair of keys, one Public, the other Private, that are used to accomplish secure communication and authentication. The RSA algorithm uses asymmetric keys. More information can be found in X9.24 part 2.
Customer Key: A key under Customer management responsibility, usually an acquirer.
Initial Key: The key that is used to assure the integrity and authenticity of the PD during the full Lifecycle of a Secure Payment Device.
Initial Key loading: Process for Customer Key loading.
Payment Device trust establishment: A process to establish the trust relationship between PD and PD manufacturer.
Symmetric Keys: Comprised of a single key that is shared between two or more parties and kept secret (i.e. private), used to accomplish secure communications. Symmetric keys can be used for message authentication (i.e. MAC). DES and TDEA are two of several symmetric key methods. More information can be found in X9.24 part 1.
Vendor Keys: Asymmetric Key pairs under PD manufacturer management responsibility.


4 Stage Definition

The Post Manufacturing Stage consists of the transport and storage of the PD up to and including initial key loading (ISO 13491-1:2007).

This is the only stage covered in this document. Other stages are defined in the following table with the different transition phases. Some of these other stages will be studied in future SPVA documents for Secure Device Lifecycle Management.


5 Stages and Processes

[Table with the columns Transition Event, Lifecycle Phase and Processes; the cells recovered from the extraction are listed below.]

Lifecycle phases: Pre-Manufacturing, Manufacturing, Post Manufacturing, Pre-Use, Use, Post-Use.
Transition events: Completion, Installation, Removal, Reinstallation, Repair/upgrade, Destruction.

Processes by phase:
- Pre-Manufacturing: Secure Development & Update
- Manufacturing: Secure Manufacturing Processes
- Post Manufacturing: Secure Delivery and Storage Processes; Initial Key Loading Processes
- Pre-Use: Secure Deployment Processes
- Use: Secure in-Field Device Management Processes
- Repair, upgrade: Device Repair Processes
- Post-Use: Secure Device Decommissioning Processes
Audit and Incident Management Processes apply across all phases.

Post Manufacturing Stage processes:
- Main: Secure Delivery and Storage Processes; Payment Device Securitization Process (Initial Key Loading)
- Related: Incident Management Process; Audit Process


6 Assumptions

The moment the Payment Device (PD) reaches the Post Manufacturing Stage, it must be able to perform, at minimum, the following functions:
- Trigger an action as a response to tamper detection
- Load authenticated software

In other words, the PD is a working device with the ability to run authenticated software and the security mechanisms that are required to provide a response to tamper detection.


7 Stage Security Objectives

[Table mapping the processes Secure Post Manufacturing Processes, Initial Key Loading, Secure Delivery and Storage and Incident Management Processes against the objectives Confidentiality, Accountability, Authenticity, Non-repudiation, Availability and Integrity; the individual mapping marks did not survive extraction.]

Confidentiality: Sensitive information is not disclosed to unauthorized individuals, entities, or processes. [ISO 18028-2:2006]
Integrity: Safeguarding the accuracy and completeness of assets. [ISO/IEC 13335-1:2004] [ISO 27001:2005] [ISO 13335-1:2004]
Accountability: Actions of an entity may be traced uniquely to the entity. [ISO 7498-2:1989]
Authenticity: Authentic, trustworthy, or genuine.
Non-repudiation: Provides assurance of the integrity and origin of data in such a way that the integrity and origin can be verified by a third party as having originated from a specific entity in possession of the private key of the claimed signatory. [NIST SP 800-57:2007]
Availability: Accessible and useable upon demand by an authorized entity. [ISO/IEC 13335-1:2004] [ISO 18028-2:2006] [ISO 27001:2005] [ISO 13335-1:2004]


8 Applicable Standards

The main standards that are applied to this stage of the process are defined as follows:

Payment Card Industry (PCI) POS PIN Entry Device Security Requirements (PTS[1]) Version 2.1, January 2009: This document is only concerned with the device management for point of sale PEDs up to the point of initial key loading. Subsequent to receipt of the device at the initial key loading facility, the acquiring financial institution and its agents (e.g., merchants and processors) are responsible for the device and are covered by the operating rules of the Associations and the PCI PIN Security Requirements.

ISO 13491-1:2007 Banking, Secure cryptographic devices (retail), Concepts, requirements and evaluation methods: ISO 13491 describes both the physical and logical characteristics and the management of the secure cryptographic devices used to protect messages, cryptographic keys and other sensitive information used in a retail financial services environment. This part of ISO 13491 has two primary purposes:
- To state the requirements concerning both the operational characteristics of SCDs and the management of such devices throughout all stages of their lifecycle, and
- To standardize the methodology for verifying compliance with those requirements.

ISO 13491-2:2000 Banking, Security compliance checklists for devices used in magnetic stripe card systems: This part of ISO 13491 specifies the checklists used to evaluate secure cryptographic devices (SCDs) incorporating cryptographic processes, as specified in ISO 9564, ISO 9807 and ISO 11568, in a magnetic stripe card environment. It does not specify checklists for SCDs used in an integrated circuit card (ICC) environment.

[1] PTS (PIN Transaction Security), former PCI PED


PCI PIN Security Requirements Version 2.0, January 2008 (Visa): This document contains a complete set of requirements for the secure management, processing and transmission of Personal Identification Number (PIN) data during online and offline payment card transaction processing at ATMs, and attended and unattended point of sale (POS) terminals.

ANSI X9 TR-39 2009, TG-3 Retail Financial Services Compliance Guideline Part 1: PIN Security and Key Management: The PIN Security Compliance Guideline is intended to be used to implement a uniform security review. This guideline presents mandatory Control Objectives relating to general procedures and controls. The mandatory Control Objectives are based on requirements set forth in the following:
- X9.8-1 2003 Part 1: (Personal Identification Number (PIN) Management and Security)
- X9.24-1 2004 (Retail Financial Services Symmetric Key Management, Part 1: Using Symmetric Techniques)
- X9.24 Part 2:2006 (Retail Financial Services Symmetric Key Management, Part 2: Using Asymmetric Techniques for Distribution of Symmetric Keys).

8.1 Applicable Standards Security Requirements

8.1.1 PIN Transactions Security Version 2.1, January 2009

8.1.1.1 Device Management Requirements

No.  Description of Requirement
F1   The PED is shipped from the manufacturer's facility to the initial key loading facility and stored en route under auditable controls that can account for the location of every PED at every point in time.
F2   Procedures are in place to transfer accountability for the device from the manufacturer to the initial key loading facility.
F3   While in transit from the manufacturer's facility to the initial key loading facility, the device is:
     - Shipped and stored in tamper-evident packaging; and/or
     - Shipped and stored containing a secret that is immediately and automatically erased if any physical or functional alteration to the device is attempted, that can be verified by the initial key loading facility, but that cannot feasibly be determined by unauthorized personnel.
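The following added example (not part of the SPVA document or of PTS) shows one way the auditable controls of F1 and the accountability transfer of F2 can be recorded and checked: a hash-chained custody ledger in Python that the initial key loading facility verifies on receipt, flagging an altered record, a record that was inserted or removed, and a hand-over that was never recorded. The serial numbers, party names, locations and timestamps are constructed sample data, and the record layout is an assumption of the example.

```python
"""Tamper-evident chain-of-custody ledger for PEDs in transit (added example
for PTS F1 and F2). Each custody record names the party releasing the device,
the party accepting accountability and the device's location, and is chained
to the previous record for that serial by a SHA-256 digest, so an altered,
deleted or skipped hand-over is detected at the initial key loading facility.
Serial numbers, party names, locations and timestamps are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, asdict, replace

GENESIS = "0" * 64  # prev_digest of the first record for a serial


@dataclass(frozen=True)
class CustodyEvent:
    serial: str       # device identity, e.g. its serial number
    timestamp: str    # when accountability changed hands
    from_party: str   # party releasing the device ("" for the factory's first record)
    to_party: str     # party accepting accountability (F2)
    location: str     # where the device is at this point in time (F1)
    prev_digest: str  # digest of the previous record for this serial
    digest: str = ""  # digest of this record, set by append_event


def _sha256_of(fields: dict) -> str:
    """Digest of a record's fields in a canonical JSON encoding."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def append_event(ledger, serial, timestamp, from_party, to_party, location):
    """Append a custody record linked to the last record for that serial."""
    prior = [e for e in ledger if e.serial == serial]
    body = dict(serial=serial, timestamp=timestamp, from_party=from_party,
                to_party=to_party, location=location,
                prev_digest=prior[-1].digest if prior else GENESIS)
    ledger.append(CustodyEvent(**body, digest=_sha256_of(body)))
    return ledger


def verify_custody(ledger, serial):
    """Return (ok, findings) for one serial.

    Checks that each record's digest matches its fields, that each record
    links to its predecessor, and that accountability was handed over without
    gaps: the releasing party of every transfer is the party that last
    accepted the device.
    """
    findings = []
    events = [e for e in ledger if e.serial == serial]
    if not events:
        return False, ["no custody records for this serial"]
    expected_prev, holder = GENESIS, None
    for i, e in enumerate(events):
        fields = asdict(e)
        fields.pop("digest")
        if _sha256_of(fields) != e.digest:
            findings.append(f"record {i}: digest mismatch (record altered)")
        if e.prev_digest != expected_prev:
            findings.append(f"record {i}: broken chain link (record inserted or removed)")
        if holder is not None and e.from_party != holder:
            findings.append(f"record {i}: accountability gap, {holder} never released the device")
        holder, expected_prev = e.to_party, e.digest
    return not findings, findings


def build_sample_ledger():
    """Constructed sample: one PED goes from the factory vault, via a courier,
    to the initial key loading facility (KLF), with every hand-over recorded."""
    ledger = []
    append_event(ledger, "PED-000123", "2011-06-01T08:00Z", "", "Factory QA", "Factory vault")
    append_event(ledger, "PED-000123", "2011-06-02T10:30Z", "Factory QA", "Courier", "In transit, sealed case")
    append_event(ledger, "PED-000123", "2011-06-04T15:00Z", "Courier", "KLF receiving", "KLF receiving cage")
    return ledger


def demo_altered_record():
    """The location on the courier record is changed after the fact."""
    ledger = build_sample_ledger()
    ledger[1] = replace(ledger[1], location="Unknown warehouse")
    return verify_custody(ledger, "PED-000123")


def demo_missing_handover():
    """The courier's acceptance was never recorded: the KLF record claims to
    take the device from a party that, per the ledger, never held it."""
    ledger = []
    append_event(ledger, "PED-000124", "2011-06-01T08:00Z", "", "Factory QA", "Factory vault")
    append_event(ledger, "PED-000124", "2011-06-04T15:00Z", "Courier", "KLF receiving", "KLF receiving cage")
    return verify_custody(ledger, "PED-000124")


if __name__ == "__main__":
    print("intact ledger:", verify_custody(build_sample_ledger(), "PED-000123"))
    print("altered record:", demo_altered_record())
    print("missing hand-over:", demo_missing_handover())
```

The ledger only makes gaps and alterations visible; it does not by itself establish who holds a device physically, so in practice the receiving facility would reconcile it against the tamper-evident packaging or the device-held secret described in F3.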


8.1.2 ISO 13491-1

No.  Description of Requirement
-    Until an initial key has been loaded, it is necessary to detect a compromise but not to prevent it.
-    If a compromise is detected, it is only necessary to ensure that keys are not injected into the device and it is not placed in service until all effects of the compromise have been eliminated from it.

8.1.3 ISO 13491-2: Annex A. Physical, Logical and Device Management Characteristics Common to All Secure Cryptographic Devices

8.1.3.1 Device Management

No.  Security compliance statement
A32  For audit and control purposes, the identity of the device (e.g. its serial number) can be determined, either by external tamper-evident marking or labeling, or by a command that causes the device to return its identity via the interface or via the display.
A36  If a device does not yet contain a secret cryptographic key and there is an attack on a device, or a device is stolen, then procedures are in place to prevent the substitution of the attacked or stolen device for a legitimate device that does not yet contain a secret cryptographic key.
A37  If no sensitive state exists in the device, the loading of plaintext keys will be performed under dual control.

8.1.3.2 Device Protection between Manufacturer and Pre-use

No.  Security compliance statement
A40  The transfer mechanisms by which plaintext keys, key components or passwords are entered into the device are protected and/or inspected so as to prevent any type of monitoring that could result in the unauthorized disclosure of any component or password.
A41  Subsequent to manufacturing and prior to shipment, the device is stored in a protected area or sealed within tamper-evident packaging to prevent undetected unauthorized access to it.


No.  Security compliance statement
A42  The device is shipped in tamper-evident packaging, and inspected to detect unauthorized access to it; or
     before a device is loaded with cryptographic keys, it is closely inspected by qualified staff to ensure that it has not been subject to any physical or functional modification; or
     the device is delivered with secret information that is erased if tampering is detected to enable the user to ascertain that the device is genuine and not compromised.
     NOTE: One example of such information is the private key of an asymmetric key pair, with the public key of the device signed by a private key known only to the supplier.
A43  The device is loaded with initial key(s) in a controlled manner only when there is reasonable assurance that the device has not been subject to unauthorized physical or functional modification.

8.1.4 Annex B. Devices with PIN Entry Functionality

8.1.4.1 PIN entry Device Protection during Initial Key Loading

No.  Security compliance statement
B20  A repaired PIN entry device is not reloaded with the original key (except by chance).
B21  Automated techniques are used, or manual procedures are in place and are followed, to ensure each PIN entry device is given at least one statistically unique key unknown to any person and never previously given (except by chance) to any other PIN entry

8.1.5 Annex E. Devices with Key Generation Functionality

8.1.5.1 Logical Security Characteristics

No.  Security compliance statement
E2   The device's key management functions are designed so that no disclosure of any key is possible without collusion between trusted individuals. Specifically:
     - the device's highest level keys are manually loaded as at least two components under dual control;
     - any function used to input or output key components does not operate until at least two different passwords have been entered.


No.  Security compliance statement
E3   The device decomposes an actual key into key components in such a way that no active bit of the key could be determined without the knowledge of all components. For example, the components are exclusive-or'ed together to form the key.
E4   Key generation methods comply with ISO 11568.
E5   Each call to obtain a generated key yields a different, statistically unique key (except by chance).

8.1.6 Annex F. Devices with Key Transfer and Loading Functionality

8.1.6.1 Logical Security Characteristics

No.  Security compliance statement
F2   Enciphered private keys are protected against key substitution and modification.
F3   The device's key management functions are designed so that no disclosure of any key is possible without collusion between trusted individuals. Specifically:
     - the device's highest level keys are manually loaded as at least two components;
     - any function used to input or output key components, except for the device's components.

8.1.6.2 Device Management

No.  Security compliance statement
F9   The transfer mechanisms by which keys, components or passwords are transferred into or out of the device are protected and/or inspected so as to prevent any type of monitoring that could result in the unauthorized disclosure of any keys, components or passwords.
F14  Controls are in place to detect the unauthorized removal of the device from, and its unauthorized replacement back into, its authorized location.
F15  The device is loaded with a key component under the direct supervision of a person who is allowed access to this component, and only when there is reasonable assurance that there is no bug or other disclosing mechanism on the path that the key component traverses from the key generation device to the transport device itself.


No.  Security compliance statement
F16  If the device contains a plaintext key component, the device is either under the continuous supervision of a person who is allowed access to this component (and who is aware of his/her responsibilities to ensure the secrecy of this component), or else is locked or sealed in a security container that cannot feasibly be opened without detection by anyone other than those who are allowed access to the component.
F17  The device is used to inject a component into a cryptographic device only under the direct supervision of a person who is allowed access to this component, and only when there is reasonable assurance that there is no bug or other disclosing mechanism on the path that the key component traverses from the key transport device to the cryptographic device.
F18  The transfer of a key to another secure cryptographic device uses either:
     - a secure communications path, or
     - a secure key transfer device, or
     - a secure cryptographic path, or
     - is carried out in a secure environment.
F19  No person with knowledge of or access to one of the passwords or physical keys required to output a key from the device has knowledge of or access to any other such password or physical key of this device.
F20  The device is loaded with a plaintext key only under the direct supervision of at least two authorized people, both of whom ensure that there is no bug or other disclosing mechanism on the path that the key traverses from the key generation device to the key transport device itself.
F21  The device is used to inject a plaintext key into a cryptographic device only under the direct supervision of at least two authorized people, both of whom ensure that there is no bug or other disclosing mechanism on the path that the key traverses from the key transport device to the cryptographic device.


No.  Security compliance statement
F22  Functionality needed to import, export, or transfer cryptographic keys from external sources ensures that the keys are in one or more of the following forms:
     - enciphered under the proper variant of a symmetric key encipherment key;
     - enciphered under the asymmetric public key of the recipient;
     - enciphered with an import key being specifically enabled for a limited time and limited number of function calls;
     - input under dual or multiple control through the secure operator interface, in components such that full knowledge of all but one component gives no usable information on any bit of the cryptographic key;
     - public keys are entered under dual control or enciphered under the appropriate key or signed as required to ensure authenticity.
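As an added example (not from the SPVA document or from ISO 13491), the Python code below implements the component scheme described in E3 and in the fourth form of F22: a key is split into exclusive-or components, any set of all-but-one components is consistent with every possible key, and a loader only reconstructs the key once each component has been entered by a distinct custodian. The key value and custodian names are constructed sample data.

```python
"""Splitting a key into XOR components (added example for E3 and F22).

A key K is decomposed into n components C1..Cn with K = C1 xor C2 xor ... xor Cn.
The first n-1 components are uniformly random and independent of K, so full
knowledge of all but one component gives no usable information on any bit of
the key. The loader reconstructs K only once every component has been
entered, each by a different custodian. Keys and custodian names below are
constructed sample values.
"""
import secrets
from functools import reduce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("components must have the same length as the key")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n: int) -> list:
    """Split key into n components whose XOR reproduces key.

    The first n-1 components are fresh random bytes from the OS CSPRNG; the
    last is key xor C1 xor ... xor C(n-1), so combining all n yields key.
    """
    if n < 2:
        raise ValueError("dual control needs at least two components")
    random_parts = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = reduce(xor_bytes, random_parts, key)
    return random_parts + [last]


def combine_components(components) -> bytes:
    """Recombine components into the key by XOR-ing them all together."""
    return reduce(xor_bytes, components)


def consistent_final_component(known_components, candidate_key: bytes) -> bytes:
    """Given all but one component, return the missing component that would
    make the assembled key equal candidate_key. Such a component exists for
    every candidate, so the known components are consistent with every
    possible key and reveal nothing about the real one."""
    return reduce(xor_bytes, known_components, candidate_key)


class ComponentLoader:
    """Accepts one component per custodian and assembles the key only when
    all n components are present (dual or multiple control)."""

    def __init__(self, n_components: int):
        self.n = n_components
        self.entries = {}  # custodian name -> component

    def enter(self, custodian: str, component: bytes) -> bool:
        """Record a component; a custodian may enter at most one.
        Returns True once the final component has been entered."""
        if custodian in self.entries:
            raise PermissionError(f"{custodian} already entered a component")
        self.entries[custodian] = component
        return len(self.entries) == self.n

    def assemble(self) -> bytes:
        """Form the key; refuses while any component is still missing."""
        if len(self.entries) < self.n:
            raise RuntimeError("not all components entered; key cannot be formed")
        return combine_components(list(self.entries.values()))


if __name__ == "__main__":
    sample_key = bytes.fromhex("0123456789abcdeffedcba9876543210")  # constructed 16-byte key
    parts = split_key(sample_key, 3)
    loader = ComponentLoader(3)
    for name, part in zip(["custodian A", "custodian B", "custodian C"], parts):
        loader.enter(name, part)
    print("reassembled key matches:", loader.assemble() == sample_key)
```

The property the E3 wording asks for is visible in `consistent_final_component`: for any two custodians' components, a third component can be produced that makes the key come out as any value at all, so the two together carry no information about the real key.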

8.1.7 Annex G Devices with Digital Signature Functionality

8.1.7.1 Device Management

No.  Security compliance statement
G1   If non-repudiation is claimed then:
     - the asymmetric private and public key pair is generated within the digital signature device; and
     - the asymmetric private key is not exported outside the original digital signature device for any reason, including backup and archival purposes.
G2   For audit and control purposes, the binding between the public key and the identity of the owner of the private key is readily determined by use of:
     - public key certificates, where the public key certificate was obtained from an authorized certificate authority, or
     - public key certificates and appropriate certificate management procedures, or
     - other equivalent mechanisms to irrefutably determine the identity of the owner of the corresponding private key.

8.1.8 Annex H Categorization of Environments

8.1.8.1 Minimally Controlled Environments

No.  Security compliance statement
H1   Authorized access is restricted by physical locks or supervised access points to authorized staff, and persons accompanied by authorized staff.
H2   The environment provides facilities for secure fastening of devices with lockable fastening mechanisms, if such devices are to be installed.
H3   A minimally controlled environment shall remain intact until all keys and other secret data stored in devices within the environment are destroyed or until all such devices are removed from the environment.

8.1.8.2 Controlled Environments

No.  Security compliance statement
H4   Authorized access is restricted by physical locks and continually supervised access points to authorized staff, and persons accompanied by authorized staff.
H5   Any access by other than authorized staff is logged, and the log securely kept and periodically audited.
H6   The devices are either:
     - in full view at all times of at least two staff members who have been instructed to check the devices for signs of attacks or presence of any other persons at the devices; or
     - in view of a video camera (through a closed video system) being monitored at least once every X/2 min, or whenever movement close to the devices is automatically detected, by persons who have been specifically tasked with checking the devices for signs of attacks.
     NOTE: The time X/2 min is half the time X min, which is the time estimated to successfully penetrate the equipment in order to: make any additions, substitutions, or modifications (e.g. the installation of a bug) to the hardware or software of the device; or determine or modify any sensitive information (e.g. PINs, access codes, and cryptographic keys), and then subsequently reinstall the device, without requiring specialized skills and equipment not generally available, and without damaging the device so severely that the damage would have a high probability of detection.
H7   There are no entry or exit points for people or equipment except for continually supervised access points, e.g. watched by guards who have been instructed not to permit any import or export of equipment without written authorization identifying the equipment, signed by an authorized person other than the person moving the equipment.
H8   It is not feasible to gain unauthorized access to the controlled environment, or import or export equipment, from under the floor or from above the ceiling.


8.1.8.3 Secure Environments

No.  Security compliance statement
H9   Authorized access is restricted by physical locks and continually supervised access points to pairs of authorized staff and persons accompanied by pairs of authorized staff. Access points that are not supervised are locked and alarmed, so that any entry or exit causes intervention by guards.
H10  Any non-authorized person(s) requiring access to the secure environment will be supervised at all times by at least two authorized persons whilst in the secure environment.
H11  All accesses to the secure environment are logged, and the log securely kept and periodically audited.
H12  All possible access points to the secure environment are either:
     - in full view at all times of at least two authorized staff members who have been instructed to check the devices for signs of attacks; or
     - in view of a video camera (through a closed video system) coupled with circuitry that automatically raises an alarm whenever movement close to the devices is detected or tamper detection circuitry is activated. Even when no alarm is raised, the camera is monitored at least once every 10 min. The images are watched by persons who have been specifically tasked with checking the secure environment for signs of attacks.
H13  There are no entry or exit points for people or equipment except for continually supervised access points, watched by guards who have been instructed not to permit any import or export of equipment without written authorization identifying the equipment, signed by an authorized person other than the person moving the equipment.
H14  If the secure environment is implemented as a secured room, then the device(s) in the secure environment are in view of a video camera (through a closed video system) coupled with circuitry that automatically raises an alarm whenever movement close to the devices is detected or tamper detection circuitry is activated. Even when no alarm is raised, the camera is monitored at least once every 10 min. The images are watched by persons who have been specifically tasked with checking the secure environment for signs of attacks.
H15  The secure environment provides at most limited opportunity for concealment of activity and for the storage of tools and other equipment.
H16  A secure environment remains such until all keys and other secret data stored in devices within the environment are destroyed or until all such devices are removed from the environment.


No.  Security compliance statement
H17  The secure environment contains either:
     - both the device and its host, and there are controls on the environment which prevent the device from being connected to any unauthorized device, and on the host to ensure that exhaustive attacks (on PINs), using legitimate function calls, are not feasible; or
     - the device alone, which contains security mechanisms that protect against exhaustive attacks.

8.1.9 PIN Security & TR-39

The committee has mapped the PIN Security and TR-39 requirements and concludes that both standards are consistent. Refer to Appendix 1, SPVA Requirements Updated After PCI PTS v3. (April 2010), beginning on page 35 for a copy of this map. To facilitate the reading of this document, the PIN Security Objectives definitions will be used.

8.1.9.1 PIN Security

No.  Security compliance statement
1    PINs used in transactions governed by these requirements are processed using equipment and methodologies that ensure they are kept secure.
3    Keys are conveyed or transmitted in a secure manner.
4    Key loading to hosts and PIN entry devices is handled in a secure manner.
5    Keys are used in a manner that prevents or detects their unauthorized usage.
6    Keys are administered in a secure manner.
7    Equipment used to process PINs and keys is managed in a secure manner.


8.2 Security Requirements Analysis

8.2.1 Security Requirements Standards Map

[Table with the columns PTS, ISO 13491:1, ISO 13491:2 and PIN Security; the row alignment did not survive extraction. The entries recovered per column are:]
PTS: F1, F2, F3
ISO 13491:1: 7.3.2
ISO 13491:2: A41, A32, A36, A42, A43, A37, A40/F9, B20/E5, B21, E2/F3/F19, E4, F2, F15, F16, F17, F18, F20, F21, F22, G1, G2, H1-H22
PIN Security: 7, 4, 4, 5, 5, 6/7, 1, 5/4/7, 7, 3/4, 4, 3, 3/4, 3/4, 3, 2, 4, 7


9 Lifecycle Protection Methods

9.1 ISO 13491-1 Requirements

During this phase, auditing and control procedures shall be implemented which have a high probability of preventing or detecting the unauthorized alteration of the device or the replacement of the device with a counterfeit substitute.

Whichever method of key generation is used, key loading shall be performed in such a way that the secret or private key cannot be determined without collusion.

Immediately prior to initial key loading, there shall be assurance that the device has not been subject to unauthorized modification or substitution. This may be accomplished by:
- testing and/or inspection of the device;
- auditing and control of the device post-manufacture, or subsequent to the most recent testing and/or inspection of the device;
- confirmation of the existence within the device of secret data placed there by the manufacturer for the sole purpose of confirming the legitimacy of the device.

Device management shall provide detection of theft or unauthorized removal of the device.

9.2 Protection Methods Analysis

Unlike ISO 13491-1, PTS does not distinguish between requirements and the protection methods that may be used to protect the device during its lifecycle phases.


10 Audit and Control Principles

10.1 PTS

The PED Security Requirements (managed by the PCI SSC) are primarily concerned with device characteristics impacting the security of the PIN Entry Device used by the cardholder during a financial transaction. The requirements also include device management up to the point of initial key loading, but the evaluation process only addresses device characteristics. The vendor is required to be compliant with the PTS management requirements, but PTS does not define any Derived Test Requirement (DTR) for the PD management requirements.

10.2 ISO 13491-1

ISO 13491-1 provides recommendations that allow security stakeholders to cover POS security audit and control in the Post-Manufacturing stage:

Auditing and control procedures shall be implemented which have a high probability of preventing or detecting the unauthorized alteration of the device or the replacement of the device with a counterfeit substitute.

It defines three evaluation methods: informal, semi-formal and formal. A risk assessment shall be undertaken as an aid in choosing which methodology is appropriate. Informal and semi-formal methods can use the checklists included in ISO 13491-2.

No.  Post-Manufacturing Stage  Procedure
1    Mandatory                 One or more parties responsible for the device.
2    Mandatory                 Careful screening of, or control over, personnel with access to a device designed for use in a controlled environment.
3    Mandatory                 Careful screening of, or control over, personnel with access to a device designed for use in a minimally controlled environment.
5    Mandatory                 Control mechanisms or sealing of the device in counterfeit-resistant, tamper-evident packaging to prevent undetected access to the device.
6    Mandatory                 Preparation and use of audit checklists.
7    Recommended               Verification that audit checklists are filled out accurately, on a timely basis, and by qualified personnel.
8    Mandatory                 Key management procedures implemented as specified in the appropriate International Standard.
9    Mandatory                 Accurate tracking of each device, by means of computerized or manually written records.
11   Recommended               Control of the distribution of device documentation.
13   Mandatory                 Documented reporting procedures to cause timely detection of a device that has been removed without authorization from storage or from its operational location, or that has disappeared while in transit.
19   Mandatory/Recommended     Control over the maintenance process in order that the confidentiality of the device design characteristics is maintained.

Secure environments: A secure environment provides an outer shell of protection around an insecure device and must be significantly more secure than a controlled environment. It can be a room designed and built for this specific purpose, or it could be a safe or a secure cabinet. Whatever form the secure environment takes, only persons with authorized access to the device shall have access to the secure environment. A secure environment is often located within a controlled environment.

Controlled environments: A controlled environment is similar to normal computer rooms where there are access controls, allowing access only to authorized personnel. A controlled environment, however, has more stringent access controls, and both its interior and the entrances are under surveillance.

Minimally controlled environments: These requirements aim to detect an attack, or theft, within a given maximum period of time.

Uncontrolled environments: There are no security requirements for uncontrolled environments.

10.3 ISO 13491-2

Annexes A to H of this standard provide checklists defining the minimum evaluation for use with all evaluations to assess the acceptability of cryptographic equipment.


11 Stakeholders

Vendors: PD vendors may be impacted by ensuring that the required mechanisms to provide security during this phase, as defined in this document, are implemented.

Manufacturers (EMS, Electronic Manufacturing Services): These companies may be impacted by supporting and deploying the security mechanisms as defined by the PD vendors in order to comply with the security requirements defined in this document.

Logistics Companies: These companies may be impacted by supporting and deploying the security mechanisms that guarantee the integrity and accountability of the PD during the storage and transport steps of this stage.

Key Injection Service Providers: These companies, acting on behalf of acquirers, may be impacted by supporting and deploying the security mechanisms to comply with the security requirements defined in this document for the key loading process.

Acquirers: These companies, as the Key Scheme Authority, may be impacted by supervising the Key Injection Service Providers' observance of the security requirements defined in this document for the key loading process.

Auditors: These companies may be impacted by the need to establish test plans according to SPVA recommendations and to audit any PD management activity performed by an actor who is interested in joining the SPVA alliance.


12 SPVA Certification Requirements

12.1 SPVA Security Requirements

12.1.1 SPVA_Post_Manufacturing_Sec_Req_1

SPVA Requirements Definition: A security management system shall be defined and implemented for secure storage and transport activities.

SPVA Recommended Implementation: The security management system shall define the plans and procedures to enforce that the storage and transport activities are implemented in compliance with ISO 28000:2007, Specification for security management systems for the supply chain.

12.1.2 SPVA_Post_Manufacturing_Sec_Req_2

SPVA Requirements Definition: Documented procedures exist and are followed to ensure that the transfer of accountability for the device from the manufacturer to the initial key loading facility is completed.

The accountability requirement covers the following objectives:
- Identification: the process used to recognize an individual PD.
- Authentication: the process used to validate the claimed identity of the PD.
- Non-repudiation: the process of ensuring that a party to a dispute cannot deny or refute having assumed responsibility for a PD (ownership change).
- Loss detection and prevention.
- Traceability: audit information shall be selectively kept and protected so that actions affecting security can be traced to each PD.

SPVA Recommended Implementation: Accountable records shall be maintained that indicate the location and status of each device. The accountable party shall be identified by these records. When devices are transferred to another organization, another party becomes accountable for the devices. Therefore, the records at both the originating and the receiving organization shall identify the devices and indicate the date of the transfer and the organization to/from which the transfer was made. There shall be some means of confirming that accountability has been accepted by the receiving organization, and the name of the party that is presently accountable for the transferred devices shall be included in the records of the transferring organization.
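The accountable records described above, as an added example that is not part of the SPVA document and not any vendor's, carrier's or key injection facility's system: each hand-off is a record naming the device, the originating organization, the receiving organization and the date; the sender signs it when the device leaves and the receiver signs the same record to confirm acceptance. Replaying a device's records then yields the presently accountable party, and a hand-off that nobody has confirmed within an agreed transit window is reported, which is the loss-detection objective. Ed25519 signatures with fixed seeds, the organization names, the serial numbers, the dates and the five-day transit window are all constructed for the example; a real deployment would use the organizations' own PKI and record systems.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"time"
)

// Transfer is one hand-off record: device, originating and receiving organization,
// date. The sender signs it when the device leaves; the receiver signs the same
// record on acceptance, which is the confirmation Req_2 asks for.
type Transfer struct {
	DeviceID, From, To string
	Date               time.Time
	FromSig, ToSig     []byte
}

// digest covers every field, so altering any of them afterwards breaks both signatures.
func (t Transfer) digest() []byte {
	s := sha256.Sum256([]byte(t.DeviceID + "|" + t.From + "|" + t.To + "|" + t.Date.UTC().Format(time.RFC3339)))
	return s[:]
}

func HandOff(device, from, to string, fromKey ed25519.PrivateKey, when time.Time) Transfer {
	t := Transfer{DeviceID: device, From: from, To: to, Date: when}
	t.FromSig = ed25519.Sign(fromKey, t.digest())
	return t
}

func Accept(t *Transfer, toKey ed25519.PrivateKey) { t.ToSig = ed25519.Sign(toKey, t.digest()) }

// signedBy checks sig over msg against the directory key of name; an unknown name is false.
func signedBy(dir map[string]ed25519.PublicKey, name string, msg, sig []byte) bool {
	k, ok := dir[name]
	return ok && ed25519.Verify(k, msg, sig)
}

// AccountableParty replays one device's records (kept in date order) from the
// manufacturer and returns who is accountable now. It fails, which is the loss
// detection objective, on a bad signature, on a hand-off by an organization that
// was not accountable, or on a hand-off left unconfirmed for longer than maxTransit.
func AccountableParty(origin string, recs []Transfer, dir map[string]ed25519.PublicKey,
	now time.Time, maxTransit time.Duration) (string, error) {
	holder := origin
	for _, t := range recs {
		if t.From != holder {
			return "", fmt.Errorf("%s: hand-off by %s while %s was accountable", t.DeviceID, t.From, holder)
		}
		if !signedBy(dir, t.From, t.digest(), t.FromSig) {
			return "", fmt.Errorf("%s: hand-off record from %s is not authentic", t.DeviceID, t.From)
		}
		if t.ToSig == nil {
			if now.Sub(t.Date) > maxTransit {
				return "", fmt.Errorf("%s: left %s on %s, never confirmed by %s", t.DeviceID, t.From, t.Date.Format("2006-01-02"), t.To)
			}
			continue // still in transit: the sender stays accountable
		}
		if !signedBy(dir, t.To, t.digest(), t.ToSig) {
			return "", fmt.Errorf("%s: acceptance by %s is not authentic", t.DeviceID, t.To)
		}
		holder = t.To
	}
	return holder, nil
}

// newKey derives an Ed25519 key from a fixed seed (constructed, deterministic for the
// example; real organizations use their own PKI) and publishes the public half in dir.
func newKey(name string, seed byte, dir map[string]ed25519.PublicKey) ed25519.PrivateKey {
	k := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
	dir[name] = k.Public().(ed25519.PublicKey)
	return k
}

const Mfr, Carrier, KIF = "Acme Manufacturing", "FastFreight Logistics", "KIF Services"

// SampleLedger is constructed data, one record list per device: PD-0001 is confirmed
// at every step, PD-0002's second hand-off is never confirmed by the facility, and
// PD-0003's second record has its date altered after both parties signed it.
func SampleLedger() (map[string][]Transfer, map[string]ed25519.PublicKey) {
	dir := map[string]ed25519.PublicKey{}
	mfrKey, carrierKey, kifKey := newKey(Mfr, 1, dir), newKey(Carrier, 2, dir), newKey(KIF, 3, dir)
	day := func(d int) time.Time { return time.Date(2011, 6, d, 9, 0, 0, 0, time.UTC) }
	ledger := map[string][]Transfer{}
	for _, id := range []string{"PD-0001", "PD-0002", "PD-0003"} {
		t1 := HandOff(id, Mfr, Carrier, mfrKey, day(1))
		Accept(&t1, carrierKey)
		t2 := HandOff(id, Carrier, KIF, carrierKey, day(8))
		if id != "PD-0002" {
			Accept(&t2, kifKey)
		}
		if id == "PD-0003" {
			t2.Date = day(9)
		}
		ledger[id] = []Transfer{t1, t2}
	}
	return ledger, dir
}

func main() {
	ledger, dir := SampleLedger()
	now := time.Date(2011, 6, 20, 0, 0, 0, 0, time.UTC)
	for _, id := range []string{"PD-0001", "PD-0002", "PD-0003"} {
		who, err := AccountableParty(Mfr, ledger[id], dir, now, 5*24*time.Hour)
		fmt.Println(id, who, err)
	}
}
```

Because the receiver signs the record exactly as the sender issued it, both organizations hold the same evidence, and a dispute over whether accountability passed is settled by checking a signature rather than by comparing two logs. Run on the sample data, PD-0001 resolves to KIF Services, PD-0002 raises an alert for a hand-off left unconfirmed beyond the window, and PD-0003 fails because the altered date no longer matches either signature.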


12.1.3 SPVA_Post_Manufacturing_Sec_Req_3

SPVA Requirements Definition: A secure mechanism that provides PD authentication shall be established during post-manufacturing processes.

SPVA Recommended Implementation: The PD authentication mechanism shall be based on an asymmetric key pair managed under a Public Key Infrastructure. The PD manufacturer shall provide the appropriate information and security mechanism to validate the authenticity and integrity of the PD.

12.1.4 SPVA_Post_Manufacturing_Sec_Req_4

SPVA Requirements Definition: Documented procedures exist and are followed to implement and operate a Key Management Infrastructure supporting the enforcement of key management practices for the generation and/or acquisition, distribution, protection, use and destruction of the keying material necessary to ensure PD authenticity, integrity and operability under the Key Scheme Authority.

SPVA Recommended Implementation: The Key Management Infrastructure shall define the plans and procedures to enforce that the key management activities, especially the key loading process, are implemented in compliance with ANSI X9 TR-39-2009 and PIN Security Requirements Version 2.0.

12.1.5 SPVA_Post_Manufacturing_Sec_Req_5

SPVA Requirements Definition: The organization shall establish, implement and maintain appropriate plans and procedures to identify and respond to security incidents.

SPVA Recommended Implementation: The plans and procedures shall define the steps that personnel shall use to ensure that security incidents are identified, contained, investigated and remedied. The plans and procedures shall also provide a process for documentation, appropriate reporting internally and externally, and communication so that organizational learning occurs. Finally, the plans and procedures shall establish responsibility and accountability for all steps in the process of addressing security incidents.

The organization shall periodically review the effectiveness of its emergency preparedness, response and security recovery plans and procedures, in particular after the occurrence of incidents or emergency situations caused by security breaches and threats. The organization shall periodically test these plans and procedures wherever practicable.

12.1.6 SPVA_General_Req

SPVA Requirements Definition: Where an organization chooses to outsource any process that affects conformity with these requirements, the organization shall ensure that such processes are controlled. The necessary controls and responsibilities for such outsourced processes shall be identified.

SPVA Recommended Implementation: The risks associated with outsourcing shall be managed through the imposition of suitable controls, comprising a combination of legal, physical, logical, procedural and managerial controls. The organization shall periodically audit the outsourcer's compliance with the SPVA Security Requirements, or shall employ a mutually agreed independent third-party auditor for this purpose.

12.2 SPVA Audit Control Objectives

12.2.1 SPVA_Post_Manufacturing_Aud_Req_1

SPVA Requirements Definition: The organization shall establish, implement and maintain a security audit program and shall ensure that audits of the security system are carried out at planned intervals.

SPVA Recommended Implementation: The audit program, including any schedule, shall be based on the results of threat and risk assessments of the organization's activities and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. Where possible, audits shall be conducted by personnel independent (2) of those having direct responsibility for the activity being examined.

The audit program shall include the following audit criteria:
- The audit criteria for PD storage and transport activities shall be at least in compliance with ISO 28000:2007, Specification for security management systems for the supply chain.
- The audit criteria for the key management processes shall be at least in compliance with X9 TR-39-2009 and PIN Security Requirements Version 2.0.

(2) NOTE: The phrase "personnel independent" does not necessarily mean personnel external to the organization.


13 Rationale

13.1 SPVA Security Requirements Map

SPVA: Post_Manufacturing_Sec_Req_1, Post_Manufacturing_Sec_Req_2, Post_Manufacturing_Sec_Req_3, Post_Manufacturing_Sec_Req_4, Post_Manufacturing_Sec_Req_5
PTS: F1, F2, F3 (F3 is listed against Post_Manufacturing_Sec_Req_3)
ISO 13491-1: 7.3.2
ISO 13491-2: A41, A32, A36, A42, A43, A37, A40/F9, B20/E5, B21, E2/F3/F19, E4, F2, F15, F16, F17, F18, F20, F21, F22, G1, G2, H1-H22
PIN Security: 7, 4, 4, 5, 5, 6/7, 1, 5/4/7, 7, 3/4, 4, 3, 3/4, 3/4, 3, 2, 4, 7


13.2
13.2.1

SPVASecurityRequirementsCoverage
SecurePostManufacturingProcesses Integrity:CoveredbySPVA_Post_Manufacturing_Req_2. Accountability:CoveredbySPVA_Post_Manufacturing_Req_2.

13.2.2

InitialKeyLoading Confidentiality:CoveredbySPVA_Post_Manufacturing_Req_4. Integrity:CoveredbySPVA_Post_Manufacturing_Req_2, SPVA_Post_Manufacturing_Req_3andSPVA_Post_Manufacturing_Req_4. Accountability:CoveredbySPVA_Post_Manufacturing_Req_4and SPVA_Post_Manufacturing_Req_4.. Authenticity:CoveredbySPVA_Post_Manufacturing_Req_3. Nonrepudiation:CoveredbySPVA_Post_Manufacturing_Req_4.

13.2.3 SecureDeliveryandStorage Authenticity:CoveredbySPVA_Post_Manufacturing_Req_1. Nonrepudiation:CoveredbySPVA_Post_Manufacturing_Req_1.

13.2.4 IncidentManagement Confidentiality:CoveredbySPVA_Post_Manufacturing_Req_5. Integrity:CoveredbySPVA_Post_Manufacturing_Req_5. Accountability:CoveredbySPVA_Post_Manufacturing_Req_5. Authenticity:CoveredbySPVA_Post_Manufacturing_Req_5.

13.2.5 SPVAAUDIT Preventingordetecting:SPVA_Post_Manufacturing_Aud_Req_1

LifecycleofaSecurePaymentDevice: PostManufacturingStage June6,201Revision3.0

Page31

13.3

SPVAKeyloadingScenarios
Therearetwoscenariosforkeyloading.InbothscenariostheInitialKeyisloadedatthe pointofmanufacturingincompliancewithrequirement SPVA_Post_Manufacturing_Sec_Req_4. ThetwoscenariosdifferinthelocationtheCustomerkeysareloaded.Inthesecond scenariotheCustomerkeysareloadedundertheCustomersresponsibility. InbothscenariostheCustomerkeysmustbeloadedincompliancewith SPVA_Post_Manufacturing_Sec_Req_4. Forthesecondscenario,itisappropriatetodiscussthekeymanagementprocessasbeing bothnecessaryandsufficient.TheInitialkeyisnecessarytoinsuretheintegrityand authenticityofthePDduringitscompletelifecycle. ThePDmanufacturermustprovidetheappropriatedinformationandsecuritymechanismto validatetheauthenticityandintegrityofthePD. SufficiencyisprovidedbyallowingtheInitialKeyFacilitytoverifythePDauthenticityand integritybasedontheVendorKeysbeforestartingtheCustomerKeyloadingprocess.

LifecycleofaSecurePaymentDevice: PostManufacturingStage June6,201Revision3.0

Page32

1. Initial Key and second-tier key loaded at point of manufacturer

2. Initial Key loaded at point of manufacturer and second-tier key loaded at point of customer.

LifecycleofaSecurePaymentDevice: PostManufacturingStage June6,201Revision3.0

Page33

14

References
PCIPEDSecurityRequirementsVersion2.1.January2009 ISO134911:2007BankingSecurecryptographicdevices(retail)Concepts, requirementsandevaluationmethods ISO134912:2000BankingSecuritycompliancechecklistsfordevicesusedin magneticstripecardsystems. ISO115681:2005BankingKeymanagement(retail).Principles. ISO115684:2007BankingKeymanagement(retail)Part4:Asymmetric cryptosystemsKeymanagementandlifecycle. ISO115685:2005BankingKeymanagement(retail)Keylifecycleforpublickey cryptosystems. ISOIEC117701:1996InformationtechnologySecuritytechniquesKey managementPart1:Framework ISOIEC117703:1996InformationtechnologySecuritytechniquesKey managementPart3:Mechanismsusingasymmetrictechniques. ISO157821:2003_BankingCertificateManagement(PublicKeyCertificates) ISO28000:2007Specificationforsecuritymanagementsystemsforthesupplychain. ANSX9.421998,PublicKeyCryptographyforTheFinancialServiceIndustry. ANSX9.791:2001.Part1:PKIPracticesandPolicyFramework. PaymentCardIndustry:PINSecurityRequirementsVersion2.0January2008.VISA PINSecurityProgram:AuditorsGuideVersion2January2008.VISA CryptographicKeyInjectionFacility:AuditorsGuideVersion1.0January2008.VISA PaymentCardIndustryPINSecurityRequirementsMarch2008.MasterCard. PCIPINSecurityRequirementsVersion2.0January2008.VISA ANSIX9TR392009.TG3RetailFinancialServicesComplianceGuidelinePart1:PIN SecurityandKeyManagement. CobIT4.1(ControlObjectivesforInformationandrelatedTechnology).ISACA
Page34

LifecycleofaSecurePaymentDevice: PostManufacturingStage June6,201Revision3.0

15
15.1

Appendix1SPVARequirementsUpdatedAfterPCIPTS v3.(April2010)
Introduction
ThePaymentCardIndustryPINTransactionSecurity(PTS)standardfollowsadefined36 monthlifecycle.TheexpirationofPCIPTSv2.1requirementsdateisdefinedbythePCISSC, April2011. ThePCIPTSVersion3.0introducessignificantchangesinhowPCIwillbeevaluatingPIN acceptanceonPOIterminals.ThePCIPTSVersion3.0documentisanevolutionofthe previousversionsandsupportsanumberofnewfeaturesintheevaluationofPOIdevices. ThePCIPTSVersion3.0document,likeversion2.1(January2009),isonlyconcernedwiththe devicemanagementforPINacceptancePOIdevicesuptothepointofinitialkeyloading. Subsequenttoreceiptofthedeviceattheinitialkeyloadingfacility,theacquiringfinancial institutionanditsagents(e.g.,merchantsandprocessors)areresponsibleforthedeviceand arecoveredbytheoperatingrulesoftheparticipatingPCIpaymentbrandsandthePCIPIN SecurityRequirements.

15.2 PCIPTSv3Requirements:ManufacturerandInitialKeyLoading No. Securitycompliancestatement


M1 Thedeviceisshippedfromthemanufacturersfacilitytotheinitialkeyloading facility,andstoredenrouteunderauditablecontrolsthatcanaccountforthe locationofeveryPEDateverypointintime. Proceduresareinplacetotransferaccountabilityforthedevicefromthe manufacturertotheinitialkeyloadingfacility. Whileintransitfromthemanufacturersfacilitytotheinitialkeyloadingfacility,the deviceis: Shippedandstoredintamperevidentpackaging;and/or Shippedandstoredcontainingasecretthatisimmediatelyandautomatically erasedifanyphysicalorfunctionalalterationtothedeviceisattempted,that canbeverifiedbytheinitialkeyloadingfacility,butthatcannotfeasiblybe determinedbyunauthorizedpersonnel. Thedevelopmentsecuritydocumentationmustprovidethemeanstotheinitialkey loadingfacilitytoassuretheauthenticityoftheTOEsecurityrelevantcomponents. Ifthemanufacturerisinchargeofinitialkeyloading,thenthemanufacturermust verifytheauthenticityofthePOIsecurityrelatedcomponents. Ifthemanufacturerisnotinchargeofinitialkeyloading,themanufacturermust providethemeanstotheinitialkeyloadingfacilitytoassuretheverificationofthe authenticityofthePOIsecurityrelatedcomponents.
Page35

M2 M3

M4 M5 M6

LifecycleofaSecurePaymentDevice: PostManufacturingStage June6,201Revision3.0

No. Securitycompliancestatement
M7 M8 Eachdeviceshallhaveauniquevisibleidentifieraffixedtoit. Thevendormustmaintainamanualthatprovidesinstructionsfortheoperational managementofthePOI.Thisincludesinstructionsforrecordingtheentirelifecycle ofthePOIsecurityrelatedcomponentsandofthemannerinwhichthose componentsareintegratedintoasinglePOI,e.g.: Dataonproductionandpersonalization Physical/chronologicalwhereabouts Repairandmaintenance Removalfromoperation Lossortheft

15.3

SPVASecurityRequirementsMap PCI/PTSV.3 PCI/PTSV.2 SPVA


M1 M2 M3 M4 M5 M6 M7 M8 F1 F2 F3 Post_Manufacturing_Sec_Req_1 Post_Manufacturing_Sec_Req_2 Post_Manufacturing_Sec_Req_3 Post_Manufacturing_Sec_Req_3 Post_Manufacturing_Sec_Req_4 Scenario1 Post_Manufacturing_Sec_Req_4 Scenario2 Post_Manufacturing_Sec_Req_2 Redefinitionrequired NewRequirement

15.4
15.4.1

SPVACertificationRequirements
SPVA_Post_Manufacturing_Sec_Req_2(Redefined) SPVARequirementsDefinition:Documentedproceduresexistandarefollowedtoensure thattransferofaccountabilityforthedevicefromthemanufacturertotheinitialkeyloading facilityiscompleted. Therearefourobjectivesundertheaccountabilityrequirement: Identification:TheprocessusedtorecognizeanindividualPD.Eachdeviceshallhave auniquevisibleidentifieraffixedtoit. Authentication:TheprocessusedtovalidatetheclaimedidentityofthePD.

LifecycleofaSecurePaymentDevice: PostManufacturingStage June6,201Revision3.0

Page36

Nonrepudiation:Theprocessofensuringthatapartyinadisputecannotorrefute thevalidityoftheassumptionofaPDresponsibility.(Ownershipchange.) Lostdetectionandprevention. Traceability:Auditinformationmustbeselectivelykeptandprotectedsothatactions affectingsecuritycanbetracedtoeacheveryPD.

15.4.2 SPVA_Post_Manufacturing_Sec_Req_5(NewRequirement) SPVARequirementsDefinition(SameasPCIPTSv3):Thevendormustmaintainamanual thatprovidesinstructionsfortheoperationalmanagementofthePOI.Thisincludes instructionsforrecordingtheentirelifecycleofthePOIsecurityrelatedcomponentsandthe mannerinwhichthosecomponentsareintegratedintoasinglePOI,e.g.: Dataonproductionandpersonalization Physical/chronologicalwhereabouts Repairandmaintenance Removalfromoperation Lossortheft

SPVARecommendedImplementation:EachPDvendorshalldefineaprocesstoenforcethis requirement.Anauditandmonitoringplanshouldbedefinedtoobtainevidencethatthe processisfollowedasexpected.

LifecycleofaSecurePaymentDevice: PostManufacturingStage June6,201Revision3.0

Page37

Anda mungkin juga menyukai