Соответствие требованиям

Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Наш канал

PCI PIN Security v3.1

Framework

Requirement 15

Для проведения оценки соответствия по документу войдите в систему.

Список требований

Control Objective 4: Key-loading to HSMs and POI PIN-acceptance devices is handled in a secure manner
Requirement 15: The loading of keys or key components must incorporate a validation mechanism such that the authenticity of the keys is ensured, and it can be ascertained that they have not been tampered with, substituted, or compromised.
PIN Security Requirements:
15-1 A cryptographic-based validation mechanism must be in place to ensure the authenticity and integrity of keys and/or their components (for example, testing key check values, hashes, or other similar unique values that are based upon the keys or key components being loaded). See ISO 11568. Where check values are used, recorded, or displayed, key-component check values and key check values shall be generated by a cryptographic process such that all portions of the key or key component are involved in generating the check value. The check value shall be in accordance with the following note.
Note: Check values may be computed by two methods. TDEA may use either method. AES must only use the CMAC method. In the first method, check values are computed by encrypting an all binary zeros block using the key or component as the encryption key, using the leftmost n-bits of the result; where n is at most 24 bits (6 hexadecimal digits/3 bytes). In the second method the KCV is calculated by MACing an all binary zeros block using the CMAC algorithm as specified in ISO 9797-1 (see also NIST SP 800-38B). The check value will be the leftmost n-bits of the result, where n is at most 40 bits (10 hexadecimal digits). The block cipher used in the CMAC function is the same as the block cipher of the key itself. A TDEA key or a component of a TDEA key will be MACed using the TDEA block cipher, while a 128-bit AES key or component will be MACed using the AES-128 block cipher.
Testing Procedures:
15-1.a Examine documented procedures to verify a cryptographic-based validation mechanism is in place to ensure the authenticity and integrity of keys and/or components.
15-1.b Observe the key-loading processes to verify that the defined cryptographic-based validation mechanism used to ensure the authenticity and integrity of keys and components is being used and are verified by the applicable key custodians.
15-1.c Verify that the methods used for key validation are consistent with ISO 11568—for example, if check values are used, they are in accordance with this requirement.
PIN Security Requirements:
15-2 The public key must have its authenticity and integrity ensured. In order to ensure authenticity and integrity, a public key must be encrypted in accordance with Annex C, or if in plaintext form, must:
- Be within a certificate as defined in Annex A; or
- Be within a PKCS#10 (authentication and integrity occurs via other mechanisms); or
- Be within an SCD; or
- Have a MAC (message authentication code) created using the algorithm defined in ISO 16609.
Testing Procedures:
15-2.a Interview personnel and review documented procedures to verify that all public keys exist only in an approved form.
15-2.b Observe public-key stores and mechanisms to verify that public keys exist only in an approved form.

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.