PCI PIN Security v3.1

PIN Security Requirements:
12-1 The loading of secret or private keys, when loaded from the individual key components, must be managed using the principles of dual control and split knowledge. Note: Manual key loading may involve the use of media such as paper, smart cards, or other physical tokens.
Testing Procedures:
12-1.a Using the summary of cryptographic keys, identify keys that are loaded from components and examine documented process to load each key type (MFK, TMK, PEK, etc.) from components to ensure dual control and split knowledge are required.
12-1.b Interview appropriate personnel to determine the number of key components for each manually loaded key.
12-1.c Witness a structured walk-through/demonstration of various key-loading processes for all key types (MFKs, TMKs, PEKs. etc.). Verify the number and length of the key components against information provided through verbal discussion and written documentation.
12-1.d Verify that the process includes the entry of individual key components by the designated key custodians.
12-1.e Ensure key-loading devices can only be accessed and used under dual control 

PIN Security Requirements:
12-2 Procedures must be established that will prohibit any one person from having access to components sufficient to form an encryption key when components are removed from and returned to storage for key loading.
Testing Procedures:
12-2 Examine logs of access to security containers for key components/shares to verify that only the authorized custodian(s) have accessed. Compare the number on the current tamper-evident and authenticable package for each component to the last log entry for that component. 
Trace historical movement of higher-order keys (MFK, KEK, and BDK) in and out of secure storage to ensure there is no break in the package-number chain that would call into question authorized handling and sufficient storage of the component or share. This must address at a minimum the time frame from the date of the prior audit. 

PIN Security Requirements:
12-3 The loading of clear-text cryptographic keys using a key-loading device requires dual control to authorize any key-loading session. It shall not be possible for a single person to use the key-loading device to load clear keys alone. 
Dual control must be implemented using one or more of, but not limited to, the following techniques: 

Note: For devices that do not support two or more passwords/authentication codes, this may be achieved by splitting the single password used by the device into two halves, each half controlled by a separate authorized custodian. Each half must be a minimum of five characters. Note: Passwords/authentication codes to the same object may be assigned to a custodian group team⎯e.g., custodian team for component A. Note: The addition of applications that replace or disable the PCI-evaluated firmware functionality invalidates the device approval for each such implementation unless those applications are validated for compliance to PTS POI Security Requirements and listed as such in the approval listings.
Testing Procedures:
12-3.a Identify instances where a key-loading device is used to load clear-text keys. Examine documented procedures for loading of clear-text cryptographic keys, including public keys, to verify: 

12-3.b For each type of production SCDs loaded with a key-loading device, observe the processes (e.g., a demonstration) of loading clear-text cryptographic keys and interview personnel. Verify that: 

12-3.c Examine documented records of key-loading to verify the presence of two authorized persons during each type of key-loading activity.
12-3.d Ensure that any default dual-control mechanisms (e.g., default passwords/authentication codes—usually printed in the vendor's manual—in a key-loading device) have been disabled or changed. 

PIN Security Requirements:
12-4 Key components for symmetric keys must be combined using a process such that no active bit of the key can be determined without knowledge of the remaining components. (For example, via XOR‘ing of full-length components.)
Note: Concatenation of key components together to form the key is unacceptable; e.g., concatenating two 8-hexadecimal character halves to form a 16-hexadecimal secret key.
The resulting key must only exist within the SCD.
Testing Procedures:
12-4.a Examine documented procedures for combining symmetric key components and observe processes to verify that key components are combined using a process such that no active bit of the key can be determined without knowledge of the remaining components⎯e.g. only within an SCD.
12-4.b Confirm key-component lengths through interview and examination of blank component forms and documented procedures. Examine device configuration settings and interview personnel to verify that key components used to create a key are the same length as the resultant key. 

PIN Security Requirements:
12-5 Hardware security module (HSM) Master File Keys, including those generated internal to the HSM and never exported, must be at least doublelength keys and use the TDEA (including parity bits) or AES using a key size of at least 128 bits.
Testing Procedures:
12-5 Examine vendor documentation describing options for how the HSM MFK is created and verify the current MFK was created using AES or double- or triplelength TDEA. Corroborate this via observation of processes, with information gathered during the interview process, and procedural documentation provided by the entity under review. 

PIN Security Requirements:
12-6 Any other SCD loaded with the same key components must combine all entered key components using the identical process.
Testing Procedures:
12-6 Through examination of documented procedures, interviews, and observation, confirm that any devices that are loaded with the same key components use the same mathematical process to derive the final key, 

PIN Security Requirements:
12-7 The initial terminal master key (TMK) or initial DUKPT key must be loaded to the device using either asymmetric key-loading techniques or manual techniques—e.g., the device keypad, IC cards, key-loading device, etc. Subsequent loading of the terminal master key may use techniques described in this document such as: 

For AES DUKPT, using the option to derive a key-encryption key called the DUKPT Update Key, so that the host can send a device a new initial key encrypted under that key. Note this also requires that a new initial key ID is also sent.
Keys shall not be reloaded by any methodology in the event of a compromised device and must be withdrawn from use.
Testing Procedures:
12-7.a Examine documented procedures for the loading of TMKs and initial DUKPT keys to verify that they require asymmetric key-loading techniques or manual techniques for initial loading and allowed methods for replacement TMK or initial DUKPT key loading.
12-7.b Examine documented procedures to verify that keys are withdrawn from use if they were loaded to a device that has been compromised or went missing. 

PIN Security Requirements:
12-8 If key-establishment protocols using public-key cryptography are used to distribute secret keys, these must meet the requirements detailed in Annex A of this document. For example: 

PIN Security Requirements:
12-9 Key-injection facilities must implement dual control and split-knowledge controls for the loading of keys into devices (for example, POIs and other SCDs).
Note: Such controls may include but are not limited to: 

12-9.a Examine documented key-injection procedures to verify that the procedures define use of dual control and split knowledge controls for the loading of keys into devices. 

12-9.b Interview responsible personnel and observe key-loading processes and controls to verify that dual control and split-knowledge controls are in place for the loading of keys into devices.
12-9.c Examine records of key-loading processes and controls to verify that the loading of keys does not occur without dual control and split knowledge.