PCI PIN Security v3.1

PIN Security Requirements:
12-1 The loading of secret or private keys, when loaded from the individual key components, must be managed using the principles of dual control and split knowledge. Note: Manual key loading may involve the use of media such as paper, smart cards, or other physical tokens.
Testing Procedures:
12-1.a Using the summary of cryptographic keys, identify keys that are loaded from components and examine documented process to load each key type (MFK, TMK, PEK, etc.) from components to ensure dual control and split knowledge are required.
12-1.b Interview appropriate personnel to determine the number of key components for each manually loaded key.
12-1.c Witness a structured walk-through/demonstration of various key-loading processes for all key types (MFKs, TMKs, PEKs. etc.). Verify the number and length of the key components against information provided through verbal discussion and written documentation.
12-1.d Verify that the process includes the entry of individual key components by the designated key custodians.
12-1.e Ensure key-loading devices can only be accessed and used under dual control 

PIN Security Requirements:
12-2 Procedures must be established that will prohibit any one person from having access to components sufficient to form an encryption key when components are removed from and returned to storage for key loading.
Testing Procedures:
12-2 Examine logs of access to security containers for key components/shares to verify that only the authorized custodian(s) have accessed. Compare the number on the current tamper-evident and authenticable package for each component to the last log entry for that component. 
Trace historical movement of higher-order keys (MFK, KEK, and BDK) in and out of secure storage to ensure there is no break in the package-number chain that would call into question authorized handling and sufficient storage of the component or share. This must address at a minimum the time frame from the date of the prior audit. 

PIN Security Requirements:
12-3 The loading of clear-text cryptographic keys using a key-loading device requires dual control to authorize any key-loading session. It shall not be possible for a single person to use the key-loading device to load clear keys alone. 
Dual control must be implemented using one or more of, but not limited to, the following techniques: 

Note: For devices that do not support two or more passwords/authentication codes, this may be achieved by splitting the single password used by the device into two halves, each half controlled by a separate authorized custodian. Each half must be a minimum of five characters. Note: Passwords/authentication codes to the same object may be assigned to a custodian group team⎯e.g., custodian team for component A. Note: The addition of applications that replace or disable the PCI-evaluated firmware functionality invalidates the device approval for each such implementation unless those applications are validated for compliance to PTS POI Security Requirements and listed as such in the approval listings.
Testing Procedures:
12-3.a Identify instances where a key-loading device is used to load clear-text keys. Examine documented procedures for loading of clear-text cryptographic keys, including public keys, to verify: 

12-3.b For each type of production SCDs loaded with a key-loading device, observe the processes (e.g., a demonstration) of loading clear-text cryptographic keys and interview personnel. Verify that: 

12-3.c Examine documented records of key-loading to verify the presence of two authorized persons during each type of key-loading activity.
12-3.d Ensure that any default dual-control mechanisms (e.g., default passwords/authentication codes—usually printed in the vendor's manual—in a key-loading device) have been disabled or changed. 

PIN Security Requirements:
12-4 Key components for symmetric keys must be combined using a process such that no active bit of the key can be determined without knowledge of the remaining components. (For example, via XOR‘ing of full-length components.)
Note: Concatenation of key components together to form the key is unacceptable; e.g., concatenating two 8-hexadecimal character halves to form a 16-hexadecimal secret key.
The resulting key must only exist within the SCD.
Testing Procedures:
12-4.a Examine documented procedures for combining symmetric key components and observe processes to verify that key components are combined using a process such that no active bit of the key can be determined without knowledge of the remaining components⎯e.g. only within an SCD.
12-4.b Confirm key-component lengths through interview and examination of blank component forms and documented procedures. Examine device configuration settings and interview personnel to verify that key components used to create a key are the same length as the resultant key. 

PIN Security Requirements:
12-5 Hardware security module (HSM) Master File Keys, including those generated internal to the HSM and never exported, must be at least doublelength keys and use the TDEA (including parity bits) or AES using a key size of at least 128 bits.
Testing Procedures:
12-5 Examine vendor documentation describing options for how the HSM MFK is created and verify the current MFK was created using AES or double- or triplelength TDEA. Corroborate this via observation of processes, with information gathered during the interview process, and procedural documentation provided by the entity under review. 

PIN Security Requirements:
12-6 Any other SCD loaded with the same key components must combine all entered key components using the identical process.
Testing Procedures:
12-6 Through examination of documented procedures, interviews, and observation, confirm that any devices that are loaded with the same key components use the same mathematical process to derive the final key, 

PIN Security Requirements:
12-7 The initial terminal master key (TMK) or initial DUKPT key must be loaded to the device using either asymmetric key-loading techniques or manual techniques—e.g., the device keypad, IC cards, key-loading device, etc. Subsequent loading of the terminal master key may use techniques described in this document such as: 

For AES DUKPT, using the option to derive a key-encryption key called the DUKPT Update Key, so that the host can send a device a new initial key encrypted under that key. Note this also requires that a new initial key ID is also sent.
Keys shall not be reloaded by any methodology in the event of a compromised device and must be withdrawn from use.
Testing Procedures:
12-7.a Examine documented procedures for the loading of TMKs and initial DUKPT keys to verify that they require asymmetric key-loading techniques or manual techniques for initial loading and allowed methods for replacement TMK or initial DUKPT key loading.
12-7.b Examine documented procedures to verify that keys are withdrawn from use if they were loaded to a device that has been compromised or went missing. 

PIN Security Requirements:
12-8 If key-establishment protocols using public-key cryptography are used to distribute secret keys, these must meet the requirements detailed in Annex A of this document. For example: 

PIN Security Requirements:
12-9 Key-injection facilities must implement dual control and split-knowledge controls for the loading of keys into devices (for example, POIs and other SCDs).
Note: Such controls may include but are not limited to: 

12-9.a Examine documented key-injection procedures to verify that the procedures define use of dual control and split knowledge controls for the loading of keys into devices. 

12-9.b Interview responsible personnel and observe key-loading processes and controls to verify that dual control and split-knowledge controls are in place for the loading of keys into devices.
12-9.c Examine records of key-loading processes and controls to verify that the loading of keys does not occur without dual control and split knowledge. 

PIN Security Requirements:
13-1 Clear-text secret and private keys and key components must be transferred into an SCD only when it can be ensured that: 

13-1 Observe key-loading environments, processes, and mechanisms (for example, terminals, PIN pads, key guns, etc.) used to transfer keys and key components. Perform the following: 

PIN Security Requirements:
13-2 Only SCDs shall be used in the loading of clear-text secret or private keys or their components outside of a secure key-loading facility, as delineated in the requirements in this Annex. For example, ATM controller (computer) keyboards or those attached to an HSM shall never be used for the loading of clear-text secret or private keys or their components.
Note: The addition of applications⎯e.g., component, share, or key-loading applications⎯that replace or disable the PCI evaluated firmware functionality invalidates the device approval for each such implementation unless those applications are validated for compliance to PTS POI Security Requirements and listed as such in the approval listings.
Testing Procedures:
13-2.a Examine documentation to verify that only SCDs are used in the loading of clear-text secret or private keys or their components, outside of a secure key-loading facility, as delineated in this Annex. For example, ATM keyboards or keyboards attached to an HSM shall never be used for the loading of clear-text secret or private keys or their components.
13-2.b Observe a demonstration of key loading to verify that only SCDs are used in the loading of clear-text secret or private keys or their components outside of a secure key-loading facility. 

PIN Security Requirements:
13-3 The loading of plaintext secret or private key components or shares from an electronic medium—e.g., smart card, thumb drive, fob or other devices used for data transport—directly into a cryptographic device (and verification of the correct receipt of the component, if applicable) results in either of the following: 

13-3.a Examine documented procedures for the loading of secret or private key components from an electronic medium to a cryptographic device. Verify that procedures define specific instructions to be followed as a result of key loading, including: 

13-3.b Observe key-loading processes to verify that the loading process results in one of the following: 

13-3.c Examine records/logs of erasures to confirm that: 

PIN Security Requirements:
13-4.1 The key-loading device must be a physically secure SCD, designed and implemented in such a way that any unauthorized disclosure of the key is prevented or detected.
Note: A PCI-approved KLD meets this requirement for a SCD.
Testing Procedures:
13-4.1 Verify the key-loading device is a physically secure SCD designed and implemented in such a way that any unauthorized disclosure of the key is prevented or detected. 

PIN Security Requirements:
13-4.2 The key-loading device must be under the supervision of a person authorized by management or stored in a secure container such that no unauthorized person can have access to it.
Testing Procedures:
13-4.2 Verify the key-loading device is under the supervision of a person authorized by management or stored in a secure container such that no unauthorized person can have access to it. 

PIN Security Requirements:
13-4.3 The key-loading device must be designed or controlled so that only authorized personnel under dual control can use and enable it to output a key into another SCD. Such personnel must ensure that a key-recording device is not inserted between the SCDs.
Testing Procedures:
13-4.3.a Verify the key-loading device is designed or controlled so that only authorized personnel under dual control can use and enable it to output a key into another SCD.
13-4.3.b Verify that both authorized personnel involved in key-loading activity inspect the key-loading device prior to use to ensure that a key-recording device has not been inserted between the SCDs. 

PIN Security Requirements:
13-4.4 The key-loading device must not retain any information that might disclose the key⎯e.g., allow replay of the key for injection into a non-SCD⎯that was installed in the device or a key that it has successfully transferred.
Testing Procedures:
13-4.4 Verify the key-loading device does not retain any information that might disclose the key or a key that it has successfully transferred. For example, attempt to output the same value more than one time from the device or cause the device to display check values for its contents both before and after injection and compare. 

PIN Security Requirements:
13-5 Any media (electronic or otherwise) containing secret or private key components or shares used for loading cryptographic keys must be maintained in a secure storage location and accessible only to authorized custodian(s).
When removed from the secure storage location, media or devices containing key components or used for the injection of clear-text cryptographic keys must be in the physical possession of only the designated component holder(s), and only for the minimum practical time necessary to complete the key-loading process.
The media upon which a component resides must be physically safeguarded at all times when removed from secure storage.
Key components that can be read/displayed (for example, those printed on paper or stored on magnetic cards, PROMs, or smartcards) must be managed so they are never used in a manner that would result in the component being displayed in clear text to anyone who is not a designated custodian for that component.
Testing Procedures:
13-5.a Interview personnel and observe media locations to verify that the media is maintained in a secure storage location accessible only to custodian(s) authorized to access the key components.
13-5.b Examine documented procedures for removing media or devices containing key components—or that are otherwise used for the injection of cryptographic keys—from the secure storage location. Verify procedures include the following: 

13-5.c Interview designated component holder(s) and examine key-management logs to verify that media or devices removed from secure storage are in the physical possession of only the designated component holder.
13-5.d Interview key-injection personnel and examine logs for the removal of media/devices from secure storage to verify they are removed only for the minimum practical time necessary to complete the key-loading process. 

PIN Security Requirements:
13-6 If the component is in human-readable form (e.g., printed within a PIN-mailer type document), it must be visible only to the designated component custodian and only for the duration of time required for this person to privately enter the key component into an SCD.
Testing Procedures:
13-6 Validate through interview and observation that printed key components are not opened until just prior to entry into the SCD. Plaintext secret and/or private keys and/or their components are visible only to key custodians for the duration of loading into an SCD. 

PIN Security Requirements:
13-7 Written or printed key-component documents must not be opened until immediately prior to use.
Testing Procedures:
13-7.a Examine documented procedures and confirm that printed/written key-component documents are not opened until immediately prior to use.
13-7.b Observe key-loading processes and verify that printed/written key components are not opened until immediately prior to use. 

PIN Security Requirements:
13-8 A person with access to any component or share of a secret or private key, or to the media conveying this value, must not have access to other components or shares of this key or to any other medium containing other components or shares of this key that are sufficient to form the necessary threshold to derive the key.
E.g., in an m-of-n scheme (which must use a recognized secret-sharing scheme such as Shamir), such that any three key components or shares (i.e., m = 3) can be used to derive the key, no single individual can have access to more than two components/shares.
Testing Procedures:
13-8.a Examine documented procedures for the use of key components to verify that procedures ensure that any individual custodian only has access to their assigned components and never has access to sufficient key components to reconstruct a cryptographic key.
13-8.b Examine key-component access controls and access logs to verify that any single authorized custodians can and has only had access to their assigned component(s) and cannot access sufficient key components to reconstruct a cryptographic key. 

PIN Security Requirements:
13-9.1 PCs and similar devices must be: 

PIN Security Requirements:
13-9.2 All hardware used in key loading (including the PC) must be managed under dual control. Key-injection must not occur unless there are minimally two individuals in the key-injection room at all times during the process. If a situation arises that would cause only one person to be in the room, all individuals must exit until at least two can be inside.
Testing Procedures:
13-9.2 Verify through interviews and observation that: 

PIN Security Requirements:
13-9.3 PC access and use must be monitored, and logs of all key loading must be maintained. These logs must be retained for a minimum of three years. The logs must be regularly (no less frequently than weekly) reviewed by an authorized person who does not have access to the room or to the PC. The reviews must be documented. The logs must include but not be limited to: 

13-9.3.a Verify through interviews and observation that logs of key-loading activities are maintained and meet the following: 

13-9.3.b Verify through interviews and observation that logs of key-loading activities are maintained and meet the following: 

PIN Security Requirements:
13-9.4.1 Cable attachments and the key-loading device must be examined before each use to ensure the equipment is free from tampering.
Testing Procedures:
13-9.4.1 Cable attachments and the key-loading device are examined before each use to ensure the equipment is free from tampering. 

PIN Security Requirements:
13-9.4.2 The key-loading device must be started from a powered-off position every time key-loading activities occur.
Testing Procedures:
13-9.4.2 The key-loading device is started from a powered-off position every time key-loading activities occur. 

PIN Security Requirements:
13-9.4.3 The software application must load keys without recording any clear-text values on portable media or other unsecured devices.
Testing Procedures:
13-9.4.3 The software application loads keys without recording any clear-text values on portable media or other unsecured devices.

PIN Security Requirements:
13-9.4.4 Clear-text keys must not be stored except within an SCD.
Testing Procedures:
13-9.4.4 Clear-text keys are not stored except within an SCD. 

PIN Security Requirements:
13-9.4.5 The personnel responsible for the systems administration of the PC (e.g., a Windows administrator who configures the PC’s user IDs and file settings, etc.) must not have authorized access into the room—they must be escorted by authorized key-injection personnel—and they must not have user IDs or passwords/authentication codes to operate the key-injection application.
Testing Procedures:
13-9.4.5 Personnel responsible for the systems administration of the PC do not have authorized access into the room—i.e., they are escorted by authorized key-injection personnel—and do not have user IDs or passwords/authentication codes to operate the key-injection application. 

PIN Security Requirements:
13-9.4.6 The key-injection personnel must not have system-administration capability at either the O/S or the application level on the PC.
Testing Procedures:
13-9.4.6 Key-injection personnel do not have system-administration capability at either the O/S or the application level on the PC. 

PIN Security Requirements:
13-9.4.7 The PC must not be able to boot from external media (e.g., USB devices or CDs). It must boot from the hard drive only.
Testing Procedures:
13-9.4.7 The PC is not able to boot from external media (e.g., USB devices or CDs). It must boot from the hard drive only. 

PIN Security Requirements:
13-9.4.8 Key-injection facilities must cover all openings on the PC that are not used for key-injection with security seals that are tamper-evident and serialized. Examples include but are not limited to PCMCIA, network, infrared and modem connections on the PC, and access to the hard drive and memory. The seals must be recorded in a log, and the log must be maintained along with the other key-loading logs in a dualcontrol safe. Verification of the seals must be performed prior to key-loading activities.
Testing Procedures:
13-9.4.8 All openings on the PC that are not used for key-injection are covered with security seals that are tamper-evident and serialized. The seals are recorded in a log, and the log is maintained along with the other keyloading logs in a dual-control safe. Verification of the seals must be performed prior to key-loading activities. 

PIN Security Requirements:
13-9.4.9 If the PC application reads or stores clear-text key components, for example, BDKs or TMKs, from portable electronic media (e.g., smart cards), the media must be secured as components under dual control when not in use. The key components must be manually entered at the start of each key-injection session from components that are maintained under dual control and split knowledge.
Note: For DUKPT implementations, the BDK must be loaded from components each time and this requires manual tracking of the device ID counter and serial numbers from the previous key-loading session. Key-injection facilities with PC applications that require passwords/authentication codes to be used to initiate decryption of keys on portable electronic media (e.g., smart cards) must ensure the passwords/authentication codes are maintained under dual control and split knowledge.
Testing Procedures:
13-9.4.9 If the PC application reads or stores keys (e.g., BDKs or TMKs) from portable electronic media (e.g., smart cards), the media is secured as components under dual control when not in use. The key components are manually entered at the start of each key-injection session from components that are maintained under dual control and split knowledge. 

PIN Security Requirements:
13-9.4.10 Manufacturer’s default passwords/authentication codes for PC-based applications must be changed.
Testing Procedures:
13-9.4.10 Manufacturer’s default passwords/authentication codes for PC-based applications are changed. 

PIN Security Requirements:
14-1 Any hardware and passwords/authentication codes used in the key-loading function must be controlled and maintained in a secure environment under dual control. Resources (e.g., passwords/authentication codes and associated hardware) must be managed such that no single individual has the capability to enable key loading. This is not to imply that individual access authentication mechanisms must be managed under dual control.
Testing Procedures:
14-1.a Examine documented procedures to verify they require the following: 

14-1.b Observe key-loading environments and controls to verify the following: 

PIN Security Requirements:
14-2 All cable attachments over which clear-text keying material traverses must be examined at the beginning of an entity's key-activity operations (system power on/authorization) to ensure they have not been tampered with or compromised.
Testing Procedures:
14-2.a Examine documented procedures to ensure they require that cable attachments are examined at the beginning of an entity's key-activity operations (system power on/authorization).
14-2.b Observe key-loading processes to verify that all cable attachments are properly examined at the beginning of an entity's key-activity operations (system power on/authorization). 

PIN Security Requirements:
14-3 Key-loading equipment usage must be monitored, and a log of all key-loading activities maintained for audit purposes containing at a minimum date, time, personnel involved, and number of devices keys are loaded to.
Testing Procedures:
14-3.a Observe key-loading activities to verify that key-loading equipment usage is monitored.
14-3.b Verify logs of all key-loading activities are maintained and contain all required information. 

PIN Security Requirements:
14-4 Any physical tokens (e.g., brass keys or chip cards) used to enable key-loading must not be in the control or possession of any one individual who could use those tokens to load secret or private cryptographic keys under single control. These tokens must be secured in a manner similar to key components including tamper-evident authenticable packaging and the use of access-control logs for when removed or placed into secure storage.
Testing Procedures:
14-4.a Examine documented procedures for the use of physical tokens (e.g., brass keys or chip cards) to enable key loading. Verify procedures require that physical tokens must not be in the control or possession of any one individual who could use those tokens to load secret or private cryptographic keys under single control.
14-4.b Inspect locations and controls for physical tokens to verify that tokens used to enable key loading are not in the control or possession of any one individual who could use those tokens to load secret or private cryptographic keys under single control.
14-4.c Examine storage locations for physical tokens to determine adequacy to ensure that only the authorized custodian(s) can access their specific tokens.
14-4.d Verify that access-control logs exist and are in use, including notation of tamper-evident authenticable bag numbers.
14-4.e Reconcile storage contents to access-control logs. 

PIN Security Requirements:
14-5 Default passwords/authentication codes used to enforce dual control must be changed, and documented procedures must exist to require that these password/PINs be changed when assigned personnel change.
Testing Procedures:
14-5.a Verify that documented procedures require default passwords/authentication codes used to enforce dual control are changed.
14-5.b Verify that documented procedures exist to require that these passwords/authentication codes be changed when assigned personnel change 

PIN Security Requirements:
15-1 A cryptographic-based validation mechanism must be in place to ensure the authenticity and integrity of keys and/or their components (for example, testing key check values, hashes, or other similar unique values that are based upon the keys or key components being loaded). See ISO 11568.
Where check values are used, recorded, or displayed, key-component check values and key check values shall be generated by a cryptographic process such that all portions of the key or key component are involved in generating the check value. The check value shall be in accordance with the following note.
Note:. Check values may be computed by two methods. TDEA may use either method. AES must only use the CMAC method. In the first method, check values are computed by encrypting an all binary zeros block using the key or component as the encryption key, using the leftmost n-bits of the result; where n is at most 24 bits (6 hexadecimal digits/3 bytes). In the second method the KCV is calculated by MACing an all binary zeros block using the CMAC algorithm as specified in ISO 9797-1 (see also NIST SP 800-38B). The check value will be the leftmost n-bits of the result, where n is at most 40 bits (10 hexadecimal digits). The block cipher used in the CMAC function is the same as the block cipher of the key itself. A TDEA key or a component of a TDEA key will be MACed using the TDEA block cipher, while a 128-bit AES key or component will be MACed using the AES-128 block cipher.
Testing Procedures:
15-1.a Examine documented procedures to verify a cryptographic-based validation mechanism is in place to ensure the authenticity and integrity of keys and/or components.
15-1.b Observe the key-loading processes to verify that the defined cryptographic-based validation mechanism used to ensure the authenticity and integrity of keys and components is being used and are verified by the applicable key custodians.
15-1.c Verify that the methods used for key validation are consistent with ISO 11568—for example, if check values are used, they are in accordance with this requirement. 

PIN Security Requirements:
15-2 The public key must have its authenticity and integrity ensured. In order to ensure authenticity and integrity, a public key must be encrypted, or if in plaintext form, must: 

PIN Security Requirements:
16-1 Documented key-loading procedures must exist for all devices (e.g., HSMs and POIs), and all parties involved in cryptographic key loading must be aware of those procedures.
Testing Procedures:
16-1.a Verify documented procedures exist for all key-loading operations.
16-1.b Interview responsible personnel to verify that the documented procedures are known and understood by all affected parties for all key-loading operations.
16-1.c Observe key-loading process for keys loaded as components and verify that the documented procedures are demonstrably in use. This may be done as necessary on test equipment—e.g., for HSMs. 

PIN Security Requirements:
16-2 All key-loading events must be documented. Audit trails must be in place for all key-loading events.
Testing Procedures:
16-2 Examine log files and observe logging processes to verify that audit trails are in place for all key-loading events.