PCI PIN Security v3.1
Framework
In Control Objective 3
List of requirements
PIN Security Requirements:
8-4 Public keys must be conveyed in a manner that protects their integrity and authenticity. Examples of acceptable methods include:
- Use of public-key certificates as defined in Annex A that are created by a trusted CA that meets the requirements of Annex A.
- Validating a hash of the public key sent by a separate channel (for example, mail)
- Using a MAC (message authentication code) created using the algorithm defined in ISO 16609
- Conveyance within an SCD
- Encrypted
Note: Self-signed certificates must not be used as the sole method of authentication.
Self-signed root certificates protect the integrity of the data within the certificate but do not guarantee the authenticity of the data. The authenticity of the root certificate is based on the use of secure procedures to distribute them. Specifically, they must be directly installed into the PIN pad of the ATM or POS device and not remotely loaded to the device subsequent to manufacture.
Testing Procedures:
8-4 For all methods used to convey public keys, perform the following:
8-4.a Examine documented procedures for conveying public keys to verify that methods are defined to convey public keys in a manner that protects their integrity and authenticity such as:
- Use of public-key certificates created by a trusted CA that meets the requirements of Annex A
- Validation of a hash of the public key sent by a separate channel (for example, mail)
- Using a MAC (message authentication code) created using the algorithm defined in ISO 16609
- Conveyance within an SCD
- Encrypted
8-4.b Validate that procedures dictate that self-signed certificates must not be used as the sole method of authentication.
8-4.c Observe the process for conveying public keys, associated logs, and interview responsible personnel to verify that the implemented method ensures public keys are conveyed in a manner that protects their integrity and authenticity.
PIN Security Requirements:
10-1 All key-encryption keys used to encrypt for transmittal or conveyance of other cryptographic keys must be at least as strong as the key being sent, as delineated in Annex C except as noted below for RSA keys used for key transport.
- TDEA keys used for encrypting keys must be at least double-length keys (have bit strength of 80 bits) and use the TDEA in an encrypt, decrypt, encrypt mode of operation for key-encipherment.
- A double- or triple-length TDEA key must not be encrypted with a TDEA key of a lesser strength.
- TDEA keys shall not be used to protect AES keys.
- TDEA keys shall not be used to encrypt keys greater in strength than 112 bits.
- RSA keys used to transmit or convey other keys must have bit strength of at least 80 bits.
- RSA keys encrypting keys greater in strength than 80 bits shall have bit strength at least 112 bits.
Note: Entities using POI version 1 and/or version 2 devices may use RSA key sizes of 1024 and/or SHA-1 if the devices do not support RSA key sizes of 2048 or SHA-2. However, in all cases, version 3 or higher devices must implement RSA using key sizes of 2048 or higher and SHA-2 when used for key distribution using asymmetric techniques in accordance with Annex A.
Testing Procedures:
10-1.a Examine documented procedures to verify there is a requirement that all keys used to transmit or convey other cryptographic keys must be at least as strong as any key transmitted or conveyed, except as noted for RSA keys.
10-1.b Using the network schematic and the summary listing of cryptographic keys and through interview of personnel, identify keys that protect other keys for transmission. Consider keys manually transferred (e.g., cryptograms sent to an ESO) as well as those that are system generated and transferred (e.g., KEK or TMK encrypting working keys).
10-1.c Observe key-generation processes for the key types identified above. Verify that all keys used to transmit or convey other cryptographic keys are at least as strong as any key transmitted or conveyed except as noted for RSA keys.
- Interview appropriate personnel and examine documented procedures for the creation of these keys.
- Using the table in Annex C, validate the respective key sizes for TDEA, RSA, Elliptic Curve, DSA, and Diffie Hellman algorithms where used for key encryption.
- Verify that:
  - TDEA keys used for encrypting keys must be at least double-length keys (have bit strength of 80 bits) and use the TDEA in an encrypt, decrypt, encrypt mode of operation for key-encipherment.
  - A double- or triple-length TDEA key must not be encrypted with a TDEA key of lesser strength.
  - TDEA keys are not used to protect AES keys.
  - TDEA keys shall not be used to encrypt keys greater in strength than 112 bits.
  - RSA keys used to transmit or convey other keys have bit strength of at least 80 bits.
  - RSA keys encrypting keys greater in strength than 80 bits have bit strength at least 112 bits.
  - Any POI device that is version 3 or higher is using RSA with a key size of at least 2048 and SHA-2, where applicable. Use as necessary the device information used in Requirement 1.
10-1.d Examine system documentation and configuration files to validate the above, including HSM settings.
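As an added example (not part of the standard or of this page), the following Python check encodes the Requirement 10-1 constraints on key-encryption keys so an assessor can run a key-hierarchy listing through them; the STRENGTH table, the function names and the poi_rsa_ok helper for the POI-version note are assumptions, not text from the standard.

```python
# Added example, not PCI SSC tooling: checks a proposed key-encryption key
# (KEK) against the Requirement 10-1 rules quoted above. The strength table is
# an assumption in the style of Annex C / NIST SP 800-57; the page itself only
# states that double-length TDEA has 80-bit strength.
STRENGTH = {
    ("TDEA", 64): 56, ("TDEA", 128): 80, ("TDEA", 192): 112,
    ("AES", 128): 128, ("AES", 192): 192, ("AES", 256): 256,
    ("RSA", 1024): 80, ("RSA", 2048): 112, ("RSA", 3072): 128,
}
SHA2 = {"SHA-224", "SHA-256", "SHA-384", "SHA-512"}


def strength(alg, key_bits):
    """Bit strength of a key; unknown sizes are rejected, never guessed."""
    if (alg, key_bits) not in STRENGTH:
        raise ValueError(f"no strength entry for {alg}-{key_bits}")
    return STRENGTH[(alg, key_bits)]


def kek_permitted(kek_alg, kek_bits, tgt_alg, tgt_bits, ede=True):
    """Return (allowed, reason) for wrapping a target key under this KEK."""
    kek, tgt = strength(kek_alg, kek_bits), strength(tgt_alg, tgt_bits)
    if kek_alg == "TDEA":
        if kek_bits < 128:
            return False, "TDEA KEK must be at least double-length"
        if not ede:  # 'ede' flags encrypt-decrypt-encrypt mode of operation
            return False, "TDEA KEK must use encrypt-decrypt-encrypt mode"
        if tgt_alg == "AES":
            return False, "TDEA keys shall not protect AES keys"
        if tgt > 112:
            return False, "TDEA keys shall not encrypt keys stronger than 112 bits"
        if kek < tgt:  # covers double-length wrapping triple-length TDEA
            return False, "TDEA KEK is weaker than the key it wraps"
    elif kek_alg == "RSA":  # RSA transport keys get the two stated floors
        if kek < 80:
            return False, "RSA transport key needs at least 80-bit strength"
        if tgt > 80 and kek < 112:
            return False, "RSA key wrapping a >80-bit key needs 112-bit strength"
    elif kek < tgt:  # general Annex C rule for every other KEK algorithm
        return False, "KEK is weaker than the key it wraps"
    return True, "permitted"


def poi_rsa_ok(poi_version, rsa_bits, hash_alg):
    """Note to 10-1: v1/v2 POI devices may fall back to RSA-1024 / SHA-1."""
    if poi_version >= 3:
        return rsa_bits >= 2048 and hash_alg in SHA2
    return rsa_bits >= 1024 and (hash_alg == "SHA-1" or hash_alg in SHA2)
```

The RSA branch deliberately does not apply the generic "at least as strong" rule, because 10-1 exempts RSA transport keys from it in favour of the two stated size floors (RSA-2048 at 112 bits may therefore carry an AES-128 key).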