Соответствие требованиям

Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Наш канал

PCI PIN Security v3.1

Framework

В П.8-4

Для проведения оценки соответствия по документу войдите в систему.

Список требований

Normative Annex B – Key-Injection Facilities
Control Objective 3: Keys are conveyed or transmitted in a secure manner.
Requirement 8: Secret or private keys must be transferred by:
a) Physically forwarding the key as at least two separate key shares or full-length components (hard copy, smart card, SCD) using different communication channels, or
b) Transmitting the key in ciphertext form.
Public keys must be conveyed in a manner that protects their integrity and authenticity.
It is the responsibility of both the sending and receiving parties to ensure these keys are managed securely during transport.
Keys conveyed to a key-injection facility must be conveyed in compliance with these requirements. Such keys can include, but are not limited to:
Derived Unique Key Per Transaction (DUKPT) Base Derivation Keys (BDKs) used in the DUKPT key-management method;
Key-encryption keys used to encrypt the BDKs when the BDKs are conveyed between entities (e.g., from the BDK owner to a device manufacturer that is performing key-injection on their behalf, or from a merchant to a third party that is performing key-injection on their behalf);
Terminal master keys (TMKs) used in the master key/session key key-management method;
PIN-encryption keys used in the fixed-transaction key method;
Public keys used in remote key-establishment and distribution applications;
Private asymmetric keys for use in remote key-loading systems.
Keys conveyed from a key-injection facility (including facilities that are device manufacturers) must be conveyed in compliance with these requirements. Such keys can include, but are not limited to:
Digitally signed HSM-authentication public key(s) signed by a device manufacturer’s private key and subsequently loaded into the HSM for supporting certain key-establishment and distribution applications protocols (if applicable);
Device manufacturer’s authentication key loaded into the HSM for supporting certain key-establishment and distribution applications protocols (if applicable)
PIN Security Requirements:
8-4 Public keys must be conveyed in a manner that protects their integrity and authenticity. Examples of acceptable methods include:
- Use of public-key certificates as defined in Annex A that are created by a trusted CA that meets the requirements of Annex A.
- Validating a hash of the public key sent by a separate channel (for example, mail)
- Using a MAC (message authentication code) created using the algorithm defined in ISO 16609
- Conveyance within an SCD
- Encrypted
Note: Self-signed certificates must not be used as the sole method of authentication.
Self-signed root certificates protect the integrity of the data within the certificate but do not guarantee the authenticity of the data. The authenticity of the root certificate is based on the use of secure procedures to distribute them. Specifically, they must be directly installed into the PIN pad of the ATM or POS device and not remotely loaded to the device subsequent to manufacture.
Testing Procedures:
8-4 For all methods used to convey public keys, perform the following:
8-4.a Examine documented procedures for conveying public keys to verify that methods are defined to convey public keys in a manner that protects their integrity and authenticity such as:
- Use of public-key certificates created by a trusted CA that meets the requirements of Annex A
- Validation of a hash of the public key sent by a separate channel (for example, mail)
- Using a MAC (message authentication code) created using the algorithm defined in ISO 16609
- Conveyance within an SCD
- Encrypted
8-4.b Validate that procedures dictate that self-signed certificates must not be used as the sole method of authentication.
8-4.c Observe the process for conveying public keys, associated logs, and interview responsible personnel to verify that the implemented method ensures public keys are conveyed in a manner that protects their integrity and authenticity.

Название	Severity	IP	Integral
1111111 111 11 1111 11111111111111111 1111111 1 11111111111111111	-	1	-
11 111111111 111 1111111111111111111111111 1111 1 11111 1111111	-	1	-

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.