PCI PIN Security v3.1

PIN Security Requirements:
13-1 Clear-text secret and private keys and key components must be transferred into an SCD only when it can be ensured that: 

13-1 Observe key-loading environments, processes, and mechanisms (for example, terminals, PIN pads, key guns, etc.) used to transfer keys and key components. Perform the following: 

PIN Security Requirements:
13-2 Only SCDs shall be used in the loading of clear-text secret or private keys or their components outside of a secure key-loading facility, as delineated in the requirements in this Annex. For example, ATM controller (computer) keyboards or those attached to an HSM shall never be used for the loading of clear-text secret or private keys or their components.
Note: The addition of applications⎯e.g., component, share, or key-loading applications⎯that replace or disable the PCI evaluated firmware functionality invalidates the device approval for each such implementation unless those applications are validated for compliance to PTS POI Security Requirements and listed as such in the approval listings.
Testing Procedures:
13-2.a Examine documentation to verify that only SCDs are used in the loading of clear-text secret or private keys or their components, outside of a secure key-loading facility, as delineated in this Annex. For example, ATM keyboards or keyboards attached to an HSM shall never be used for the loading of clear-text secret or private keys or their components.
13-2.b Observe a demonstration of key loading to verify that only SCDs are used in the loading of clear-text secret or private keys or their components outside of a secure key-loading facility. 

PIN Security Requirements:
13-3 The loading of plaintext secret or private key components or shares from an electronic medium—e.g., smart card, thumb drive, fob or other devices used for data transport—directly into a cryptographic device (and verification of the correct receipt of the component, if applicable) results in either of the following: 

13-3.a Examine documented procedures for the loading of secret or private key components from an electronic medium to a cryptographic device. Verify that procedures define specific instructions to be followed as a result of key loading, including: 

13-3.b Observe key-loading processes to verify that the loading process results in one of the following: 

13-3.c Examine records/logs of erasures to confirm that: 

PIN Security Requirements:
13-4.1 The key-loading device must be a physically secure SCD, designed and implemented in such a way that any unauthorized disclosure of the key is prevented or detected.
Note: A PCI-approved KLD meets this requirement for a SCD.
Testing Procedures:
13-4.1 Verify the key-loading device is a physically secure SCD designed and implemented in such a way that any unauthorized disclosure of the key is prevented or detected. 

PIN Security Requirements:
13-4.2 The key-loading device must be under the supervision of a person authorized by management or stored in a secure container such that no unauthorized person can have access to it.
Testing Procedures:
13-4.2 Verify the key-loading device is under the supervision of a person authorized by management or stored in a secure container such that no unauthorized person can have access to it. 

PIN Security Requirements:
13-4.3 The key-loading device must be designed or controlled so that only authorized personnel under dual control can use and enable it to output a key into another SCD. Such personnel must ensure that a key-recording device is not inserted between the SCDs.
Testing Procedures:
13-4.3.a Verify the key-loading device is designed or controlled so that only authorized personnel under dual control can use and enable it to output a key into another SCD.
13-4.3.b Verify that both authorized personnel involved in key-loading activity inspect the key-loading device prior to use to ensure that a key-recording device has not been inserted between the SCDs. 

PIN Security Requirements:
13-4.4 The key-loading device must not retain any information that might disclose the key⎯e.g., allow replay of the key for injection into a non-SCD⎯that was installed in the device or a key that it has successfully transferred.
Testing Procedures:
13-4.4 Verify the key-loading device does not retain any information that might disclose the key or a key that it has successfully transferred. For example, attempt to output the same value more than one time from the device or cause the device to display check values for its contents both before and after injection and compare. 

PIN Security Requirements:
13-5 Any media (electronic or otherwise) containing secret or private key components or shares used for loading cryptographic keys must be maintained in a secure storage location and accessible only to authorized custodian(s).
When removed from the secure storage location, media or devices containing key components or used for the injection of clear-text cryptographic keys must be in the physical possession of only the designated component holder(s), and only for the minimum practical time necessary to complete the key-loading process.
The media upon which a component resides must be physically safeguarded at all times when removed from secure storage.
Key components that can be read/displayed (for example, those printed on paper or stored on magnetic cards, PROMs, or smartcards) must be managed so they are never used in a manner that would result in the component being displayed in clear text to anyone who is not a designated custodian for that component.
Testing Procedures:
13-5.a Interview personnel and observe media locations to verify that the media is maintained in a secure storage location accessible only to custodian(s) authorized to access the key components.
13-5.b Examine documented procedures for removing media or devices containing key components—or that are otherwise used for the injection of cryptographic keys—from the secure storage location. Verify procedures include the following: 

13-5.c Interview designated component holder(s) and examine key-management logs to verify that media or devices removed from secure storage are in the physical possession of only the designated component holder.
13-5.d Interview key-injection personnel and examine logs for the removal of media/devices from secure storage to verify they are removed only for the minimum practical time necessary to complete the key-loading process. 

PIN Security Requirements:
13-6 If the component is in human-readable form (e.g., printed within a PIN-mailer type document), it must be visible only to the designated component custodian and only for the duration of time required for this person to privately enter the key component into an SCD.
Testing Procedures:
13-6 Validate through interview and observation that printed key components are not opened until just prior to entry into the SCD. Plaintext secret and/or private keys and/or their components are visible only to key custodians for the duration of loading into an SCD. 

PIN Security Requirements:
13-7 Written or printed key-component documents must not be opened until immediately prior to use.
Testing Procedures:
13-7.a Examine documented procedures and confirm that printed/written key-component documents are not opened until immediately prior to use.
13-7.b Observe key-loading processes and verify that printed/written key components are not opened until immediately prior to use. 

PIN Security Requirements:
13-8 A person with access to any component or share of a secret or private key, or to the media conveying this value, must not have access to other components or shares of this key or to any other medium containing other components or shares of this key that are sufficient to form the necessary threshold to derive the key.
E.g., in an m-of-n scheme (which must use a recognized secret-sharing scheme such as Shamir), such that any three key components or shares (i.e., m = 3) can be used to derive the key, no single individual can have access to more than two components/shares.
Testing Procedures:
13-8.a Examine documented procedures for the use of key components to verify that procedures ensure that any individual custodian only has access to their assigned components and never has access to sufficient key components to reconstruct a cryptographic key.
13-8.b Examine key-component access controls and access logs to verify that any single authorized custodians can and has only had access to their assigned component(s) and cannot access sufficient key components to reconstruct a cryptographic key. 

PIN Security Requirements:
13-9.1 PCs and similar devices must be: 

PIN Security Requirements:
13-9.2 All hardware used in key loading (including the PC) must be managed under dual control. Key-injection must not occur unless there are minimally two individuals in the key-injection room at all times during the process. If a situation arises that would cause only one person to be in the room, all individuals must exit until at least two can be inside.
Testing Procedures:
13-9.2 Verify through interviews and observation that: 

PIN Security Requirements:
13-9.3 PC access and use must be monitored, and logs of all key loading must be maintained. These logs must be retained for a minimum of three years. The logs must be regularly (no less frequently than weekly) reviewed by an authorized person who does not have access to the room or to the PC. The reviews must be documented. The logs must include but not be limited to: 

13-9.3.a Verify through interviews and observation that logs of key-loading activities are maintained and meet the following: 

13-9.3.b Verify through interviews and observation that logs of key-loading activities are maintained and meet the following: 

PIN Security Requirements:
13-9.4.1 Cable attachments and the key-loading device must be examined before each use to ensure the equipment is free from tampering.
Testing Procedures:
13-9.4.1 Cable attachments and the key-loading device are examined before each use to ensure the equipment is free from tampering. 

PIN Security Requirements:
13-9.4.2 The key-loading device must be started from a powered-off position every time key-loading activities occur.
Testing Procedures:
13-9.4.2 The key-loading device is started from a powered-off position every time key-loading activities occur. 

PIN Security Requirements:
13-9.4.3 The software application must load keys without recording any clear-text values on portable media or other unsecured devices.
Testing Procedures:
13-9.4.3 The software application loads keys without recording any clear-text values on portable media or other unsecured devices.

PIN Security Requirements:
13-9.4.4 Clear-text keys must not be stored except within an SCD.
Testing Procedures:
13-9.4.4 Clear-text keys are not stored except within an SCD. 

PIN Security Requirements:
13-9.4.5 The personnel responsible for the systems administration of the PC (e.g., a Windows administrator who configures the PC’s user IDs and file settings, etc.) must not have authorized access into the room—they must be escorted by authorized key-injection personnel—and they must not have user IDs or passwords/authentication codes to operate the key-injection application.
Testing Procedures:
13-9.4.5 Personnel responsible for the systems administration of the PC do not have authorized access into the room—i.e., they are escorted by authorized key-injection personnel—and do not have user IDs or passwords/authentication codes to operate the key-injection application. 

PIN Security Requirements:
13-9.4.6 The key-injection personnel must not have system-administration capability at either the O/S or the application level on the PC.
Testing Procedures:
13-9.4.6 Key-injection personnel do not have system-administration capability at either the O/S or the application level on the PC. 

PIN Security Requirements:
13-9.4.7 The PC must not be able to boot from external media (e.g., USB devices or CDs). It must boot from the hard drive only.
Testing Procedures:
13-9.4.7 The PC is not able to boot from external media (e.g., USB devices or CDs). It must boot from the hard drive only. 

PIN Security Requirements:
13-9.4.8 Key-injection facilities must cover all openings on the PC that are not used for key-injection with security seals that are tamper-evident and serialized. Examples include but are not limited to PCMCIA, network, infrared and modem connections on the PC, and access to the hard drive and memory. The seals must be recorded in a log, and the log must be maintained along with the other key-loading logs in a dualcontrol safe. Verification of the seals must be performed prior to key-loading activities.
Testing Procedures:
13-9.4.8 All openings on the PC that are not used for key-injection are covered with security seals that are tamper-evident and serialized. The seals are recorded in a log, and the log is maintained along with the other keyloading logs in a dual-control safe. Verification of the seals must be performed prior to key-loading activities. 

PIN Security Requirements:
13-9.4.9 If the PC application reads or stores clear-text key components, for example, BDKs or TMKs, from portable electronic media (e.g., smart cards), the media must be secured as components under dual control when not in use. The key components must be manually entered at the start of each key-injection session from components that are maintained under dual control and split knowledge.
Note: For DUKPT implementations, the BDK must be loaded from components each time and this requires manual tracking of the device ID counter and serial numbers from the previous key-loading session. Key-injection facilities with PC applications that require passwords/authentication codes to be used to initiate decryption of keys on portable electronic media (e.g., smart cards) must ensure the passwords/authentication codes are maintained under dual control and split knowledge.
Testing Procedures:
13-9.4.9 If the PC application reads or stores keys (e.g., BDKs or TMKs) from portable electronic media (e.g., smart cards), the media is secured as components under dual control when not in use. The key components are manually entered at the start of each key-injection session from components that are maintained under dual control and split knowledge. 

PIN Security Requirements:
13-9.4.10 Manufacturer’s default passwords/authentication codes for PC-based applications must be changed.
Testing Procedures:
13-9.4.10 Manufacturer’s default passwords/authentication codes for PC-based applications are changed.