Approved Algorithms in connection with the requirements in this document are based on the approved algorithms listed in NIST SP 800-57 Part 1 Rev. 4, Section 4:
- Hash functions: only algorithms from the SHA2 and SHA3 family are allowed on POI v3 and higher devices, with output size >255<1>
- Symmetric-Key Algorithms used for encryption and decryption: AES must be used, with key size >= 128 bits, or TDEA with key size >= 112 bits
- Message Authentication Codes (MACs): CMAC or GMAC can be used with AES, as well as HMAC with an approved hash function and a key size >= 128
- Signature algorithms: DSA, RSA (with PKCS1-v1.5 or PSS) and ECDSA with key sizes specified below.
- Approved key establishment schemes are described in NIST SP 800-56A (ECC/FFC<2>-based key agreement), NIST SP 800-56B (IFC-based key agreement) and NIST SP 800-38F (AES-based key encryption/wrapping).
<1> Except as noted, the use of SHA-1 is prohibited for all digital signatures used on the device that are used in connection with meeting PCI security requirements. This includes certificates used by the device that are non-device-specific that are part of a vendor PKI, up to and including a vendor root certificate. The only exception to this is that the initial code on ROM that initiates upon the device start may authenticate itself using SHA-1, but all subsequent code must be authenticated using SHA-2.
SHA-2 or higher is recommended for other usages, but SHA-1 may be used in conjunction with the generation of HMAC values and surrogate PANs (with salt), for deriving keys using key derivation functions (i.e., KDFs) and random number generation. Where applicable, appropriate key length minimums as delineated in the Derived Test Requirements are also required.
<2> IFC: Integer Factorization Cryptography; ECC: Elliptic Curve Cryptography; FFC: Finite Field Cryptography
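The hash, symmetric-key and MAC rules above, together with the SHA-1 carve-outs in footnote 1, can be checked mechanically against a device's cryptographic inventory. The following is an added example, not part of the original requirements text; the record format, the usage labels and the names `check` and `check_hash` are assumptions made for illustration, and signature key sizes are left out because they are specified elsewhere.

```python
# Added example. Rules are transcribed from the list and footnote 1 above;
# the inventory record format and usage labels are assumptions.
HASH_BITS = {"SHA-224": 224, "SHA-256": 256, "SHA-384": 384, "SHA-512": 512,
             "SHA3-224": 224, "SHA3-256": 256, "SHA3-384": 384, "SHA3-512": 512}
CIPHER_MIN_BITS = {"AES": 128, "TDEA": 112}
# Footnote 1: SHA-1 stays usable only in these contexts (labels are hypothetical).
SHA1_ALLOWED = {"hmac", "kdf", "rng", "surrogate_pan_salted", "rom_initial_code"}


def check_hash(alg, usage):
    """Apply the hash rule, with SHA-1 judged by the context it is used in."""
    if alg == "SHA-1":
        return [] if usage in SHA1_ALLOWED else [f"SHA-1 prohibited for usage '{usage}'"]
    bits = HASH_BITS.get(alg)
    if bits is None:
        return [f"{alg}: not a SHA-2/SHA-3 hash"]
    return [] if bits > 255 else [f"{alg}: output {bits} bits, must be > 255"]


def check(entry):
    """Return findings for one inventory record; an empty list means it passes."""
    kind, alg, bits = entry["kind"], entry["alg"], entry.get("key_bits", 0)
    if kind == "hash":
        return check_hash(alg, entry.get("usage"))
    if kind == "cipher":
        minimum = CIPHER_MIN_BITS.get(alg)
        if minimum is None:
            return [f"{alg}: only AES or TDEA are approved"]
        return [] if bits >= minimum else [f"{alg}: key {bits} bits, need >= {minimum}"]
    if kind == "mac":
        findings = [] if bits >= 128 else [f"{alg}: MAC key {bits} bits, need >= 128"]
        if alg == "HMAC":  # the underlying hash is judged in the "hmac" context
            return findings + check_hash(entry.get("hash"), "hmac")
        if alg in ("CMAC", "GMAC"):
            ok = entry.get("cipher") == "AES"
            return findings + ([] if ok else [f"{alg}: must be used with AES"])
        return findings + [f"{alg}: not an approved MAC"]
    return [f"unknown record kind '{kind}'"]


# Constructed sample inventory, not taken from any real device.
INVENTORY = [
    {"kind": "hash", "alg": "SHA-1", "usage": "signature"},
    {"kind": "hash", "alg": "SHA-1", "usage": "kdf"},
    {"kind": "hash", "alg": "SHA-224", "usage": "signature"},
    {"kind": "cipher", "alg": "TDEA", "key_bits": 112},
    {"kind": "mac", "alg": "HMAC", "hash": "SHA-1", "key_bits": 160},
    {"kind": "mac", "alg": "CMAC", "cipher": "TDEA", "key_bits": 112},
]

if __name__ == "__main__":
    for record in INVENTORY:
        print(record, "->", check(record) or "OK")
```

The same SHA-1 digest passes or fails depending only on its declared usage, which is why the inventory has to record context and not just algorithm names.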