PCI PIN Security v3.1
Framework
Control Objective 6
List of requirements
PIN Security Requirements:
21-1 Secret or private keys must only exist in one or more of the following forms:
- At least two separate key shares (secret or private) or full-length components (secret)
- Encrypted with a key of equal or greater strength as delineated in Annex C
- Contained within a secure cryptographic device
Note: Key-injection facilities may have clear-text keying material outside of a SCD when used within a secure room in accordance with Requirement 32 in Annex B.
Testing Procedures:
21-1.a Examine documented procedures for key storage and usage to verify that secret or private keys only exist in one or more approved forms at all times when stored.
21-1.b Observe key stores to verify that secret or private keys only exist in one or more approved forms at all times when stored.

PIN Security Requirements:
21-3 Key components/shares must be stored as follows:
Testing Procedures:
21-3 Examine documented procedures, interview responsible personnel, and inspect key-component/share storage locations to verify that key components/shares are stored as outlined in Requirements 21-3.1 through 21-3.3 below.

PIN Security Requirements:
24-2 The procedures for destroying key components or shares that are no longer used or have been replaced by a new key must be documented and sufficient to ensure that no part of the key or component can be recovered. For written components, this must be accomplished by use of a cross-cut shredder, pulping, or burning. Strip-shredding is not sufficient.
Note: Key destruction for keys installed in HSMs and POI devices is addressed in Requirement 31.
Testing Procedures:
24-2.a Examine documented procedures for destroying keys and confirm they are sufficient to ensure that no part of the key or component can be recovered.
24-2.b Observe key-destruction processes to verify that no part of the key or component can be recovered.

PIN Security Requirements:
29-2 Implement a documented “chain of custody” to ensure that all devices are controlled from receipt to placement into service. The chain of custody must include records to identify responsible personnel for each interaction with the devices.
Note: Chain of custody includes procedures, as stated in Requirement 29-1, that ensure that access to all POI devices and other SCDs is documented, defined, logged, and controlled such that unauthorized individuals cannot access, modify, or substitute any device without detection.
Testing Procedures:
29-2.a Examine documented processes to verify that the chain of custody is required for devices from receipt to placement into service.
29-2.b For a sample of devices, examine documented records and interview responsible personnel to verify the chain of custody is maintained from receipt to placement into service.
29-2.c Verify that the chain-of-custody records identify responsible personnel for each interaction with the device.

PIN Security Requirements:
29-4.2 The security policy enforced by the HSM must not allow unauthorized or unnecessary functions. HSM API functionality and commands that are not required to support specified functionality must be disabled before the equipment is commissioned.
For example, for HSMs used in transaction processing operations:
- PIN-block format translation functionality is in accordance with Requirement 3, or non-ISO PIN-block formats must not be supported without a defined, documented, and approved business need.
- HSMs used for acquiring functions shall not be configured to output clear-text PINs or support PIN-change functionality.
Documentation (e.g., a checklist or similar suitable to use as a log) of configuration settings must exist and be signed and dated by personnel responsible for the implementation. This documentation must include identifying information for the HSM, such as serial number and/or asset identifiers. This documentation must be retained and updated for each affected HSM any time changes to configuration settings would impact security.
Testing Procedures:
29-4.2.a Obtain and examine the defined security policy to be enforced by the HSM.
29-4.2.b Examine documentation of the HSM configuration settings from past commissioning events to determine that the functions and commands enabled are in accordance with the security policy.
29-4.2.c For a sample of HSMs, examine the configuration settings to determine that only authorized functions are enabled.
29-4.2.d Verify that PIN-change functionality, PIN-block format translation functionality, or non-ISO PIN-block formats are not supported without a defined documented and approved business need.
29-4.2.e Verify that functionality is not enabled to allow the outputting of clear-text PINs.
29-4.2.f Examine documentation to verify:
- Configuration settings are defined, signed, and dated by personnel responsible for implementation.
- It includes identifying information for the HSM, such as serial number and/or asset identifier.
- The documentation is retained and updated, for each affected HSM, any time a change to configuration settings would impact security.
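The following is an added example, not part of the PCI PIN Security standard or of this page: a small Python check that compares an HSM's enabled command set against a documented security policy and its commissioning record, following the intent of Requirement 29-4.2 and testing procedures 29-4.2.c through 29-4.2.f. The command names, the `COMMAND=enabled|disabled` export format, the serial number, the signer and the policy sets are all constructed for illustration; real HSMs use vendor-specific command codes and export formats, and the documented policy must be mapped onto those before a check like this is meaningful.

```python
"""Allow-list check of an HSM's enabled commands against a security policy.

Added example, not PCI SSC or vendor code. Every command name, the export
format and the commissioning record below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed policy: commands the documented security policy permits on a
# transaction-processing HSM. A real policy would list vendor command codes.
POLICY_ALLOWED = {
    "GENERATE_KEY", "IMPORT_KEY_UNDER_ZMK", "EXPORT_KEY_UNDER_ZMK",
    "TRANSLATE_PIN_BLOCK_ISO", "VERIFY_PIN_IBM3624", "VERIFY_PIN_VISA_PVV",
    "GENERATE_MAC", "VERIFY_MAC",
}
# 29-4.2.e: anything that outputs clear-text PINs must never be enabled.
CLEAR_PIN_OUTPUT = {"OUTPUT_CLEAR_PIN"}
# 29-4.2: acquiring HSMs must not support PIN-change functionality at all.
ACQUIRING_PROHIBITED = {"PIN_CHANGE"}
# 29-4.2.d: permitted only with a defined, documented, approved business need.
NEEDS_BUSINESS_NEED = {"PIN_CHANGE", "TRANSLATE_PIN_BLOCK_NONISO"}


@dataclass
class CommissioningRecord:
    """The signed, dated configuration log 29-4.2 requires per HSM (constructed)."""
    serial: str            # identifying information (serial / asset id)
    signed_by: str
    signed_on: str         # ISO date of the signature
    enabled_commands: set[str] = field(default_factory=set)
    approved_business_needs: set[str] = field(default_factory=set)


def parse_command_export(text: str) -> set[str]:
    """Return the enabled commands from a constructed 'NAME=enabled|disabled' export.

    Blank lines and '#' comments are ignored; anything not literally 'enabled'
    is treated as disabled, so a malformed line can never enable a command.
    """
    enabled = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, state = line.partition("=")
        if state.strip().lower() == "enabled":
            enabled.add(name.strip())
    return enabled


def check_record(rec: CommissioningRecord, acquiring: bool = True) -> list[str]:
    """Return findings (empty list = compliant) for one HSM's record.

    Checks the record itself (29-4.2.f) and each enabled command against the
    policy, most severe rule first so a command gets exactly one finding.
    """
    findings = []
    if not rec.serial:
        findings.append("record lacks HSM identifying information (29-4.2.f)")
    if not rec.signed_by or not rec.signed_on:
        findings.append("record is not signed and dated (29-4.2.f)")
    for cmd in sorted(rec.enabled_commands):
        if cmd in CLEAR_PIN_OUTPUT:
            findings.append(f"{cmd}: outputs clear-text PINs, must not be enabled (29-4.2.e)")
        elif acquiring and cmd in ACQUIRING_PROHIBITED:
            findings.append(f"{cmd}: must not be enabled on an acquiring HSM (29-4.2)")
        elif cmd in NEEDS_BUSINESS_NEED:
            if cmd not in rec.approved_business_needs:
                findings.append(f"{cmd}: enabled without an approved business need (29-4.2.d)")
        elif cmd not in POLICY_ALLOWED:
            findings.append(f"{cmd}: not permitted by the security policy (29-4.2.c)")
    return findings


# Constructed export for a hypothetical HSM; DIAGNOSTIC_DUMP and PIN_CHANGE
# were left enabled at commissioning, which the check should catch.
SAMPLE_EXPORT = """\
# constructed export, HSM serial H-0001
GENERATE_KEY=enabled
IMPORT_KEY_UNDER_ZMK=enabled
TRANSLATE_PIN_BLOCK_ISO=enabled
TRANSLATE_PIN_BLOCK_NONISO=enabled
PIN_CHANGE=enabled
OUTPUT_CLEAR_PIN=disabled
DIAGNOSTIC_DUMP=enabled
VERIFY_MAC=enabled
"""

SAMPLE_RECORD = CommissioningRecord(
    serial="H-0001", signed_by="J. Doe", signed_on="2024-03-01",
    enabled_commands=parse_command_export(SAMPLE_EXPORT),
    approved_business_needs={"TRANSLATE_PIN_BLOCK_NONISO"},
)

if __name__ == "__main__":
    for finding in check_record(SAMPLE_RECORD, acquiring=True):
        print(f"{SAMPLE_RECORD.serial}: {finding}")
```

Run as a script it prints two findings for the constructed HSM: `DIAGNOSTIC_DUMP` is not in the policy, and `PIN_CHANGE` is prohibited on an acquiring HSM; `TRANSLATE_PIN_BLOCK_NONISO` passes only because the record carries an approved business need for it. With `acquiring=False` the same `PIN_CHANGE` is instead reported as lacking a business need, which is the distinction 29-4.2 draws between acquiring and other HSMs.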