PCI PIN Security v3.1

PIN Security Requirements:
29-1.1.1 Access to all POIs and other SCDs is documented, defined, logged, and controlled such that unauthorized individuals cannot access, modify, or substitute any device without detection.
The minimum log contents include date and time, object name/identifier, purpose, name of individual(s) involved, signature or electronic capture (e.g., badge) of individual involved and if applicable, tamper-evident package number(s) and serial number(s) of device(s) involved. Electronic logging⎯e.g., using bar codes⎯is acceptable for device tracking.
Testing Procedures:
29-1.1.1.a Examine access-control documentation and device configurations to verify that access to all POIs and key-injection/loading devices is defined and documented.
29-1.1.1.b For a sample of POIs and other SCDs, observe authorized personnel accessing devices and examine access logs to verify that access to all POIs and other SCDs is logged.
29-1.1.1.c Examine implemented access controls to verify that unauthorized individuals cannot access, modify, or substitute any POI or other SCD. 

PIN Security Requirements:
29-1.1.2 All personnel with access to POIs and other SCDs prior to deployment are documented in a formal list and authorized by management. A documented security policy must exist that requires the specification of personnel with authorized access to all secure cryptographic devices. This includes documentation of all personnel with access to POIs and other SCDs as authorized by management. The list of authorized personnel is reviewed at least annually.
Testing Procedures:
29-1.1.2.a Examine documented authorizations for personnel with access to devices to verify that prior to deployment: 

29-1.1.2.b For a sample of POIs and other SCDs, examine implemented access controls to verify that only personnel documented and authorized in an auditable manner have access to devices. 

PIN Security Requirements:
29-1.2 POIs and other SCDs must not use default keys or data (such as keys that are pre-installed for testing purposes) or passwords/authentication codes.
Testing Procedures:
29-1.2.a Examine vendor documentation or other information sources to identify default keys (such as keys that are pre-installed for testing purposes), passwords, or data.
29-1.2.b Observe implemented processes and interview personnel to verify that default keys or passwords are not used. 

PIN Security Requirements:
29-3 Implement physical protection of devices from the manufacturer’s facility up to the point of key-insertion and deployment, through one or more of the following: 

29-3.a Examine documented procedures to confirm that they require physical protection of devices from the manufacturer’s facility up to the point of key-insertion and deployment, through one or more of the defined methods.
29-3.b Interview responsible personnel to verify that one or more of the defined methods are in place to provide physical device protection for devices, from the manufacturer’s facility up to the point of key-insertion and deployment. 

PIN Security Requirements:
29-4.1 HSM serial numbers must be compared to the serial numbers documented by the sender (sent using a different communication channel from the device) to ensure device substitution has not occurred. A record of device serial-number verification must be maintained.
Note: Documents used for this process must be received via a different communication channel—i.e., the control document used must not have arrived with the equipment. An example of how serial numbers may be documented by the sender includes but is not limited to the manufacturer’s invoice or similar document.
Testing Procedures:
29-4.1.a Interview responsible personnel to verify that device serial numbers are compared to the serial number documented by the sender.
29-4.1.b For a sample of received devices, examine sender documentation sent via a different communication channel than the device’s shipment (for example, the manufacturer’s invoice or similar documentation) used to verify device serial numbers. Examine the record of serial-number validations to confirm the serial number for the received device was verified to match that documented by the sender. 

PIN Security Requirements:
29-4.2 The security policy enforced by the HSM must not allow unauthorized or unnecessary functions. HSM API functionality and commands that are not required to support specified functionality must be disabled before the equipment is commissioned. 

PIN Security Requirements:
29-4.3 When HSMs are connected to online systems, controls are in place to prevent the use of an HSM to perform privileged or sensitive functions that are not available during routine HSM operations.
Examples of sensitive functions include but are not limited to: loading of key components, outputting clear-text key components, and altering HSM configuration.
Testing Procedures:
29-4.3 Examine HSM configurations and observe processes to verify that HSMs are not enabled in a sensitive state when connected to online systems. 

PIN Security Requirements:
29-4.4.1 Running self-tests to ensure the correct operation of the device
Testing Procedures:
29-4.4.1 Examine records of device inspections and test resu lts to verify that self-tests are run on devices to ensure the correct operation of the device. 

PIN Security Requirements:
29-4.4.2 Installing (or re-installing) devices only after confirming that the device has not been tampered with or compromised
Testing Procedures:
29-4.4.2 Observe inspection processes and interview responsible personnel to verify that devices are installed, or reinstalled, only after confirming that the device has not been tampered with or compromised. 

PIN Security Requirements:
29-4.4.3 Physical and/or functional tests and visual inspection to confirm that physical and logical controls and anti-tamper mechanisms are not modified or removed
Testing Procedures:
29-4.4.3 Observe inspection processes and interview responsible personnel to confirm processes include physical and/or functional tests and visual inspection to verify that physical and logical controls and anti-tamper mechanisms are not modified or removed 

PIN Security Requirements:
29-4.4.4 Maintaining records of the tests and inspections, and retaining records for at least one year
Testing Procedures:
29-4.4.4.a Examine records of inspections and interview responsible personnel to verify records of the tests and inspections are maintained.
29-4.4.4.b Examine records of inspections to verify records are retained for at least one year. 

PIN Security Requirements:
29-5 Maintain HSMs in tamper-evident packaging or in secure storage until ready for installation.
Testing Procedures:
29-5.a Examine documented procedures to verify they require devices be maintained in tamper-evident packaging until ready for installation.
29-5.b Observe a sample of received devices to verify they are maintained in tamper-evident packaging until ready for installation. 

PIN Security Requirements:
30-3 Processes must exist to ensure that key-injection operations are performed and reconciled on an inventory of pre-authorized devices. Processes must include the following: 

Note: The KIF platform must ensure that only authorized devices can ever be injected or initialized with authorized keys. Processes must prevent (1) substitution of an authorized device with an unauthorized device, and (2) insertion of an unauthorized device into a production run.
Testing Procedures:
30.3.a Obtain and examine documentation of inventory control and monitoring procedures. Determine that the procedures cover: 

30.3.b Interview applicable personnel to determine that procedures are known and followed. 

PIN Security Requirements:
31-1.1 HSMs require dual control (e.g., to invoke the system menu) to implement for all critical decommissioning processes.
Testing Procedures:
31-1.1.a Examine documented procedures for removing HSM from service to verify that dual control is implemented for all critical decommissioning processes.
31-1.1.b Interview personnel and observe demonstration (if HSM is available) of processes for removing HSM from service to verify that dual control is implemented for all critical decommissioning processes 

PIN Security Requirements:
31-1.2 Keys are rendered irrecoverable (for example, zeroized) for SCDs. If data cannot be rendered irrecoverable, devices must be physically destroyed under dual control to prevent the disclosure of any sensitive data or keys.
Testing Procedures:
31-1.2 Interview personnel and observe demonstration of processes for removing SCDs from service to verify that all keying material is rendered irrecoverable (for example, zeroized), or that devices are physically destroyed prior to leaving the dual-control area to prevent the disclosure of any sensitive data or keys. 

PIN Security Requirements:
31-1.3 SCDs being decommissioned are tested and inspected to ensure keys have been rendered irrecoverable.
Testing Procedures:
31-1.3 Interview personnel and observe processes for removing SCDs from service to verify that tests and inspections of devices are performed to confirm that keys have been rendered irrecoverable or the devices are physically destroyed. 

PIN Security Requirements:
31-1.4 Affected entities are notified before devices are returned.
Testing Procedures:
31-1.4 Interview responsible personnel and examine device-return records to verify that affected entities are notified before devices are returned. 

PIN Security Requirements:
31-1.5 Devices are tracked during the return process.
Testing Procedures:
31-1.5 Interview responsible personnel and examine device-return records to verify that devices are tracked during the return process. 

PIN Security Requirements:
31-1.6 Records of the tests and inspections maintained for at least one year.
Testing Procedures:
31-1.6 Interview personnel and observe records to verify that records of the tests and inspections are maintained for at least one year. 

PIN Security Requirements:
32-1.1 Devices must not be authorized for use except under the dual control of at least two authorized people.
Note: Dual control consists of logical and/or physical characteristics. For example, dual control may be implemented for logical access via two individuals with two different passwords/authentication codes at least five characters in length, or for physical access via a physical lock that requires two individuals, each with a different high-security key. For devices that do not support two or more passwords/authentication codes, this may be achieved by splitting the single password used by the device into two halves, each half controlled by a separate authorized custodian. Each half must be a minimum of five characters. Physical keys, authorization codes, passwords/authentication codes, or other enablers must be managed so that no one person can use both the enabler(s) and the device, which can create cryptograms of known keys or key components under a key-encipherment key used in production.
Testing Procedures:
32-1.1 Observe dual-control mechanisms and device-authorization processes to confirm that logical and/or physical characteristics are in place that prevent the device being authorized for use except under the dual control of at least two authorized people. 

PIN Security Requirements:
32-1.2 Passwords/authentication codes used for dual control must each be of at least five numeric and/or alphabetic characters.
Testing Procedures:
32-1.2 Observe password policies and configuration settings to confirm that passwords/authentication codes used for dual control must be at least five numeric and/or alphabetic characters. 

PIN Security Requirements:
32-1.3 Dual control must be implemented for the following: 

32-1.3 Examine dual-control mechanisms and observe authorized personnel performing the defined activities to confirm that dual control is implemented for the following: 

PIN Security Requirements:
32-1.4 Devices must not use default passwords/authentication codes.
Testing Procedures:
32-1.4.a Examine password policies and documented procedures to confirm default passwords/authentication codes must not be used for HSMs, KLDs, and other SCDs used to generate or load cryptographic keys.
32-1.4.b Observe device configurations and interview device administrators to verify that HSMs, KLDs, and other SCDs used to generate or load cryptographic keys do not use default passwords/authentication codes. 

PIN Security Requirements:
32-1.5 To detect any unauthorized use, devices are at all times within a secure room and either: 

Note: POI devices may be secured by storage in the dual-control access key injection room.
Testing Procedures:
32-1.5.a Examine documented procedures to confirm that the documented procedures require devices are within a secure room and either: 

32-1.5.b Interview responsible personnel and observe devices and processes to confirm that devices are either: 

PIN Security Requirements:
32-8.2 The KIF must implement mutually authenticated channels for communication between distributed KIF functions—for example, between a host used to generate keys and a host used to distribute keys.
Testing Procedures:
32-8.2 Examine documented procedures to confirm they specify the establishment of a channel for mutual authentication of the sending and receiving devices. 

PIN Security Requirements:
32-8.5 The KIF must implement a mutually authenticated channel for establishment of enciphered secret or private keys between POI devices and an HSM at the KIF.
Testing Procedures:
32-8.5 Examine documented procedures to confirm they specify the establishment of a mutually authenticated channel for establishment of enciphered secret or private keys between sending and receiving devices— e.g., POI devices and HSMs. 

PIN Security Requirements:
32-8.6 Mutual authentication of the sending and receiving devices must be performed. 

32-8.6 Interview responsible personnel and observe processes for establishment of enciphered secret or private keys between sending and receiving devices to verify: 

PIN Security Requirements:
32-8.7 Mechanisms must exist to prevent a non-authorized host from injecting keys into POIs or an unauthorized POI from establishing a key with a legitimate KIF component.
Testing Procedures:
32-8.7 Examine documented procedures to confirm they define mechanisms to prevent an unauthorized host from performing key transport, key exchange, or key establishment with POIs. 

PIN Security Requirements:
32-9.2 Any windows into the secure room must be locked and protected by alarmed sensors.
Testing Procedures:
32-9.2.a Observe all windows in the secure room to verify they are locked and protected by alarmed sensors.
32-9.2.b Examine configuration of window sensors to verify that the alarm mechanism is active. 

PIN Security Requirements:
32-9.3 Any windows must be covered, rendered opaque, or positioned to prevent unauthorized observation of the secure room.
Testing Procedures:
32-9.3 Observe all windows in the secure room to verify they are covered, rendered opaque, or positioned to prevent unauthorized observation of the secure room. 

PIN Security Requirements:
32-9.4 A solid-core door or a steel door must be installed to ensure that door hinges cannot be removed from outside the room.
Testing Procedures:
32-9.4 Inspect the secure room to verify that it is only accessed through a solid-core or a steel door, with door hinges that cannot be removed from outside the room. 

PIN Security Requirements:
32-9.5 An electronic access control system (for example, badge and/or biometrics) must be in place that enforces: 

32-9.5 Observe authorized personnel entering the secure room to verify that a badge-control system is in place that enforces the following requirements: 

PIN Security Requirements:
32-9.6 The badge-control system must support generation of an alarm when one person remains alone in the secure room for more than 30 seconds.
Note: Examples of alarm-generation mechanisms include but are not limited to motion detectors, login/logout controls, biometrics, badge sensors, etc.
Testing Procedures:
32-9.6 Examine alarm mechanisms and interview alarm-response personnel to verify that the badge-control system supports generation of an alarm when one person remains alone in the secure room for more than 30 seconds. 

PIN Security Requirements:
32-9.7 CCTV cameras must record all activity, including recording events during dark periods through the use of infrared CCTV cameras or automatic activation of floodlights in case of any detected activity. This recording may be motion-activated. The recording must continue for at least a minute after the last pixel of activity subsides.
Testing Procedures:
32-9.7 Inspect CCTV configuration and examine a sample of recordings to verify that CCTV monitoring is in place on a 24/7 basis, including the ability to record events during dark periods, and if motion activated verify that recording continues for at least a minute after the last pixel of activity subsides. 

PIN Security Requirements:
32-9.8 Monitoring must be supported on a continuous (24/7) basis such that alarms can be resolved by authorized personnel.
Testing Procedures:
32-9.8 Inspect configuration of monitoring systems and interview monitoring personnel to verify that monitoring is supported on a continuous (24/7) basis and alarms can be resolved by authorized personnel. 

PIN Security Requirements:
32-9.9 The CCTV server and digital storage must be secured in a separate secure location that is not accessible to personnel who have access to the key-injection secure room.
Testing Procedures:
32-9.9.a Inspect location of the CCTV server and digital-storage to verify they are located in a secure location that is separate from the key-injection secure room.
32-9.9.b Inspect access-control configurations for the CCTV server/storage secure location and the key-injection secure room to identify all personnel who have access to each area. Compare access lists to verify that personnel with access to the key-injection secure room do not have access to the CCTV server/storage secure location. 

PIN Security Requirements:
32-9.10 The CCTV cameras must be positioned to monitor: 

32-9.10 Inspect CCTV positioning and examine a sample of recordings to verify that CCTV cameras are positioned to monitor: 

PIN Security Requirements:
32-9.11 CCTV cameras must be positioned so they do not monitor any combination locks, PIN pads, or keyboards used to enter passwords/authentication codes or other authentication credentials.
Testing Procedures:
32-9.11 Inspect CCTV positioning and examine a sample of recordings to verify that CCTV cameras do not monitor any combination locks, PIN pads, or keyboards used to enter passwords/authentication codes or other authentication credentials. 

PIN Security Requirements:
32-9.12 Images recorded from the CCTV system must be securely archived for a period of no less than 45 days. If digital-recording mechanisms are used, they must have sufficient storage capacity and redundancy to prevent the loss of information necessary to reconstruct events for the most recent 45-day period.
Testing Procedures:
32-9.12.a Examine storage of captured recordings to verify that at least the most recent 45 days of images are securely archived.
32-9.12.b If digital-recording mechanisms are used, examine system configurations to verify that the systems have sufficient redundancy to prevent the loss of information necessary to reconstruct events for the most recent 45-day period. 

PIN Security Requirements:
33-1 Written procedures must exist, and all affected parties must be aware of those procedures. Records must be maintained of the tests and inspections performed by key-injection facilities on PIN-processing devices before they are placed into service, as well as devices being decommissioned.
Testing Procedures:
33-1.a Examine documented procedures/processes and interview responsible personnel to verify that all affected parties are aware of required processes and are provided suitable guidance on procedures for devices placed into service, initialized, deployed, used, and decommissioned,
33-1.b Verify that written records exist for the tests and inspections performed on PIN-processing devices before they are placed into service, as well as devices being decommissioned.