PCI PIN Security v3.1

PIN Security Requirements:
21-4 Private keys used to sign certificates, certificate status lists, messages, or for key protection must exist only in one or more of the following forms: 

Testing Procedures:
21-4.a Examine documented key-management procedures to verify that private keys used to sign certificates, certificate-status lists, messages, or for key protection must exist only in one or more of the approved forms at all times.
21-4.b Observe key-management operations and interview key custodians and key-management supervisory personnel to verify that private keys used to sign certificates, certificate-status lists, messages, or for key protection must exist only in one or more of the approved forms at all times. 

PIN Security Requirements:
22-3 Root CAs must provide for segmentation of risk to address key compromise. An example of this would be the implementation of subordinate CAs.
Testing Procedures:
22-3 Through the examination of documented procedures, interviews and observation confirm that Root CAs provide for segmentation of risk to address key compromise. 

PIN Security Requirements:
22-4.1 The CA must cease issuance of certificates if a compromise is known or suspected and perform a damage assessment, including a documented analysis of how and why the event occurred.
Testing Procedures:
22-4.1.a Examine documented procedures to verify that the following are required in the event a compromise is known or suspected: 

22-4.1.b Interview responsible personnel and observe process to verify that in the event a compromise is known or suspected: 

PIN Security Requirements:
22-4.2 In the event of a confirmed compromise, the CA must determine whether to revoke and reissue all signed certificates with a newly generated signing key.
Testing Procedures:
22-4.2.a Examine documented procedures to verify that in the event of a confirmed compromise, procedures are defined for the CA to determine whether to revoke and reissue all signed certificates with a newly generated signing key.
22-4.2.b Interview responsible personnel to verify procedures are followed for the CA to determine whether to revoke and reissue all signed certificates with a newly generated signing key. 

PIN Security Requirements:
22-4.3 Mechanisms (for example, time stamping) must exist to prevent the usage of fraudulent certificates, once identified.
Testing Procedures:
22-4.3.a Examine documented procedures to verify that mechanisms are defined to prevent the usage of fraudulent certificates.
22-4.3.b Interview responsible personnel and observe implemented mechanisms to verify the prevention of the use of fraudulent certificates 

PIN Security Requirements:
22-4.4 The compromised CA must notify any superior or subordinate CAs of the compromise. The compromise damage analysis must include a determination of whether subordinate CAs and KDHs must have their certificates reissued and distributed to them or be notified to apply for new certificates.
Testing Procedures:
22-4.4.a Examine documented procedures to verify that the following procedures are required in the event of a compromise: 

22-4.4.b Interview responsible personnel to verify that the following procedures are performed in the event a compromise: 

PIN Security Requirements:
22-5 Minimum cryptographic strength for the CA system shall be: 

The key-pair lifecycle shall result in expiration of KDH keys every five years, unless another mechanism exists to prevent the use of a compromised KDH private key.
Testing Procedures:
22-5.a Interview appropriate personnel and examine documented procedures for the creation of these keys.
22-5.b Verify that the following minimum key sizes exist for RSA keys or the equivalent for the algorithm used as defined in Annex C: 

22-5.c Verify that KDH keys expire every five years unless another mechanism exists to prevent the use of a compromised KDH private key. 

PIN Security Requirements:
25-2.1 All user access must be restricted to actions authorized for that role.
Note: Examples of how access can be restricted include the use of CA software and operating-system and procedural controls.
Testing Procedures:
25-2.1.a Examine documented procedures to confirm that access to material that can be used to construct secret and private keys must be restricted to actions authorized for that role.
25-2.1.b Observe user role assignments and access-control mechanisms to verify that access to material that can be used to construct secret and private keys is restricted to actions authorized for that role. 

PIN Security Requirements:
25-3.1 CA systems that issue certificates to other CAs and KDHs must be operated offline using a dedicated closed network (not a network segment). 

25-3.1 Examine network diagrams and observe network and system configurations to verify: 

PIN Security Requirements:
25-3.2 For CAs operated online—e.g., POI-signing CAs: CA or Registration Authority (RA) software updates must not be done over the network (local console access must be used for CA or RA software updates).
Testing Procedures:
25-3.2 Examine software update processes to verify that local console access is used for all CA or RA software updates. 

PIN Security Requirements:
25-3.3 For CAs operated online—e.g., POI-signing CAs: Non-console access must use multi-factor authentication. This also applies to the use of remote console access.
Testing Procedures:
25-3.3 Examine remote-access mechanisms and system configurations to verify that all non-console access, including remote access, requires multi-factor authentication. 

PIN Security Requirements:
25-3.4 For CAs operated online—e.g., POI-signing CAs: Non-console user access to the CA or RA system environments shall be protected by authenticated encrypted sessions. No other remote access is permitted to the CA or RA platform(s) for system or application administration.
Note: Access for monitoring only (no create, update, delete capability) of online systems may occur without restriction.
Testing Procedures:
25-3.4.a Examine non-console access mechanisms and system configurations to verify that all non-console user access is protected by authenticated encrypted sessions.
25-3.4.b Observe an authorized CA personnel attempt non-console access to the host platform using valid CA credentials without using an authenticated encrypted session to verify that non-console access is not permitted. 

PIN Security Requirements:
25-3.5 CA certificate (for POI/KDH authentication and validity status checking) signing keys must only be enabled under at least dual control.
Note: Certificate requests may be vetted (approved) using single user logical access to the RA application.
Testing Procedures:
25-3.5.a Examine the certificate security policy and certification practice statement to verify that CA certificate-signing keys must only be enabled under at least dual control.
25-3.5.b Observe certificate-signing processes to verify that signing keys are enabled only under at least dual control. 

PIN Security Requirements:
25-4 The CA shall require a separation of duties for critical CA functions to prevent one person from maliciously using a CA system without detection, the practice referred to as “dual control.” At a minimum, there shall be multi-person control for operational procedures such that no one person can gain control over the CA signing key(s).
Testing Procedures:
25-4.a Examine documented procedures to verify they include following: 

25-4.b Observe CA operations and interview responsible personnel to verify: 

PIN Security Requirements:
25-5.1 All vendor-default IDs must be changed, removed, or disabled unless necessary for a documented and specific business reason. Vendor default IDs that are required as owners of objects or processes or for installation of patches and upgrades must only be enabled when necessary and otherwise must be disabled from login.
Testing Procedures:
25-5.1.a Examine documented procedures to verify that: 

25-5.1.b Examine system configurations and interview responsible personnel to verify that: 

PIN Security Requirements:
25-5.2 Vendor defaults, including passwords and SNMP strings, that exist and are not addressed in the prior step must be changed, removed, or disabled before installing a system on the network.
Testing Procedures:
25-5.2.a Examine documented procedures to verify that vendor defaults, including passwords and SNMP strings, that exist and are not addressed in the prior step are changed, removed, or disabled before installing a system on the network.
25-5.2.b Examine system configurations and interview responsible personnel to verify that vendor defaults, including passwords and SNMP strings, that exist and are not addressed in the prior step are changed, removed, or disabled before installing a system on the network. 

PIN Security Requirements:
25-6.1 Audit logs must be archived for a minimum of two years.
Testing Procedures:
25-6.1 Examine audit trail files to verify that they are archived for a minimum of two years. 

PIN Security Requirements:
25-6.2 Records pertaining to certificate issuance and revocation must, at a minimum, be retained for the life of the associated certificate.
Testing Procedures:
25-6.2.a For a sample of certificate issuances, examine audit records to verify that the records are retained for at least the life of the associated certificate.
25-6.2.b For a sample of certificate revocations, examine audit records to verify that the records are retained for at least the life of the associated certificate 

PIN Security Requirements:
25-6.3 Logical events are divided into operating-system and CA application events. For both, the following must be recorded in the form of an audit record: 

25-6.3.a Examine audit trails to verify that logical events are divided into operating-system and CA application events.
25-6.3.b Examine a sample of operating-system logs to verify they contain the following information: 

25-6.3.c Examine a sample of application logs to verify they contain the following information: 

PIN Security Requirements:
25-7.1 Certificate-processing system components operated online must be protected by a firewall(s) from all unauthorized access, including casual browsing and deliberate attacks. Firewalls must minimally be configured to: 

Testing Procedures:
25-7.1.a Examine network and system configurations to verify that certificate-processing system components operated online are protected from unauthorized access by firewall(s).
25-7.1.b Examine firewall configurations for verify they are configured to: 

PIN Security Requirements:
25-7.2 Online certificate-processing systems must employ individually or in combination network and host-based intrusion detection systems (IDS) to detect inappropriate access. At a minimum, database servers and the application servers for RA and web, as well as the intervening segments, must be covered.
Testing Procedures:
25-7.2.a Observe network-based and/or host-based IDS configurations to verify that on-line certificate-processing systems are protected by IDS to detect inappropriate access.
25-7.2.b Verify that IDS coverage includes all database servers, RA application servers and web servers, as well as the intervening segments. 

PIN Security Requirements:
25-8.1 Initial, assigned passphrases are pre-expired (user must replace at first logon).
Testing Procedures:
25-8.1 Examine password procedures and observe security personnel to verify that first-time passwords for new users, and reset passwords for existing users, are set to a unique value for each user and are pre-expired. 

PIN Security Requirements:
25-8.2 Use of group, shared, or generic accounts and passwords, or other authentication methods is prohibited.
Testing Procedures:
25-8.2.a For a sample of system components, examine user ID lists to verify the following: 

25-8.2.b Examine authentication policies/procedures to verify that group and shared passwords or other authentication methods are explicitly prohibited.
25-8.2.c Interview system administrators to verify that group and shared passwords or other authentication methods are not distributed, even if requested. 

PIN Security Requirements:
25-8.3 If passwords are used, system-enforced expiration life must not exceed 90 days and a minimum life at least one day.
Testing Procedures:
25-8.3 For a sample of system components, obtain and inspect system configuration settings to verify that user password parameters are set to require users to change passwords at least every 90 days and have a minimum life of at least one day. 

PIN Security Requirements:
25-8.4 Passwords must have a minimum length of eight characters using a mix of alphabetic, numeric, and special characters or equivalent strength as defined in NIST SP 800-63B.
Testing Procedures:
25-8.4 For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require passwords to be at least eight characters long and contain numeric, alphabetic, and special characters or equivalent strength as defined in NIST SP 800-63B. 

PIN Security Requirements:
25-8.5 Limit repeated access attempts by locking out the user ID after not more than five attempts.
Testing Procedures:
25-8.5 For a sample of system components, obtain and inspect system configuration settings to verify that authentication parameters are set to require that a user’s account be locked out after not more than five invalid logon attempts. 

PIN Security Requirements:
25-8.6 Authentication parameters must require a system-enforced passphrase history, preventing the reuse of any passphrase used in the last 12 months.
Testing Procedures:
25-8.6 For a sample of system components, obtain and inspect system configuration settings to verify that authentication parameters are set to require a system-enforced passphrase history, preventing the reuse of any passphrase used in the last 12 months. 

PIN Security Requirements:
25-8.7 Passwords are not stored on any of the systems except in encrypted form or as part of a proprietary one-way transformation process, such as those used in UNIX systems.
Testing Procedures:
25-8.7 For a sample of system components, obtain and inspect system configuration settings to verify that passwords are not stored unless encrypted as part of a proprietary one-way hash. 

PIN Security Requirements:
25-8.8 The embedding of passwords in shell scripts, command files, communication scripts, etc. is strictly prohibited.
Testing Procedures:
25-8.8.a Examine policies and procedures and interview personnel to determine that the embedding of passwords in shell scripts, command files, communication scripts, etc. is strictly prohibited.
25-8.8.b Inspect a sample of shell scripts, command files, communication scripts, etc. to verify that passwords are not embedded in shell scripts, command files, or communication scripts. 

PIN Security Requirements:
25-8.9 Where log-on security tokens (for example, smart cards) are used, the security tokens must have an associated usage-authentication mechanism, such as a biometric or associated PIN/passphrase to enable their usage. The PIN/passphrase must be at least eight decimal digits in length, or equivalent.
Note: Log-on security tokens (for example, smart cards) and encryption devices are not subject to the pass-phrase management requirements for password expiry as stated above.
Testing Procedures:
25-8.9.a If log-on security tokens are used, observe devices in use to verify that the security tokens have an associated usage-authentication mechanism, such as a biometric or associated PIN/passphrase to enable their usage.
25-8.9.b Examine token-configuration settings to verify parameters are set to require that PINs/passwords be at least eight decimal digits in length, or equivalent. 

PIN Security Requirements:
25-9 Implement a method to synchronize all critical system clocks and times for all systems involved in key-management operations.
Testing Procedures:
25-9.a Examine documented procedures and system configuration standards to verify a method is defined to synchronize all critical system clocks and times for all systems involved in key-management operations.
25-9.b For a sample of critical systems, examine the time-related system parameters to verify that system clocks and times are synchronized for all systems involved in key-management operations.
25-9.c If a manual process is defined, verify that the documented procedures require that it occur at least quarterly.
25-9.d If a manual process is defined, examine system configurations and synchronization logs to verify that the process occurs at least quarterly. 

PIN Security Requirements:
28-2 CA operations must be dedicated to certificate issuance and management. All physical and logical CA system components must be separated from key-distribution systems.
Testing Procedures:
28-2.a Examine documented procedures to verify: 

28-2.b Observe CA system configurations and operations to verify they are dedicated to certificate issuance and management.
28-2.c Observe system and network configurations and physical access controls to verify that all physical and logical CA system components are separated from key-distribution systems. 

PIN Security Requirements:
28-3 Each CA operator must develop a certification practice statement (CPS). (See RFC 3647- Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework for an example of content.) 

Note: This may take the form of a declaration by the CA operator of the details of its trustworthy system and the practices it employs in its operations and in support of the issuance of certificates. A CPS may take the form of either a specific, single document or a collection of specific documents.
The CPS must be consistent with the requirements described within this document. The CA shall operate in accordance with its CPS.
Testing Procedures:
28-3.a Examine documented certification practice statement (CPS) to verify that the CPS is consistent with the requirements described within this document.
28-3.b Examine documented operating procedures to verify they are defined in accordance with the CPS.
28-3.c Interview personnel and observe CA processes to verify that CA operations are in accordance with its CPS. 

PIN Security Requirements:
28-4 Each CA operator must develop a certificate policy. (See RFC 3647- Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework for an example of content.)
Testing Procedures:
28-4 Examine documented certificate policy to verify that the CA has one in place. 

PIN Security Requirements:
28-5.1 For CA and KDH certificate-signing requests, including certificate or key-validity status changes—for example, revocation, suspension, replacement—verification must include validation that: 

28-5.1.a Examine documented procedures to verify that certificate-signing requests, including certificate or key-validity status changes, require validation that: 

28-5.1.b Observe certificate-signing requests, including certificate or key-validity status changes, to verify they include validation that: 

PIN Security Requirements:
28-5.2 RAs must retain documentation and audit trails relating to the identification of entities for all certificates issued and certificates whose status had changed for the life of the associated certificates.
Testing Procedures:
28-5.2 Examine documentation and audit trails to verify that the identification of entities is retained for the life of the associated certificates: