PIN Security Requirements:
18-3 Encrypted symmetric keys must be managed in structures called key blocks. The key usage must be cryptographically bound to the key using accepted methods.
The phased implementation dates are as follows:
- Phase 1 – Implement Key Blocks for internal connections and key storage within Service Provider Environments – this would include all applications and databases connected to hardware security modules (HSM). Effective date: 1 June 2019.
- Phase 2 – Implement Key Blocks for external connections to Associations and Networks. Effective date: 1 January 2023.
- Phase 3 – Implement Key Block to extend to all merchant hosts, point-of-sale (POS) devices and ATMs. Effective date: 1 January 2025.
Acceptable methods of implementing the integrity requirements include, but are not limited to:
- A MAC computed over the concatenation of the clear-text attributes and the enciphered portion of the key block, which includes the key itself, e.g., TR-31
- A digital signature computed over that same data, e.g., TR-34
- An integrity check that is an implicit part of the key-encryption process such as that which is used in the AES key-wrap process specified in ANSI X9.102.
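The first method in the list above (a MAC over the clear-text attributes plus the enciphered key) is the one TR-31 follows. The Go program below is an added illustration of that binding, written for this page; it is not code from the PCI PIN standard, from TR-31, or from any HSM vendor. It assumes a simplified 4-byte fixed-width header (usage, algorithm, mode of use) instead of TR-31's real header, HMAC-SHA256 in place of TR-31's CMAC, a labelled-HMAC split of the key block protection key into encryption and MAC keys in place of TR-31's key derivation, and a random CBC IV rather than TR-31's MAC-as-IV construction. The keys in main are constructed test values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Header holds the clear-text attributes that must stay bound to the key. Field
// meanings mirror TR-31; the 4-byte fixed-width layout is this example's own.
type Header struct {
	KeyUsage  string // two chars, e.g. "P0" for a PIN encryption key
	Algorithm string // one char, e.g. "A" for AES
	ModeOfUse string // one char, e.g. "E" for encrypt only
}

func mac(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// deriveKeys splits the key block protection key (KBPK) into an encryption key
// (KBEK) and a MAC key (KBMK); TR-31's own CMAC derivation is replaced by labelled HMAC.
func deriveKeys(kbpk []byte) (kbek, kbmk []byte) {
	return mac(kbpk, []byte("KBEK"))[:16], mac(kbpk, []byte("KBMK"))
}

// Wrap emits header || IV || AES-CBC(KBEK, len||key||pad) || MAC. The MAC covers the
// clear-text header and the enciphered portion: that is what binds usage to the key.
func Wrap(kbpk []byte, h Header, key []byte) ([]byte, error) {
	if len(h.KeyUsage) != 2 || len(h.Algorithm) != 1 || len(h.ModeOfUse) != 1 {
		return nil, errors.New("header fields must be fixed width")
	}
	hdr := []byte(h.KeyUsage + h.Algorithm + h.ModeOfUse)
	kbek, kbmk := deriveKeys(kbpk)
	// Payload: 2-byte key length in bits, the key, then random padding to a block boundary.
	plain := make([]byte, (2+len(key)+aes.BlockSize)/aes.BlockSize*aes.BlockSize)
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(plain[2+len(key):]); err != nil {
		return nil, err
	}
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	binary.BigEndian.PutUint16(plain, uint16(len(key)*8))
	copy(plain[2:], key)
	block, _ := aes.NewCipher(kbek) // kbek is always 16 bytes, so no error
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plain)
	body := append(append(hdr, iv...), ct...)
	return append(body, mac(kbmk, body)...), nil
}

// Unwrap verifies the MAC before decrypting, so a block whose usage field was altered is rejected.
func Unwrap(kbpk, kb []byte) (Header, []byte, error) {
	if len(kb) < 4+2*aes.BlockSize+sha256.Size {
		return Header{}, nil, errors.New("key block too short")
	}
	kbek, kbmk := deriveKeys(kbpk)
	body, tag := kb[:len(kb)-sha256.Size], kb[len(kb)-sha256.Size:]
	if !hmac.Equal(tag, mac(kbmk, body)) {
		return Header{}, nil, errors.New("key block integrity check failed")
	}
	h := Header{KeyUsage: string(body[0:2]), Algorithm: string(body[2:3]), ModeOfUse: string(body[3:4])}
	iv, ct := body[4:4+aes.BlockSize], body[4+aes.BlockSize:]
	block, _ := aes.NewCipher(kbek)
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	n := int(binary.BigEndian.Uint16(plain)) / 8
	if 2+n > len(plain) {
		return Header{}, nil, errors.New("bad key length")
	}
	return h, plain[2 : 2+n], nil
}

// UsageTamperDetected relabels the usage field of a copy of kb and reports whether Unwrap refuses it.
func UsageTamperDetected(kbpk, kb []byte, newUsage string) bool {
	altered := append([]byte(nil), kb...)
	copy(altered[0:2], newUsage)
	_, _, err := Unwrap(kbpk, altered)
	return err != nil
}

func main() {
	kbpk := []byte("0123456789abcdef") // constructed test KBPK, not a real key
	key := []byte("PIN-ENC-KEY-TEST") // constructed 16-byte test PIN encryption key
	kb, _ := Wrap(kbpk, Header{KeyUsage: "P0", Algorithm: "A", ModeOfUse: "E"}, key)
	h, k, err := Unwrap(kbpk, kb)
	fmt.Printf("unwrap: usage=%s key=%q err=%v\n", h.KeyUsage, k, err)
	fmt.Println("usage relabel detected:", UsageTamperDetected(kbpk, kb, "D0"))
}
```

Two points of the design carry the requirement's intent. The MAC input includes the header, so changing the usage field (for example relabelling a PIN encryption key as a data encryption key so it could be used in a different command) invalidates the block; and Unwrap checks the MAC before it decrypts, so an altered block never yields a usable key. A system honouring key blocks must also enforce the attributes it reads back: the unwrapped key is used only for the usage and mode of use the verified header states.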
Testing Procedures:
18-3 Using the cryptographic-key summary to identify secret keys conveyed or stored, examine documented procedures and observe key operations to verify that secret cryptographic keys are managed as key blocks using mechanisms that cryptographically bind the key usage to the key at all times via one of the acceptable methods or an equivalent. Where key blocks are not implemented, identify and examine project plans to implement them in accordance with the prescribed timeline.