PCI PIN Security v3.1

PIN Security Requirements:
13-9.1 PCs and similar devices must be: 

PIN Security Requirements:
13-9.2 All hardware used in key loading (including the PC) must be managed under dual control. Key-injection must not occur unless there are minimally two individuals in the key-injection room at all times during the process. If a situation arises that would cause only one person to be in the room, all individuals must exit until at least two can be inside.
Testing Procedures:
13-9.2 Verify through interviews and observation that: 

PIN Security Requirements:
13-9.3 PC access and use must be monitored, and logs of all key loading must be maintained. These logs must be retained for a minimum of three years. The logs must be regularly (no less frequently than weekly) reviewed by an authorized person who does not have access to the room or to the PC. The reviews must be documented. The logs must include but not be limited to: 

13-9.3.a Verify through interviews and observation that logs of key-loading activities are maintained and meet the following: 

13-9.3.b Verify through interviews and observation that logs of key-loading activities are maintained and meet the following: 

PIN Security Requirements:
13-9.4.1 Cable attachments and the key-loading device must be examined before each use to ensure the equipment is free from tampering.
Testing Procedures:
13-9.4.1 Cable attachments and the key-loading device are examined before each use to ensure the equipment is free from tampering. 

PIN Security Requirements:
13-9.4.2 The key-loading device must be started from a powered-off position every time key-loading activities occur.
Testing Procedures:
13-9.4.2 The key-loading device is started from a powered-off position every time key-loading activities occur. 

PIN Security Requirements:
13-9.4.3 The software application must load keys without recording any clear-text values on portable media or other unsecured devices.
Testing Procedures:
13-9.4.3 The software application loads keys without recording any clear-text values on portable media or other unsecured devices.

PIN Security Requirements:
13-9.4.4 Clear-text keys must not be stored except within an SCD.
Testing Procedures:
13-9.4.4 Clear-text keys are not stored except within an SCD. 

PIN Security Requirements:
13-9.4.5 The personnel responsible for the systems administration of the PC (e.g., a Windows administrator who configures the PC’s user IDs and file settings, etc.) must not have authorized access into the room—they must be escorted by authorized key-injection personnel—and they must not have user IDs or passwords/authentication codes to operate the key-injection application.
Testing Procedures:
13-9.4.5 Personnel responsible for the systems administration of the PC do not have authorized access into the room—i.e., they are escorted by authorized key-injection personnel—and do not have user IDs or passwords/authentication codes to operate the key-injection application. 

PIN Security Requirements:
13-9.4.6 The key-injection personnel must not have system-administration capability at either the O/S or the application level on the PC.
Testing Procedures:
13-9.4.6 Key-injection personnel do not have system-administration capability at either the O/S or the application level on the PC. 

PIN Security Requirements:
13-9.4.7 The PC must not be able to boot from external media (e.g., USB devices or CDs). It must boot from the hard drive only.
Testing Procedures:
13-9.4.7 The PC is not able to boot from external media (e.g., USB devices or CDs). It must boot from the hard drive only. 

PIN Security Requirements:
13-9.4.8 Key-injection facilities must cover all openings on the PC that are not used for key-injection with security seals that are tamper-evident and serialized. Examples include but are not limited to PCMCIA, network, infrared and modem connections on the PC, and access to the hard drive and memory. The seals must be recorded in a log, and the log must be maintained along with the other key-loading logs in a dualcontrol safe. Verification of the seals must be performed prior to key-loading activities.
Testing Procedures:
13-9.4.8 All openings on the PC that are not used for key-injection are covered with security seals that are tamper-evident and serialized. The seals are recorded in a log, and the log is maintained along with the other keyloading logs in a dual-control safe. Verification of the seals must be performed prior to key-loading activities. 

PIN Security Requirements:
13-9.4.9 If the PC application reads or stores clear-text key components, for example, BDKs or TMKs, from portable electronic media (e.g., smart cards), the media must be secured as components under dual control when not in use. The key components must be manually entered at the start of each key-injection session from components that are maintained under dual control and split knowledge.
Note: For DUKPT implementations, the BDK must be loaded from components each time and this requires manual tracking of the device ID counter and serial numbers from the previous key-loading session. Key-injection facilities with PC applications that require passwords/authentication codes to be used to initiate decryption of keys on portable electronic media (e.g., smart cards) must ensure the passwords/authentication codes are maintained under dual control and split knowledge.
Testing Procedures:
13-9.4.9 If the PC application reads or stores keys (e.g., BDKs or TMKs) from portable electronic media (e.g., smart cards), the media is secured as components under dual control when not in use. The key components are manually entered at the start of each key-injection session from components that are maintained under dual control and split knowledge. 

PIN Security Requirements:
13-9.4.10 Manufacturer’s default passwords/authentication codes for PC-based applications must be changed.
Testing Procedures:
13-9.4.10 Manufacturer’s default passwords/authentication codes for PC-based applications are changed.