PCI PIN Security v3.1
Framework
Requirement 3
List of requirements
PIN Security Requirements:
3-2 PINs enciphered only for transmission between the PIN entry device and the IC reader must use one of the PIN-block formats specified in ISO 9564. Where ISO format 2 is used, a unique-key-per-transaction method in accordance with ISO 11568 shall be used. Format 2 shall only be used in connection with either offline PIN verification or PIN change operations in connection with ICC environments.
Testing Procedures:
3-2.a Using the summary from Requirement 1, identify any non-PCI-approved devices and device types for which the ICC card reader is not integrated in the PIN entry device. For each of these device types, interview applicable personnel to determine that PINs enciphered only for transmission between the PIN entry device and the ICCR use one of the PIN-block formats specified in ISO 9564. If format 2 is used, verify that a unique-key-per-transaction method in accordance with ISO 11568 is used.
Note: PCI-approved devices are validated to this; nevertheless, personnel must still be interviewed to validate the implementation.
3-2.b Examine device documentation to validate that the device functions as described above.
PIN Security Requirements:
3-3 Standard PIN-block formats (i.e., ISO formats 0, 1, 2, 3, and 4) shall not be translated into non-standard PIN-block formats.
PINs enciphered using ISO format 0, ISO format 3, or ISO format 4 must not be translated into any other PIN-block format other than ISO format 0, 3, or 4 except when translated to ISO format 2 as specified in the table below. PINs enciphered using ISO format 1 may be translated into ISO format 0, 3, or 4, but must not be translated back into ISO format 1. ISO format 1 may be translated into ISO format 2 as specified in the table below.
Translations between PIN-block formats that both include the PAN shall not support a change in the PAN. The PIN-translation capability between ISO formats 0, 3, or 4 (including translations from ISO format 0 to ISO format 0, from ISO format 3 to ISO format 3, or from ISO format 4 to ISO format 4) must not allow a change of PAN. The following illustrates translations from formats 0, 1, 3 and 4:
Note: This translation restriction is not applicable to surrogate PANs used in tokenization implementations.
Translation from       Translation to         Permitted?
ISO Format 0, 3, 4     ISO Format 0, 3, 4     - Permitted anywhere without change of PAN
                                              - Change of PAN only permitted in sensitive state for card issuance
                                              - Change of PAN token to real PAN only permitted with cryptographic binding of PAN token to real PAN
ISO Format 1           ISO Format 0, 3, 4     Permitted
ISO Format 2           ISO Format 0, 3, 4     Not permitted
ISO Format 0, 3, 4     ISO Format 1           Not permitted
ISO Format 1           ISO Format 1           Permitted
ISO Format 2           ISO Format 1           Not permitted
ISO Format 0, 3, 4     ISO Format 2           Permitted for submission to an IC card
ISO Format 1           ISO Format 2           Permitted for submission to an IC card
ISO Format 2           ISO Format 2           Permitted for submission to an IC card
Testing Procedures:
3-3.a Verify the following, using information obtained in the prior steps of Requirement 3:
- ISO PIN-block formats are not translated into non-ISO formats.
- ISO PIN-block formats 0, 3, and 4 are not translated into any PIN-block formats other than 0, 3, or 4 except for submission to an IC payment card.
- If ISO format 1 is translated to ISO format 0, 3, or 4, it is not translated back to ISO format 1.
- If ISO format 1 is translated to ISO format 2, it is only for submission to an IC payment card.
- PIN-block translations from ISO format 0, 3, or 4 to any of ISO format 0, 3, or 4 do not support a change in PAN.
3-3.b Where translated to format 2, verify that the PIN block is only submitted to the IC card.
Note: For offline PIN this is verified for PCI-approved POI devices:
a) The PIN that is submitted by the ICC reader to the IC shall be contained in a PIN block conforming to ISO format 2 PIN block. This applies whether the PIN is submitted in plaintext or enciphered using an encipherment key of the IC.
b) Where the ICC reader is not integrated into the PIN entry device and PINs are enciphered only for transmission between the PIN entry device and the ICC reader, the device shall use one of the PIN-block formats specified in ISO 9564-1. Where ISO format 2 PIN blocks are used, a unique-key-per-transaction method in accordance with ISO 11568 shall be used.
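The translation rules of Requirement 3-3 and its table can be expressed as a single policy gate that a PIN-translation service (for example, the command-authorisation layer in front of an HSM) applies before it agrees to re-encipher a PIN block. The following is an added illustration written for this page, not PCI's own text or any vendor's HSM code; the function name, its keyword parameters and the sample PANs are assumptions chosen for the example. It returns a decision and the reason, so that a refused translation can be logged with the rule that blocked it.

```python
"""Policy gate for PIN-block translation, modelled on PCI PIN v3.1 Requirement 3-3.

Hypothetical example: illustrative code only, not PCI's or any HSM vendor's
implementation. The function and parameter names are assumptions.
"""
from enum import Enum


class PinBlockFormat(Enum):
    """The standard ISO 9564 PIN-block formats named in Requirement 3-3."""
    ISO0 = 0
    ISO1 = 1
    ISO2 = 2
    ISO3 = 3
    ISO4 = 4


# Formats whose PIN block is bound to the PAN (formats 1 and 2 are not).
PAN_BOUND = {PinBlockFormat.ISO0, PinBlockFormat.ISO3, PinBlockFormat.ISO4}


def translation_permitted(src, dst, *, src_pan=None, dst_pan=None,
                          destination_is_icc=False,
                          issuance_sensitive_state=False,
                          token_cryptographically_bound=False):
    """Return (permitted, reason) for a requested PIN-block translation.

    src, dst: PinBlockFormat members; any other value is treated as a
        non-standard format and refused.
    src_pan, dst_pan: the PAN associated with the input block and the
        requested output block (only consulted when both formats are PAN-bound).
    destination_is_icc: the output block will be submitted to an IC card.
    issuance_sensitive_state, token_cryptographically_bound: the two narrow
        exceptions under which a change of PAN is allowed for 0/3/4 -> 0/3/4.
    """
    if not isinstance(src, PinBlockFormat) or not isinstance(dst, PinBlockFormat):
        return False, "standard formats must not be translated to or from non-standard formats"

    # Format 2 output exists only for submission to an IC card
    # (offline PIN verification or PIN change).
    if dst is PinBlockFormat.ISO2:
        if destination_is_icc:
            return True, "format 2 permitted for submission to an IC card"
        return False, "format 2 output is only permitted for submission to an IC card"

    # A format 2 block must not be translated into formats 0, 1, 3 or 4.
    if src is PinBlockFormat.ISO2:
        return False, "format 2 blocks must not be translated into any other format"

    # Format 1 output: only 1 -> 1 is allowed; 0/3/4 must never go back to 1.
    if dst is PinBlockFormat.ISO1:
        if src is PinBlockFormat.ISO1:
            return True, "format 1 to format 1 permitted"
        return False, "formats 0, 3 and 4 must not be translated back into format 1"

    # Remaining case: dst is one of 0, 3, 4.
    if src is PinBlockFormat.ISO1:
        return True, "format 1 to format 0, 3 or 4 permitted"

    # Both sides PAN-bound: the PAN may not change, apart from two exceptions.
    if src_pan is None or dst_pan is None:
        return False, "a PAN is required on both sides of a PAN-bound translation"
    if src_pan == dst_pan:
        return True, "PAN-bound translation permitted without change of PAN"
    if issuance_sensitive_state:
        return True, "change of PAN permitted: sensitive state for card issuance"
    if token_cryptographically_bound:
        return True, "change of PAN permitted: PAN token cryptographically bound to real PAN"
    return False, "change of PAN is not permitted between formats 0, 3 and 4"


if __name__ == "__main__":
    # Constructed sample PANs for demonstration only.
    same = "4111111111111111"
    other = "5555555555554444"
    print(translation_permitted(PinBlockFormat.ISO0, PinBlockFormat.ISO3,
                                src_pan=same, dst_pan=same))
    print(translation_permitted(PinBlockFormat.ISO0, PinBlockFormat.ISO0,
                                src_pan=same, dst_pan=other))
    print(translation_permitted(PinBlockFormat.ISO4, PinBlockFormat.ISO1))
    print(translation_permitted(PinBlockFormat.ISO0, PinBlockFormat.ISO2,
                                destination_is_icc=True))
```

The PAN comparison here is deliberately the simplest possible check; a real implementation compares the PAN digits actually bound into each block (format 4 carries more of the PAN than formats 0 and 3) and treats the "sensitive state" and "token binding" flags as facts established by the HSM's own state machine, never as caller-supplied inputs. The note in 3-3 about surrogate PANs is what the token-binding exception models.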