Revision 3.0  June 6, 2011
Table of Contents
1  Overview  5
2  Abbreviations  6
3  Glossary  7
4  Stage Definition  8
5  Stages and Processes  9
6  Assumptions  10
7  Stage Security Objectives  11
8  Applicable Standards  12
8.1  Applicable Standards Security Requirements  13
8.1.1  PIN Transactions Security Version 2.1, January 2009  13
8.1.1.1  Device Management Requirements  13
8.1.2  ISO 13491-1  14
12.1.1  SPVA_Post_Manufacturing_Sec_Req_1  27
12.1.2  SPVA_Post_Manufacturing_Sec_Req_2  27
12.1.3  SPVA_Post_Manufacturing_Sec_Req_3  28
12.1.4  SPVA_Post_Manufacturing_Sec_Req_4  28
12.1.5  SPVA_Post_Manufacturing_Sec_Req_5  28
12.1.6  SPVA_General_Req  28
12.2  SPVA Audit Control Objectives  29
13.2.1  Secure Post Manufacturing Processes  31
13.2.2  Initial Key Loading  31
13.2.3  Secure Delivery and Storage  31
13.2.4  Incident Management  31
13.2.5  SPVA AUDIT  31
13.3  SPVA Key loading Scenarios  32
14  References  34
15  Appendix 1 SPVA Requirements Updated After PCI PTS v3. (April 2010)  35
15.1  Introduction  35
15.2  PCI PTS v3 Requirements: Manufacturer and Initial Key Loading  35
15.3  SPVA Security Requirements Map  36
15.4  SPVA Certification Requirements  36
[Entries for sections 8.1.3 to 8.1.8 and 9 to 13.2 survived extraction only as section numbers.]
1 Overview
The main purpose of this document is to define the SPVA security requirements applicable for the Post Manufacturing Stage of a payment device.
SPVA has performed a thorough analysis of the current security standards for POS terminals during the Post Manufacturing Stage. The purpose of the analysis was to estimate any potential missing information in security standards in order to achieve full coverage as mandated by the SPVA board. This document represents the conclusions of this effort.
This document only focuses on the Post Manufacturing Stage, which covers the moment the terminal has been produced to the moment the terminal is loaded with the customer keys.
The SPVA TWG2 had the following members who worked on this document: Chairman: Roberto Faans, Hypercom. Other members include:
Organization Represented  Representative
Hypercom  Isabel Bardsley Garcia
Ingenico  Yann Levenez
Mustang Micro Systems, Inc.  Tami Harris
Mustang Micro Systems, Inc.  Tom Galloway
PAX SZ  Alex Dong DQ
Verifone  Doug Manchester
Verifone  Sadiq Mohammed
2 Abbreviations
DES  A symmetric method known as Data Encryption Standard
ISO  International Standards Organization
NIST  National Institute of Standards and Technology
PCI  Payment Card Industry
PCI SSC  PCI Security Standards Council
PD  Payment Device
PED  POS PIN Entry Device
PTS  PIN Transaction Security
POS  Point of Sale
RSA  An asymmetric method developed by Rivest, Shamir and Adleman
SP  A document from NIST: Special Publication
SPVA  Secure POS Vendor Alliance
TDEA  A method using DES three times in sequence (i.e. encrypt-decrypt-encrypt) using two or three keys conforming to the Triple Data Encryption Algorithm.
TWG  Technical Working Group
3 Glossary
Asymmetric Keys  Comprised of a pair of keys, one Public, the other Private, that are used to accomplish secure communication and authentication. The RSA algorithm uses asymmetric keys. More information can be found in X9.24 part 2.
Customer Key  A key under Customer management responsibility, usually an acquirer.
Initial Key  The key that is used to assure the integrity and authenticity of the PD during the full lifecycle of a Secure Payment Device.
Initial Key loading  Process for Customer Key loading.
Payment Device trust establishment  A process to establish the trust relationship between PD and PD manufacturer.
Symmetric Keys  Comprised of a single key that is shared between two or more parties and kept secret (i.e. private), used to accomplish secure communications. Symmetric keys can be used for message authentication (i.e. MAC). DES and TDEA are two of several symmetric key methods. More information can be found in X9.24 part 1.
Vendor Keys  Asymmetric Key pairs under PD manufacturer management responsibility.
4 Stage Definition
The Post Manufacturing Stage consists of the transport and storage of the PD up to and including initial key loading (ISO 13491-1:2007). This is the only stage covered in this document. Other stages are defined in the following table with the different transition phases. Some of these other stages will be studied in future SPVA documents for Secure Device Lifecycle Management.
5 Stages and Processes
[Figure: lifecycle table with columns Transition, Lifecycle Phase, Event and Processes. Lifecycle phases: Pre-Manufacturing, Manufacturing, Post Manufacturing, Pre-Use, Use, Post-Use. Transition events: Completion, Installation, Removal, Reinstallation, Repair/upgrade, Destruction. Processes: Audit; Incident Management Processes; Secure Delivery and Storage Processes; Secure Manufacturing; Initial Key Loading Processes; Secure Deployment Processes; Secure in-Field Device Management Processes; Secure Development & Update; Device Repair Processes. Main processes of the Post Manufacturing Stage: Secure Delivery and Storage Processes; Payment Device Securitization Process (Initial Key Loading). The cell layout did not survive extraction.]
6 Assumptions
The moment the Payment Device (PD) reaches the Post Manufacturing Stage, it must be able to perform, at minimum, the following functions:
- Trigger an action as a response to tamper detection
- Load authenticated software
In other words, the PD is a working device with the ability to run authenticated software and the security mechanisms that are required to provide a response to tamper detection.
7 Stage Security Objectives
[Figure: matrix mapping the security objectives Confidentiality, Integrity, Accountability, Authenticity, Non-repudiation and Availability against the Post Manufacturing processes Secure Delivery and Storage and Incident Management Processes; the cell marks did not survive extraction.]
Confidentiality: Sensitive information is not disclosed to unauthorized individuals, entities, or processes. [ISO 18028-2:2006]
Integrity: Safeguarding the accuracy and completeness of assets. [ISO/IEC 13335-1:2004] [ISO 27001:2005] [ISO 13335-1:2004]
Accountability: Actions of an entity may be traced uniquely to the entity. [ISO 7498-2:1989]
Authenticity: Authentic, trustworthy, or genuine.
Non-repudiation: Provides assurance of the integrity and origin of data in such a way that the integrity and origin can be verified by a third party as having originated from a specific entity in possession of the private key of the claimed signatory. [NIST SP 800-57:2007]
Availability: Accessible and useable upon demand by an authorized entity. [ISO/IEC 13335-1:2004] [ISO 18028-2:2006] [ISO 27001:2005] [ISO 13335-1:2004]
8 Applicable Standards
The main standards that are applied to this stage of the process are defined as follows:
Payment Card Industry (PCI) POS PIN Entry Device Security Requirements (PTS [1]) Version 2.1 January 2009:
This document is only concerned with the device management for point of sale PEDs up to the point of initial key loading. Subsequent to receipt of the device at the initial key loading facility, the acquiring financial institution and its agents (e.g., merchants and processors) are responsible for the device and are covered by the operating rules of the Associations and the PCI PIN Security Requirements.
ISO 13491-1:2007 Banking - Secure cryptographic devices (retail) - Concepts, requirements and evaluation methods:
ISO 13491 describes both the physical and logical characteristics and the management of the secure cryptographic devices used to protect messages, cryptographic keys and other sensitive information used in a retail financial services environment.
This part of ISO 13491 has two primary purposes:
- To state the requirements concerning both the operational characteristics of SCDs and the management of such devices throughout all stages of their lifecycle, and
- To standardize the methodology for verifying compliance with those requirements.
[1] PTS (PIN Transaction Security), former PCI PED
PCI PIN Security Requirements Version 2.0 January 2008 (Visa):
This document contains a complete set of requirements for the secure management, processing and transmission of Personal Identification Number (PIN) data during online and offline payment card transaction processing at ATMs, and attended and unattended point of sale (POS) terminals.
ANSI X9 TR-39 2009 TG-3 Retail Financial Services Compliance Guideline Part 1: PIN Security and Key Management:
The PIN Security Compliance Guideline is intended to be used to implement a uniform security review. This guideline presents mandatory Control Objectives relating to general procedures and controls. The mandatory Control Objectives are based on requirements set forth in the following:
- X9.8-1:2003 Part 1: (Personal Identification Number (PIN) Management and Security)
- X9.24-1:2004 (Retail Financial Services Symmetric Key Management, Part 1: Using Symmetric Techniques)
- X9.24 Part 2:2006 (Retail Financial Services Symmetric Key Management, Part 2: Using Asymmetric Techniques for Distribution of Symmetric Keys).
8.1 Applicable Standards Security Requirements
8.1.1 PIN Transactions Security Version 2.1, January 2009
8.1.1.1 Device Management Requirements
No.  Description of Requirement
8.1.2 ISO 13491-1
No.  Description of Requirement
Until an initial key has been loaded, it is necessary to detect a compromise but not to prevent it. If a compromise is detected, it is only necessary to ensure that keys are not injected into the device and it is not placed in service until all effects of the compromise have been eliminated from it.
8.1.3.1 Device Management
No.  Security compliance statement
A32  For audit and control purposes, the identity of the device (e.g. its serial number) can be determined, either by external tamper-evident marking or labeling, or by a command that causes the device to return its identity via the interface or via the display.
A36  If a device does not yet contain a secret cryptographic key and there is an attack on a device, or a device is stolen, then procedures are in place to prevent the substitution of the attacked or stolen device for a legitimate device that does not yet contain a secret cryptographic key.
A37  If no sensitive state exists in the device, the loading of plaintext keys will be performed under dual control.
8.1.3.2 Device Protection between Manufacturer and Pre-use
No.  Security compliance statement
A40  The transfer mechanisms by which plaintext keys, key components or passwords are entered into the device are protected and/or inspected so as to prevent any type of monitoring that could result in the unauthorized disclosure of any component or password.
A41  Subsequent to manufacturing and prior to shipment, the device is stored in a protected area or sealed within tamper-evident packaging to prevent undetected unauthorized access to it.
A42  The device is shipped in tamper-evident packaging, and inspected to detect unauthorized access to it; or
  before a device is loaded with cryptographic keys, it is closely inspected by qualified staff to ensure that it has not been subject to any physical or functional modification; or
  the device is delivered with secret information that is erased if tampering is detected, to enable the user to ascertain that the device is genuine and not compromised.
  NOTE: One example of such information is the private key of an asymmetric key pair, with the public key of the device signed by a private key known only to the supplier.
A43  The device is loaded with initial key(s) in a controlled manner only when there is reasonable assurance that the device has not been subject to unauthorized physical or functional modification.
8.1.4 Annex B. Devices with PIN Entry Functionality
8.1.4.1 PIN entry Device Protection during Initial Key Loading
No.  Security compliance statement
B20  A repaired PIN entry device is not reloaded with the original key (except by chance).
B21  Automated techniques are used, or manual procedures are in place and are followed, to ensure each PIN entry device is given at least one statistically unique key unknown to any person and never previously given (except by chance) to any other PIN entry
8.1.5 Annex E. Devices with Key Generation Functionality
8.1.5.1 Logical Security Characteristics
No.  Security compliance statement
E2  The device's key management functions are designed so that no disclosure of any key is possible without collusion between trusted individuals. Specifically:
  - the device's highest level keys are manually loaded as at least two components under dual control;
  - any function used to input or output key components does not operate until at least two different passwords have been entered.
E3  The device decomposes an actual key into key components in such a way that no active bit of the key could be determined without the knowledge of all components. For example, the components are exclusive-or'ed together to form the key.
E4  Key generation methods comply with ISO 11568.
E5  Each call to obtain a generated key yields a different, statistically unique key (except by chance).
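As an added illustration (not code from the SPVA document or from ISO 13491-1), the following Python splits a key into exclusive-or components as E3 describes, so that all but one component give no information on any key bit (the F22 wording), and recombines them only after two different custodians have authenticated, which is the E2 dual-control rule. The custodian names, passwords and sample key are constructed for the example.

```python
"""Key-component split (E3) and dual-control recombination (E2).

Added illustration; not code from the SPVA document or ISO 13491-1.
Custodian names, passwords and the sample key are constructed.
"""
import os
from typing import Dict, List, Tuple


def xor_all(parts: List[bytes]) -> bytes:
    """XOR any number of equal-length byte strings."""
    acc = bytes(len(parts[0]))
    for p in parts:
        if len(p) != len(acc):
            raise ValueError("component length mismatch")
        acc = bytes(a ^ b for a, b in zip(acc, p))
    return acc


def split_key(key: bytes, n_components: int = 2) -> List[bytes]:
    """Decompose key into n_components XOR shares.

    The first n-1 shares are uniformly random and the last is fixed so that
    the XOR of all shares equals the key. Any n-1 shares are therefore
    statistically independent of the key: no active bit of the key can be
    determined without knowledge of all components (E3, F22).
    """
    if n_components < 2:
        raise ValueError("at least two components are required")
    shares = [os.urandom(len(key)) for _ in range(n_components - 1)]
    shares.append(xor_all([key] + shares))
    return shares


def combine_key(components: List[bytes]) -> bytes:
    """The E3 example: components exclusive-or'ed together form the key."""
    if len(components) < 2:
        raise ValueError("a key is never reconstructed from a single component")
    return xor_all(components)


class ComponentLoader:
    """Accept key components only under dual control (E2).

    Two different custodians must each enter their own password before the
    component-entry function operates, and each custodian may enter only
    one component, so no single person ever holds every component (F16).
    """

    def __init__(self, custodian_passwords: Dict[str, str]) -> None:
        self._passwords = custodian_passwords  # constructed demo credentials
        self._authenticated: List[str] = []
        self._components: Dict[str, bytes] = {}

    def authenticate(self, custodian: str, password: str) -> None:
        if self._passwords.get(custodian) != password:
            raise PermissionError(f"bad password for {custodian}")
        if custodian not in self._authenticated:
            self._authenticated.append(custodian)

    def dual_control_active(self) -> bool:
        return len(self._authenticated) >= 2

    def enter_component(self, custodian: str, component: bytes) -> None:
        if not self.dual_control_active():
            raise PermissionError("locked until two different passwords are entered")
        if custodian not in self._authenticated:
            raise PermissionError(f"{custodian} has not authenticated")
        if custodian in self._components:
            raise PermissionError(f"{custodian} already entered a component")
        self._components[custodian] = component

    def assemble(self) -> bytes:
        if len(self._components) < 2:
            raise PermissionError("fewer than two components entered")
        return combine_key(list(self._components.values()))


def demo() -> Tuple[bytes, bytes]:
    """Split a constructed 16-byte key, load it under dual control and return
    (original key, reconstructed key); the two must be equal."""
    key = bytes(range(16))  # constructed sample key, not a real key
    comp_a, comp_b = split_key(key, 2)
    loader = ComponentLoader({"alice": "pw-a", "bob": "pw-b"})  # constructed
    loader.authenticate("alice", "pw-a")
    loader.authenticate("bob", "pw-b")
    loader.enter_component("alice", comp_a)
    loader.enter_component("bob", comp_b)
    return key, loader.assemble()


if __name__ == "__main__":
    original, rebuilt = demo()
    print("reconstructed key matches:", original == rebuilt)
```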
8.1.6 Annex F. Devices with Key Transfer and Loading Functionality
8.1.6.1 Logical Security Characteristics
No.  Security compliance statement
F2  Enciphered private keys are protected against key substitution and modification.
F3  The device's key management functions are designed so that no disclosure of any key is possible without collusion between trusted individuals. Specifically:
  - the device's highest level keys are manually loaded as at least two components;
  - any function used to input or output key components, except for the device's components.
8.1.6.2 Device Management
No.  Security compliance statement
F9  The transfer mechanisms by which keys, components or passwords are transferred into or out of the device are protected and/or inspected so as to prevent any type of monitoring that could result in the unauthorized disclosure of any keys, components or passwords.
F14  Controls are in place to detect the unauthorized removal of the device from, and its unauthorized replacement back into, its authorized location.
F15  The device is loaded with a key component under the direct supervision of a person who is allowed access to this component, and only when there is reasonable assurance that there is no bug or other disclosing mechanism on the path that the key component traverses from the key generation device to the transport device itself.
F16  If the device contains a plaintext key component, the device is either under the continuous supervision of a person who is allowed access to this component (and who is aware of his/her responsibilities to ensure the secrecy of this component), or else is locked or sealed in a security container that cannot feasibly be opened without detection by anyone other than those who are allowed access to the component.
F17  The device is used to inject a component into a cryptographic device only under the direct supervision of a person who is allowed access to this component, and only when there is reasonable assurance that there is no bug or other disclosing mechanism on the path that the key component traverses from the key transport device to the cryptographic device.
F18  The transfer of a key to another secure cryptographic device uses either:
  - a secure communications path, or
  - a secure key transfer device, or
  - a secure cryptographic path, or
  - is carried out in a secure environment.
F19  No person with knowledge of or access to one of the passwords or physical keys required to output a key from the device has knowledge of or access to any other such password or physical key of this device.
F20  The device is loaded with a plaintext key only under the direct supervision of at least two authorized people, both of whom ensure that there is no bug or other disclosing mechanism on the path that the key traverses from the key generation device to the key transport device itself.
F21  The device is used to inject a plaintext key into a cryptographic device only under the direct supervision of at least two authorized people, both of whom ensure that there is no bug or other disclosing mechanism on the path that the key traverses from the key transport device to the cryptographic device.
F22  Functionality needed to import, export, or transfer cryptographic keys from external sources ensures that the keys are in one or more of the following forms:
  - enciphered under the proper variant of a symmetric key encipherment key;
  - enciphered under the asymmetric public key of the recipient;
  - enciphered with an import key being specifically enabled for a limited time and limited number of function calls;
  - input under dual or multiple control through the secure operator interface, in components such that full knowledge of all but one component gives no usable information on any bit of the cryptographic key;
  - public keys are entered under dual control or enciphered under the appropriate key or signed as required to ensure authenticity.
8.1.7 Annex G. Devices with Digital Signature Functionality
8.1.7.1 Device Management
No.  Security compliance statement
G1  If non-repudiation is claimed then:
  - the asymmetric private and public key pair is generated within the digital signature device; and
  - the asymmetric private key is not exported outside the original digital signature device for any reason, including backup and archival purposes.
G2  For audit and control purposes, the binding between the public key and the identity of the owner of the private key is readily determined by use of:
  - public key certificates, where the public key certificate was obtained from an authorized certificate authority, or
  - public key certificates and appropriate certificate management procedures, or
  - other equivalent mechanisms to irrefutably determine the identity of the owner of the corresponding private key.
8.1.8 Annex H. Categorization of Environments
8.1.8.1 Minimally Controlled Environments
No.  Security compliance statement
H1  Authorized access is restricted by physical locks or supervised access points to authorized staff, and persons accompanied by authorized staff.
H2  The environment provides facilities for secure fastening of devices with lockable fastening mechanisms, if such devices are to be installed.
H3  A minimally controlled environment shall remain intact until all keys and other secret data stored in devices within the environment are destroyed or until all such devices are removed from the environment.
8.1.8.2 Controlled Environments
No.  Security compliance statement
H4  Authorized access is restricted by physical locks and continually supervised access points to authorized staff, and persons accompanied by authorized staff.
H5  Any access by other than authorized staff is logged, and the log securely kept and periodically audited.
H6  The devices are either:
  - in full view at all times of at least two staff members who have been instructed to check the devices for signs of attacks or presence of any other persons at the devices; or
  - in view of a video camera (through a closed video system) being monitored at least once every X/2 min, or whenever movement close to the devices is automatically detected, by persons who have been specifically tasked with checking the devices for signs of attacks.
  NOTE: The time X/2 min is half the time X min, which is the time estimated to successfully penetrate the equipment in order to: make any additions, substitutions, or modifications (e.g. the installation of a bug) to the hardware or software of the device; or determine or modify any sensitive information (e.g. PINs, access codes, and cryptographic keys), and then subsequently reinstall the device, without requiring specialized skills and equipment not generally available, and without damaging the device so severely that the damage would have a high probability of detection.
H7  There are no entry or exit points for people or equipment except for continually supervised access points, e.g. watched by guards who have been instructed not to permit any import or export of equipment without written authorization identifying the equipment, signed by an authorized person other than the person moving the equipment.
H8  It is not feasible to gain unauthorized access to the controlled environment, or import or export equipment, from under the floor or from above the ceiling.
8.1.8.3 Secure Environments
No.  Security compliance statement
H9  Authorized access is restricted by physical locks and continually supervised access points to pairs of authorized staff and persons accompanied by pairs of authorized staff. Access points that are not supervised are locked and alarmed, so that any entry or exit causes intervention by guards.
H10  Any non-authorized person(s) requiring access to the secure environment will be supervised at all times by at least two authorized persons whilst in the secure environment.
H11  All accesses to the secure environment are logged, and the log securely kept and periodically audited.
H12  All possible access points to the secure environment are either:
  - in full view at all times of at least two authorized staff members who have been instructed to check the devices for signs of attacks; or
  - in view of a video camera (through a closed video system) coupled with circuitry that automatically raises an alarm whenever movement close to the devices is detected or tamper detection circuitry is activated. Even when no alarm is raised, the camera is monitored at least once every 10 min. The images are watched by persons who have been specifically tasked with checking the secure environment for signs of attacks.
H13  There are no entry or exit points for people or equipment except for continually supervised access points, watched by guards who have been instructed not to permit any import or export of equipment without written authorization identifying the equipment, signed by an authorized person other than the person moving the equipment.
H14  If the secure environment is implemented as a secured room, then the device(s) in the secure environment are in view of a video camera (through a closed video system) coupled with circuitry that automatically raises an alarm whenever movement close to the devices is detected or tamper detection circuitry is activated. Even when no alarm is raised, the camera is monitored at least once every 10 min. The images are watched by persons who have been specifically tasked with checking the secure environment for signs of attacks.
H15  The secure environment provides at most limited opportunity for concealment of activity and for the storage of tools and other equipment.
H16  A secure environment remains such until all keys and other secret data stored in devices within the environment are destroyed or until all such devices are removed from the environment.
H17  The secure environment contains either:
  - both the device and its host, and there are controls on the environment which prevent the device from being connected to any unauthorized device, and on the host to ensure that exhaustive attacks (on PINs), using legitimate function calls, are not feasible; or
  - the device alone, which contains security mechanisms that protect against exhaustive attacks.
No.  Security compliance statement
1  PINs used in transactions governed by these requirements are processed using equipment and methodologies that ensure they are kept secure.
3  Keys are conveyed or transmitted in a secure manner.
4  Key loading to hosts and PIN entry devices is handled in a secure manner.
5  Keys are used in a manner that prevents or detects their unauthorized usage.
6  Keys are administered in a secure manner.
7  Equipment used to process PINs and keys is managed in a secure manner.
8.2 Security Requirements Analysis
8.2.1 Security Requirements Standards Map
[Table: cross-reference of PTS requirements, ISO 13491-1 compliance statements (F1, F2, F3, G2, H1 to H22) and PIN Security control objectives 1 to 7; the cell contents did not survive extraction.]
9 Lifecycle Protection Methods
9.1 ISO 13491-1 Requirements
During this phase, auditing and control procedures shall be implemented which have a high probability of preventing or detecting the unauthorized alteration of the device or the replacement of the device with a counterfeit substitute.
Whichever method of key generation is used, key loading shall be performed in such a way that the secret or private key cannot be determined without collusion.
Immediately prior to initial key loading, there shall be assurance that the device has not been subject to unauthorized modification or substitution. This may be accomplished by:
- Testing and/or inspection of the device;
- Auditing and control of the device post manufacture, or subsequent to the most recent testing and/or inspection of the device;
- Confirmation of the existence within the device of secret data by the manufacturer for the sole purpose of confirming the legitimacy of the device.
Device management shall provide detection of theft or unauthorized removal of the device.
9.2 Protection Methods Analysis
Unlike ISO 13491-1, PTS does not make any distinction between requirements and protection methods that may be used to protect the device during its lifecycle phases.
10 Audit and Control Principles
10.1 PTS
PED Security Requirements (managed by PCI SSC) are primarily concerned with device characteristics impacting the security of the PIN Entry Device used by the cardholder during a financial transaction. The requirements also include device management up to the point of initial key loading, but the evaluation process only addresses device characteristics. The vendor is required to be compliant with the PTS management requirements, but the PTS does not define any Derived Test Requirement (DTR) for PD management requirements.
10.2 ISO 13491-1
ISO 13491-1 proposes some recommendations to allow security stakeholders to cover the POS security audit and control in the Post Manufacturing stage. Auditing and control procedures shall be implemented which have a high probability of preventing or detecting the unauthorized alteration of the device or the replacement of the device with a counterfeit substitute. It defines three evaluation methods: informal, semi-formal and formal. A risk assessment shall be undertaken as an aid in choosing which methodology is appropriate. Informal and semi-formal methods can use the checklists included in ISO 13491-2.
No.  Procedure  Mandatory/Recommended
1  One or more parties responsible for the device.
2  Careful screening of, or control over, personnel with access to a device designed for use in a controlled environment
3  Careful screening of, or control over, personnel with access to a device designed for use in a minimally controlled environment
5  Control mechanisms or sealing of the device in counterfeit-resistant, tamper-evident packaging to prevent undetected access to the device
6  Preparation and use of audit checklists
7  Verification that audit checklists are filled out accurately, on a timely basis, and by qualified personnel
8  Key management procedures implemented as specified in the appropriate International Standard
9  Accurate tracking of each device, by means of computerized or manually written records
11  Control of the distribution of device documentation
13  Documented reporting procedures to cause timely detection of a device that has been removed without authorization from storage or from its operational location, or that has disappeared while in transit  Mandatory
19  Control over the maintenance process in order that the confidentiality of the device design characteristics is maintained
[The Mandatory/Recommended column survived extraction only for procedure 13.]
Secure environments: A secure environment provides an outer shell of protection around an insecure device and must be significantly more secure than a controlled environment. It can be a room designed and built for this specific purpose or it could be a safe or a secure cabinet. Whatever form the secure environment takes, only persons with authorized access to the device shall have access to the secure environment. A secure environment is often located within a controlled environment.
Controlled environments: A controlled environment is similar to normal computer rooms where there are access controls, allowing access only to authorized personnel. A controlled environment, however, has more stringent access controls and both its interior and the entrances are under surveillance.
Minimally controlled environments: These requirements aim to detect an attack, or theft, within a given maximum period of time.
Uncontrolled environments: There are no security requirements for uncontrolled environments.
10.3 ISO 13491-2
Annexes A to H of this standard provide a checklist defining the minimum evaluation for use with all evaluations to assess the acceptability of cryptographic equipment.
11 Stakeholders
Vendors: PD vendors may be impacted by ensuring that the required mechanisms to provide security during this phase as defined in this document are implemented.
Manufacturers EMS (Electronic Manufacturing Services): These companies may be impacted by supporting and deploying the security mechanisms as defined by PD Vendors in order to comply with the security requirements defined in this document.
Logistic Companies: These companies may be impacted by supporting and deploying the security mechanisms to guarantee the integrity and accountability of the PD during the storage and transport steps of this stage.
Key Injection Service Providers: These companies, acting on behalf of acquirers, may be impacted by supporting and deploying the security mechanisms to comply with the security requirements defined in this document for the key loading process.
Acquirers: These companies, as the Key Scheme Authority, may be impacted by supervising the Key Injection Service Providers' observance of the security requirements defined in this document for the key loading process.
Auditors: These companies may be impacted in order to establish test plans according to SPVA recommendations and to audit any PD management activity performed by an actor who is interested in joining the SPVA alliance.
12 SPVA Certification Requirements
12.1 SPVA Security Requirements
12.1.1 SPVA_Post_Manufacturing_Sec_Req_1
SPVA Requirements Definition: A security management system shall be defined and implemented for secure storage and transport activities.
SPVA Recommended Implementation: The security management system shall define the plans and procedures to enforce that the storage and transport activities are implemented in compliance with the ISO 28000:2007 Specification for security management systems for the supply chain.
12.1.2 SPVA_Post_Manufacturing_Sec_Req_2
SPVA Requirements Definition: Documented procedures exist and are followed to ensure that transfer of accountability for the device from the manufacturer to the initial key loading facility is completed.
There are four objectives under the accountability requirement:
- Identification: The process used to recognize an individual PD.
- Authentication: The process used to validate the claimed identity of the PD.
- Non-repudiation: The process of ensuring that a party in a dispute cannot refute the validity of the assumption of a PD responsibility (ownership change).
- Lost detection and prevention.
- Traceability: Audit information shall be selectively kept and protected so that actions affecting security can be traced to each PD.
12.1.3
12.1.4
SPVA_Post_Manufacturing_Sec_Req_4 SPVARequirementsDefinition:Documentedproceduresexistandarefollowedto implementandoperateaKeyManagementInfrastructuretosupporttheenforcementofkey managementpracticesforgenerationand/oracquisition,distribution,protection,anduse (destruction)ofkeyingmaterialnecessarytoensurethePDauthenticity,integrityand (operability)undertheKeySchemeAuthority. SPVARecommendedImplementation:TheKeyManagementInfrastructureshalldefinethe plansandprocedurestoenforcethattheKeyManagementactivities,speciallytheKey Loadingprocess,areimplementedincompliancewiththeANSIX9TR392009andPIN SecurityRequirementsVersion2.0.
12.1.5
SPVA_Post_Manufacturing_Sec_Req_5 SPVARequirementsDefinition:Theorganizationshallestablish,implementandmaintain appropriateplansandprocedurestoidentifyandrespondtosecurityincidents. SPVARecommendedImplementation:Theplansandproceduresshalldefinethestepsthat personnelshallusetoensurethatsecurityincidentsareidentified,contained,investigated, andremedied.Theplansandproceduresalsoshallprovideaprocessfordocumentation, appropriatereportinginternallyandexternally,andcommunicationsothatorganizational learningoccurs.Finally,theplansandproceduresshallestablishresponsibilityand accountabilityforallstepsintheprocessofaddressingsecurityincidents. Theorganizationshallperiodicallyreviewtheeffectivenessofitsemergencypreparedness, responseandsecurityrecoveryplansandprocedures,inparticularaftertheoccurrenceof incidentsoremergencysituationscausedbysecuritybreachesandthreats.Theorganization shallperiodicallytesttheseplansandprocedureswhereverpracticable.
12.1.6
12.2 SPVA Audit Control Objectives
12.2.1 SPVA_Post_Manufacturing_Aud_Req_1
SPVA Requirements Definition: The organization shall establish, implement and maintain a security audit program and shall ensure that audits of the security system are carried out at planned intervals.
SPVA Recommended Implementation: The audit program, including any schedule, shall be based on the results of threat and risk assessments of the organization's activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. Where possible, audits shall be conducted by personnel independent [2] of those having direct responsibility for the activity being examined.
The audit program shall include the following audit criteria:
The audit criteria for PD storage and transport activities shall be at least in compliance with the ISO 28000:2007 Specification for security management systems for the supply chain.
The audit criteria for the Key Management processes shall be at least in compliance with X9 TR-39 2009 and PIN Security Requirements Version 2.0.
[2] NOTE: The phrase "personnel independent" does not necessarily mean personnel external to the organization.
13 Rationale
13.1 SPVA Security Requirements Map
SPVA                           PIN Security
Post_Manufacturing_Sec_Req_1
Post_Manufacturing_Sec_Req_2
Post_Manufacturing_Sec_Req_3   F3
Post_Manufacturing_Sec_Req_4
Post_Manufacturing_Sec_Req_5
13.2 SPVA Security Requirements Coverage
13.2.1 Secure Post-Manufacturing Processes
Integrity: Covered by SPVA_Post_Manufacturing_Sec_Req_2.
Accountability: Covered by SPVA_Post_Manufacturing_Sec_Req_2.
13.2.2
13.3 SPVA Key Loading Scenarios
There are two scenarios for key loading. In both scenarios the Initial Key is loaded at the point of manufacturing in compliance with requirement SPVA_Post_Manufacturing_Sec_Req_4. The two scenarios differ in the location where the Customer keys are loaded. In the second scenario the Customer keys are loaded under the Customer's responsibility. In both scenarios the Customer keys must be loaded in compliance with SPVA_Post_Manufacturing_Sec_Req_4.
For the second scenario, it is appropriate to discuss the key management process as being both necessary and sufficient. The Initial Key is necessary to ensure the integrity and authenticity of the PD during its complete life cycle. The PD manufacturer must provide the appropriate information and security mechanism to validate the authenticity and integrity of the PD.
Sufficiency is provided by allowing the Initial Key Facility to verify the PD authenticity and integrity based on the Vendor Keys before starting the Customer Key loading process.
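The sufficiency argument above, together with the identification, authentication and traceability objectives of SPVA_Post_Manufacturing_Sec_Req_2, can be made concrete. The Python program below is an added illustration for this edition and is not SPVA text nor any vendor's implementation. It assumes a mechanism the document does not prescribe: the Vendor Key is a per-device HMAC key diversified from a vendor master key and the PD's unique visible identifier, the Initial Key Facility (IKF) holds that master key, and the PD can report a digest of its firmware computed inside its secure boundary. The IKF issues a fresh nonce, verifies the PD's HMAC response and firmware digest, records every outcome per PD for traceability, and refuses to load the Customer Key for a PD that has not just authenticated. It also exercises the failure modes the gate must reject: a clone with the right serial but no Vendor Key, a PD with modified firmware, a replayed response, and a load attempt with no authentication at all. The transport format of the Customer Key itself (key blocks under a KEK, dual control) is left to X9 TR-39 and the PIN Security Requirements cited above and is not modelled.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample values for this example; never real vendor material.
VENDOR_MASTER_KEY = hashlib.sha256(b"example vendor master key").digest()
APPROVED_FIRMWARE = hashlib.sha256(b"pd-firmware-1.0").digest()


def derive_device_key(master: bytes, serial: str) -> bytes:
    """Vendor Key per PD, diversified from its unique visible identifier, so the
    secret in one PD is useless to a PD claiming another serial (assumption:
    the vendor injects exactly this key at manufacture)."""
    return hmac.new(master, b"PD-AUTH|" + serial.encode(), hashlib.sha256).digest()


def response_message(serial: str, nonce: bytes, fw_digest: bytes) -> bytes:
    return b"PD-RESP|" + serial.encode() + b"|" + nonce + b"|" + fw_digest


@dataclass
class PinDevice:
    """PD side: holds the vendor-injected key and its firmware image."""
    serial: str
    firmware: bytes
    auth_key: bytes

    def respond(self, nonce: bytes) -> tuple[bytes, bytes]:
        # Digest assumed computed inside the PD's secure boundary; the MAC binds
        # it to the fresh nonce and the claimed serial.
        fw_digest = hashlib.sha256(self.firmware).digest()
        msg = response_message(self.serial, nonce, fw_digest)
        return fw_digest, hmac.new(self.auth_key, msg, hashlib.sha256).digest()


@dataclass
class InitialKeyFacility:
    """IKF side: challenge, verify authenticity and integrity, then load keys."""
    master: bytes
    approved_firmware: set[bytes]
    audit: list[str] = field(default_factory=list)        # traceability per PD
    pending: dict[str, bytes] = field(default_factory=dict)
    authenticated: set[str] = field(default_factory=set)

    def challenge(self, serial: str) -> bytes:
        nonce = secrets.token_bytes(16)    # fresh per attempt, one outstanding per PD
        self.pending[serial] = nonce
        self.audit.append(f"{serial}: challenge issued")
        return nonce

    def verify(self, serial: str, nonce: bytes, fw_digest: bytes, tag: bytes) -> bool:
        issued = self.pending.pop(serial, None)    # single use, so a replay fails
        if issued is None or not hmac.compare_digest(issued, nonce):
            self.audit.append(f"{serial}: REJECT stale or unknown challenge")
            return False
        expected = hmac.new(derive_device_key(self.master, serial),
                            response_message(serial, nonce, fw_digest), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            self.audit.append(f"{serial}: REJECT authentication failed")
            return False
        if fw_digest not in self.approved_firmware:
            self.audit.append(f"{serial}: REJECT firmware digest not approved")
            return False
        self.authenticated.add(serial)
        self.audit.append(f"{serial}: authenticated, firmware approved")
        return True

    def load_customer_key(self, serial: str, customer_key: bytes) -> bool:
        if serial not in self.authenticated:
            self.audit.append(f"{serial}: REJECT key load without authentication")
            return False
        self.authenticated.discard(serial)  # one load per successful authentication
        # Transport of the key itself (key blocks under a KEK, dual control) is
        # governed by X9 TR-39 / PIN Security Requirements and not modelled here.
        self.audit.append(f"{serial}: customer key loaded ({len(customer_key)} bytes)")
        return True


def run_scenario(ikf: InitialKeyFacility, pd: PinDevice, customer_key: bytes) -> bool:
    """Scenario 2 gate: no Customer Key leaves the IKF unless the PD proved itself."""
    nonce = ikf.challenge(pd.serial)
    fw_digest, tag = pd.respond(nonce)
    return ikf.verify(pd.serial, nonce, fw_digest, tag) and ikf.load_customer_key(pd.serial, customer_key)


def demo() -> dict[str, bool]:
    ikf = InitialKeyFacility(VENDOR_MASTER_KEY, {APPROVED_FIRMWARE})
    ck = secrets.token_bytes(16)
    genuine = PinDevice("PD-0001", b"pd-firmware-1.0", derive_device_key(VENDOR_MASTER_KEY, "PD-0001"))
    clone = PinDevice("PD-0001", b"pd-firmware-1.0", secrets.token_bytes(32))  # right serial, no Vendor Key
    tampered = PinDevice("PD-0002", b"pd-firmware-1.0-modified", derive_device_key(VENDOR_MASTER_KEY, "PD-0002"))
    results = {
        "genuine": run_scenario(ikf, genuine, ck),
        "clone": run_scenario(ikf, clone, ck),
        "tampered_firmware": run_scenario(ikf, tampered, ck),
        "unauthenticated_load": ikf.load_customer_key("PD-0003", ck),
    }
    # Replay: a captured genuine response is presented again in a later session.
    nonce = ikf.challenge(genuine.serial)
    fw_digest, tag = genuine.respond(nonce)
    results["fresh_session"] = ikf.verify(genuine.serial, nonce, fw_digest, tag)
    ikf.challenge(genuine.serial)              # the next session gets a new nonce
    results["replay"] = ikf.verify(genuine.serial, nonce, fw_digest, tag)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'permitted' if ok else 'rejected'}")
```

Two design points carry over to a real IKF regardless of the mechanism chosen: the challenge is consumed before any check is made, so a captured response can never be replayed into a later session, and the authenticated state is discarded on the first key load, so a second device presenting the same serial cannot ride on an earlier PD's authentication. The audit list is the minimum the traceability objective asks for: every decision, including rejections, attributed to a PD identifier.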
Scenario 2: Initial Key loaded at point of manufacture and second-tier key loaded at point of customer.
14 References
PCI PED Security Requirements Version 2.1, January 2009.
ISO 13491-1:2007 Banking - Secure cryptographic devices (retail) - Part 1: Concepts, requirements and evaluation methods.
ISO 13491-2:2000 Banking - Secure cryptographic devices (retail) - Part 2: Security compliance checklists for devices used in magnetic stripe card systems.
ISO 11568-1:2005 Banking - Key management (retail) - Part 1: Principles.
ISO 11568-4:2007 Banking - Key management (retail) - Part 4: Asymmetric cryptosystems - Key management and life cycle.
ISO 11568-5:2005 Banking - Key management (retail) - Part 5: Key life cycle for public key cryptosystems.
ISO/IEC 11770-1:1996 Information technology - Security techniques - Key management - Part 1: Framework.
ISO/IEC 11770-3:1996 Information technology - Security techniques - Key management - Part 3: Mechanisms using asymmetric techniques.
ISO 15782-1:2003 Banking - Certificate management - Part 1: Public key certificates.
ISO 28000:2007 Specification for security management systems for the supply chain.
ANS X9.42-1998, Public Key Cryptography for the Financial Services Industry.
ANS X9.79-1:2001, Part 1: PKI Practices and Policy Framework.
Payment Card Industry: PIN Security Requirements Version 2.0, January 2008. VISA.
PIN Security Program: Auditor's Guide Version 2, January 2008. VISA.
Cryptographic Key Injection Facility: Auditor's Guide Version 1.0, January 2008. VISA.
Payment Card Industry PIN Security Requirements, March 2008. MasterCard.
PCI PIN Security Requirements Version 2.0, January 2008. VISA.
ANSI X9 TR-39-2009. TG-3 Retail Financial Services Compliance Guideline Part 1: PIN Security and Key Management.
CobiT 4.1 (Control Objectives for Information and related Technology). ISACA.
15 Appendix 1: SPVA Requirements Updated After PCI PTS v3 (April 2010)
15.1 Introduction
The Payment Card Industry PIN Transaction Security (PTS) standard follows a defined 36-month life cycle. The expiration date of the PCI PTS v2.1 requirements is defined by the PCI SSC as April 2011.
PCI PTS Version 3.0 introduces significant changes in how PCI will be evaluating PIN acceptance on POI terminals. The PCI PTS Version 3.0 document is an evolution of the previous versions and supports a number of new features in the evaluation of POI devices.
The PCI PTS Version 3.0 document, like version 2.1 (January 2009), is only concerned with the device management for PIN acceptance POI devices up to the point of initial key loading. Subsequent to receipt of the device at the initial key loading facility, the acquiring financial institution and its agents (e.g., merchants and processors) are responsible for the device and are covered by the operating rules of the participating PCI payment brands and the PCI PIN Security Requirements.
No.   Security compliance statement
M2
M3
M4
M5
M6
M7    Each device shall have a unique visible identifier affixed to it.
M8    The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:
      - Data on production and personalization
      - Physical/chronological whereabouts
      - Repair and maintenance
      - Removal from operation
      - Loss or theft
15.3
15.4 SPVA Certification Requirements
15.4.1 SPVA_Post_Manufacturing_Sec_Req_2 (Redefined)
SPVA Requirements Definition: Documented procedures exist and are followed to ensure that transfer of accountability for the device from the manufacturer to the initial key loading facility is completed.
There are four objectives under the accountability requirement:
Identification: The process used to recognize an individual PD. Each device shall have a unique visible identifier affixed to it.
Authentication: The process used to validate the claimed identity of the PD.
15.4.2 SPVA_Post_Manufacturing_Sec_Req_5 (New Requirement)
SPVA Requirements Definition (Same as PCI PTS v3): The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and the manner in which those components are integrated into a single POI, e.g.:
- Data on production and personalization
- Physical/chronological whereabouts
- Repair and maintenance
- Removal from operation
- Loss or theft