PCI PIN Security v3.1

Approved Algorithms in connection with the requirements in this document are based on the approved algorithms listed in NIST SP 800-57 Part 1 Rev. 4, Section 4; 

<1>Except as noted, the use of SHA-1 is prohibited for all digital signatures used on the device that are used in connection with meeting PCI security requirements. This includes certificates used by the device that are non-device-specific that are part of a vendor PKI, up to and including a vendor root certificate. The only exception to this is that the initial code on ROM that initiates upon the device start may authenticate itself using SHA-1, but all subsequent code must be authenticated using SHA-2. 
SHA-2 or higher is recommended for other usages, but SHA-1 may be used in conjunction with the generation of HMAC values and surrogate PANs (with salt), for deriving keys using key derivation functions (i.e., KDFs) and random number generation. Where applicable, appropriate key length minimums as delineated in the Derived Test Requirements are also required. 
<2> IFC: Integer Factorization Cryptography; ECC: Elliptic Curve Cryptography; FFC: Finite Field Cryptography 

The following are the minimum key sizes<3> and parameters for the algorithm(s) in question that must be used in connection with key transport, exchange, or establishment and for data protection in connection with these requirements. Other key sizes and algorithms may be supported for non-PCI payment brand relevant transactions 
Key-encipherment keys shall be at least of equal or greater strength than any key that they are protecting.<4> This applies to any key-encipherment keys used for the protection of secret or private keys that are stored or for keys used to encrypt any secret or private keys for loading or transport. For purposes of this requirement, the following algorithms and keys sizes by row are considered equivalent. 
<3> Other key sizes and algorithms specified in this appendix may be supported for non-PCI payment brand relevant transactions. They are also not applicable to the EMV kernel; cryptographic requirements for EMV Contactless transactions are set by EMVCo and/or the Schemes. 
<4> Notwithstanding the statement, 2048 RSA keys may be used to transport 128 AES keys when performing remote key distrubution using asymmetric techniques. 

DEA refers to TDEA keys with non-parity bits. The RSA key size refers to the size of the modulus. The Elliptic Curve key size refers to the minimum order of the base point on the elliptic curve; this order should be slightly smaller than the field size. The DSA key sizes refer to the size of the modulus and the minimum size of a large subgroup. 
TLS implementations must prevent the use of cipher suites that do not enforce the use of cryptographic ciphers, hash functions and key lengths as defined in the Technical FAQs. 
For implementations using FFC or ECC: 

IFC, FFC and ECC are vulnerable to attacks from large-scale quantum computers. In 2017, NIST initiated a process to solicit, evaluate, and standardize one or more quantum-resistant public-key cryptographic algorithms, planned to end with a selection of new algorithms by 2023-2025. 
Because of rapid progress in the field of quantum computing, it is advised to become informed/aware of this specific threat and its potential mitigations.