PCI PIN Entry Device Security Requirements PCI PIN Security Standards

Provided by: willi671

Transcript and Presenter's Notes

1
PCI PIN Entry Device Security Requirements / PCI PIN Security Standards
2
Topics
  • Payment Card Industry PIN Entry Device (PCI PED)
    Security Requirements
      • Overview
      • Testing process
      • Programme Requirements
      • Mandates
      • Common Issues
  • Payment Card Industry PIN Security Standards
      • Overview
      • Programme Requirements
      • Common Issues
      • Related Mandates

3
PCI PED Security Requirements Overview
  • Formerly known as the Visa PED Standards
  • Standards aligned with other payment schemes
  • PCI PIN Entry Device Security Requirements
    published in October 2004
  • Requirements primarily relate to
      • Attended POS devices (online, offline or both)
      • Encrypting PIN Pads (EPPs) in POS devices, ATMs,
        fuel dispensers, kiosks, etc.
  • Eventually to contain full requirements for ATMs
    and other unattended devices
  • Version 2 published in April 2007

4
PCI PED Security Requirements Overview
  • The Security Requirements are divided into two
    categories
      • Device characteristics
          • Physical
          • Logical
      • Device management
          • During manufacturing
          • Between manufacturing and initial key loading

5
PCI PED Testing Process
  • Vendor to complete the relevant documentation and
    contact PED test lab of choice
  • PED lab agrees a testing date and timeframe
  • PED lab to perform evaluation and generate an
    evaluation report
  • PCI participant to review report and grant
    approval
  • List of Visa approved devices www.visa.com/PIN

6
PCI PED Mandates
  • Effective now (1 January 2004): All newly deployed
    attended POS PIN acceptance devices (including
    replacement devices) must have passed testing by
    a PCI-recognized laboratory and be approved by
    Visa for new deployments.
  • Effective now (1 October 2005): All newly deployed
    EPPs, including replacements or those in newly
    deployed ATMs, must have passed testing by a
    PCI-recognized laboratory and have been approved
    by Visa.
  • 1 October 2007: All newly deployed unattended POS
    PIN acceptance devices must contain an EPP that
    has passed testing by a PCI-recognized laboratory
    and is approved by Visa for new deployments.
    Additionally, if the device is used for offline
    PIN acceptance, it must contain a
    laboratory-validated and Visa-approved secure
    smart card reader.
  • 1 July 2010: All attended POS PIN acceptance
    devices must have passed testing by a
    PCI-recognized laboratory and have been approved
    by Visa.

7
PCI PED Common Issues
  • Device not PED compliant
  • Older model of device deployed prior to PCI PED
    requirement
  • PCI PED compliance not taken into account when
    new services are tested and rolled out.

8
PCI PIN Security Standards Overview
  • Visa PIN Security Requirements were first
    published in the mid-1990s
  • In 2004 Visa aligned the standard with other
    payment schemes and published the Payment Card
    Industry PIN Security Standards

9
PCI PIN Security Standards Overview
  • Consist of seven Control Objectives
      • Control Objective One: PINs are processed
        using equipment and methodologies that ensure
        they are kept secure.
      • Control Objective Two: Cryptographic keys used
        for PIN encryption/decryption are created
        using processes that ensure that it is not
        possible to predict any key.
      • Control Objective Three: Keys are conveyed or
        transmitted in a secure manner.
      • Control Objective Four: Key loading to hosts
        and PIN entry devices is handled in a secure
        manner.

10
PCI PIN Security Standards Overview
      • Control Objective Five: Keys are used in a
        manner that prevents or detects their
        unauthorized usage.
      • Control Objective Six: Keys are administered
        in a secure manner.
      • Control Objective Seven: Equipment used to
        process PINs and keys is managed in a secure
        manner.

11
PCI PIN Security Standards Programme Requirements
  • All acquiring Members and their agents processing
    PIN-based Visa transactions are required to
    undergo an on-site review every three years.
  • On an annual basis all acquiring Members
    processing PIN-based Visa transactions will be
    required to complete a certificate to confirm
    their level of compliance.
  • On-site review to be conducted by Visa Risk
    Limited
  • Acquiring Members or their agents to generate and
    agree remediation plan with Visa CEMEA

12
PCI PIN Security Standards Common Issues
  • Cryptographic keys shared between production and
    test environments
  • PIN not protected using a secure PIN block format
  • Deploying unapproved PIN Entry Devices
  • Cryptographic keys not created in a secure manner
  • Cryptographic keys not unique
  • Cryptographic keys stored in an unsecured manner
    or format
  • Lack of documented procedures
  • Poor device management
  • Lack of audit trail or logs for key utilisation
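
Added example, not taken from the slides: the "secure PIN block format" finding above is about how the clear PIN is formatted before encryption. The code builds and verifies an ISO 9564-1 format 0 block, in which the PIN field is XORed with the PAN so the block is bound to one account and is rejected when checked against a different PAN. Format 0 is assumed for illustration (the slide names no particular format), and the PIN and PANs are constructed test values.

```python
# Added example: ISO 9564-1 format 0 clear PIN block (PAN-bound).
# The 8-byte block produced here is what a PED then encrypts under
# its PIN key; the PIN, PANs and format choice are assumptions.

def _pan_field(pan: str) -> int:
    """Format 0 PAN field: 0000 + rightmost 12 PAN digits, check digit excluded."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 digits")
    return int("0000" + pan[:-1][-12:], 16)

def _pin_field(pin: str) -> int:
    """Format 0 PIN field: 0, PIN length, PIN digits, then F padding to 16 nibbles."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 digits")
    return int(f"0{len(pin):X}{pin}".ljust(16, "F"), 16)

def encode_format0(pin: str, pan: str) -> str:
    """Clear format 0 PIN block as 16 hex digits: PIN field XOR PAN field."""
    return f"{_pin_field(pin) ^ _pan_field(pan):016X}"

def decode_format0(block_hex: str, pan: str) -> str:
    """Recover the PIN from a clear format 0 block; only succeeds with the same PAN."""
    field = f"{int(block_hex, 16) ^ _pan_field(pan):016X}"
    length = int(field[1], 16)
    if field[0] != "0" or not 4 <= length <= 12:
        raise ValueError("not a format 0 PIN block for this PAN")
    pin, pad = field[2:2 + length], field[2 + length:]
    # The F padding only survives the XOR when the PAN matches the one used to build the block.
    if not pin.isdigit() or pad != "F" * len(pad):
        raise ValueError("PIN block does not verify against this PAN")
    return pin

def pan_bound(block_hex: str, pan: str) -> bool:
    """True when the block decodes cleanly under this PAN, i.e. it was built for this account."""
    try:
        decode_format0(block_hex, pan)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample values (not real account numbers).
    block = encode_format0("1234", "4321987654321098")
    print(block, decode_format0(block, "4321987654321098"))
    print(pan_bound(block, "5555444433332222"))  # False: wrong account
```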

13
Other related Mandates
  • Chip-reading PIN Entry Devices
      • Effective now: All chip-reading devices
        (including unattended acceptance terminals)
        placed in service that support enciphered
        offline PIN must also support plaintext
        offline PIN.
      • Effective now: All newly deployed chip-reading
        devices must be capable of accepting a PIN
        (have either a PIN pad or a port capable of
        supporting a PIN pad). The PIN functionality
        must either be active or be capable of being
        activated through a software update.

14
Other related Mandates
  • Triple Data Encryption Standard (TDES) global
    mandates
      • Effective now: All newly deployed ATMs
        (including replacement devices) must support
        TDES.
      • Effective now: All newly deployed point of
        sale (POS) PIN acceptance devices (including
        replacement devices) must support TDES.
      • 1 July 2010: Cardholder PINs must be TDES
        encrypted from all points of transaction to
        the Issuer. However, each Visa Region's TDES
        dates will supersede the global TDES date
        whenever the Visa Region date precedes the
        global date.

15
Other related Mandates
  • Visa (CEMEA) TDES Mandate
      • Effective now: All PIN transactions must be
        TDES encrypted from point of acceptance to
        Visa.
      • All PIN transactions between Visa and Issuer
        hosts must be TDES encrypted.
  • A non-compliance grace period will be introduced
    until 1 July 2007, at which time all CEMEA
    Members must be fully compliant with the Regional
    TDES requirements.

16
Visa (CEMEA) TDES Mandate
  • TDES Questionnaire in CEMEA Fraud Information
    Service Portal

17
Thank you