Соответствие требованиям

Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Наш канал

PCI PIN Security v3.1

Framework

В Requirement 29

Для проведения оценки соответствия по документу войдите в систему.

Список требований

Normative Annex B – Key-Injection Facilities
Control Objective 7: Equipment used to process PINs and keys is managed in a secure manner
Requirement 29: PIN-processing equipment (e.g., POI devices and HSMs) must be placed into service only if there is assurance that the equipment has not been substituted or subjected to unauthorized modifications or tampering prior to the deployment of the device—both prior to and subsequent to the loading of cryptographic keys—and that precautions are taken to minimize the threat of compromise once deployed.
Key-injection facilities must ensure that only legitimate, unaltered devices are loaded with cryptographic keys.
Secure rooms must be established for inventory that includes securing PEDs that have not had keys injected. The area must have extended walls from the real floor to the real ceiling using sheetrock, wire mesh, or equivalent. Equivalence can be steel cages extending floor to real ceiling. The cages can have a steel cage top in lieu of the sides extending to the real ceiling. The cages must have locks (with logs) or badge control with logging for entry
PIN Security Requirements:
29-1 Secure cryptographic devices—such as HSMs and POI devices (e.g., PEDs and ATMs)—must be placed into service only if there is assurance that the equipment has not been subject to unauthorized modification, substitution, or tampering and has not otherwise been subject to misuse prior to deployment.
Note: This applies to SCDS used for key injection or code signing, including display prompts.
Testing Procedures:
29-1.a Examine documented procedures to confirm that processes are defined to provide the following assurances prior to the loading of cryptographic keys:
POIs have not been substituted or subjected to unauthorized modifications or tampering.
SCDs used for key injection/loading or code signing have not been substituted or subjected to unauthorized modifications or tampering.
29-1.b Observe processes and interview personnel to verify that processes are followed to provide the following assurances prior to the loading of cryptographic keys:
POIs have not been substituted or subjected to unauthorized modifications or tampering.
SCDs used for key injection/loading or code signing have not been substituted or subjected to unauthorized modifications or tampering.
PIN Security Requirements:
29-1.1 All POIs and other SCDs must be protected against compromise. Any compromise must be detected. Loading and use of any financial keys after the compromise must be prevented. Controls must include the following:
Testing Procedures:
29-1.1 Examine documented procedures to verify controls are defined to protect POIs and other SCDs from unauthorized access up to point of deployment.
PIN Security Requirements:
29-1.1.1 Access to all POIs and other SCDs is documented, defined, logged, and controlled such that unauthorized individuals cannot access, modify, or substitute any device without detection.
The minimum log contents include date and time, object name/identifier, purpose, name of individual(s) involved, signature or electronic capture (e.g., badge) of individual involved and if applicable, tamper-evident package number(s) and serial number(s) of device(s) involved. Electronic logging⎯e.g., using bar codes⎯is acceptable for device tracking.
Testing Procedures:
29-1.1.1.a Examine access-control documentation and device configurations to verify that access to all POIs and key-injection/loading devices is defined and documented.
29-1.1.1.b For a sample of POIs and other SCDs, observe authorized personnel accessing devices and examine access logs to verify that access to all POIs and other SCDs is logged.
29-1.1.1.c Examine implemented access controls to verify that unauthorized individuals cannot access, modify, or substitute any POI or other SCD.
PIN Security Requirements:
29-1.1.2 All personnel with access to POIs and other SCDs prior to deployment are documented in a formal list and authorized by management. A documented security policy must exist that requires the specification of personnel with authorized access to all secure cryptographic devices. This includes documentation of all personnel with access to POIs and other SCDs as authorized by management. The list of authorized personnel is reviewed at least annually.
Testing Procedures:
29-1.1.2.a Examine documented authorizations for personnel with access to devices to verify that prior to deployment:
All personnel with access to POIs and other SCDs are authorized by management in an auditable manner.
The authorizations are reviewed annually.
29-1.1.2.b For a sample of POIs and other SCDs, examine implemented access controls to verify that only personnel documented and authorized in an auditable manner have access to devices.
PIN Security Requirements:
29-1.2 POIs and other SCDs must not use default keys or data (such as keys that are pre-installed for testing purposes) or passwords/authentication codes.
Testing Procedures:
29-1.2.a Examine vendor documentation or other information sources to identify default keys (such as keys that are pre-installed for testing purposes), passwords, or data.
29-1.2.b Observe implemented processes and interview personnel to verify that default keys or passwords are not used.
PIN Security Requirements:
29-2 Implement a documented “chain of custody” to ensure that all devices are controlled from receipt to placement into service. The chain of custody must include records to identify responsible personnel for each interaction with the devices.
Note: Chain of custody includes procedures, as stated in Requirement 29-1, that ensure that access to all POI devices and other SCDs is documented, defined, logged, and controlled such that unauthorized individuals cannot access, modify, or substitute any device without detection.
Testing Procedures:
29-2.a Examine documented processes to verify that the chain of custody is required for devices from receipt to placement into service.
29-2.b For a sample of devices, examine documented records and interview responsible personnel to verify the chain of custody is maintained from receipt to placement into service.
29-2.c Verify that the chain-of-custody records identify responsible personnel for each interaction with the device.
PIN Security Requirements:
29-3 Implement physical protection of devices from the manufacturer’s facility up to the point of key-insertion and deployment, through one or more of the following:
Transportation using a trusted courier service (for example, via bonded carrier). The devices are then securely stored until key-insertion and deployment occurs.
Use of physically secure and trackable packaging (for example, preserialized, counterfeit-resistant, tamper-evident packaging). The devices are then stored in such packaging, or in secure storage, until key insertion and deployment occurs.
A secret, device-unique “transport-protection token” is loaded into the secure storage area of each device at the manufacturer’s facility. The SCD used for key-insertion verifies the presence of the correct “transport-protection token” before overwriting this value with the initial key, and the device is further protected until deployment.
Upon tamper of the device it becomes infeasible to load any keying material.
Shipped and stored containing a secret that:
Is immediately and automatically erased if any physical or functional alteration to the device is attempted, and
Can be verified by the initial key-loading facility, but that cannot feasibly be determined by unauthorized personnel.
Each cryptographic device is carefully inspected and tested immediately prior to key-insertion and deployment using due diligence. This is done to provide reasonable assurance that it is the legitimate device and that it has not been subject to any unauthorized access or modifications. Note: Unauthorized access includes that by customs officials.
Devices incorporate self-tests to ensure their correct operation. Devices must not be re-installed unless there is assurance they have not been tampered with or compromised. Note: This control must be used in conjunction with one of the other methods.
Controls exist and are in use to ensure that all physical and logical controls and anti-tamper mechanisms used are not modified or removed.
Testing Procedures:
29-3.a Examine documented procedures to confirm that they require physical protection of devices from the manufacturer’s facility up to the point of key-insertion and deployment, through one or more of the defined methods.
29-3.b Interview responsible personnel to verify that one or more of the defined methods are in place to provide physical device protection for devices, from the manufacturer’s facility up to the point of key-insertion and deployment.
PIN Security Requirements:
29-4 Dual-control mechanisms must exist to prevent substitution or tampering of HSMs—both deployed and spare or back-up devices—throughout their life cycle. Procedural controls, which may be a combination of physical barriers and logical controls, may exist to support the prevention and detection of substituted HSMs but must not supplant the implementation of dual-control mechanisms.
Testing Procedures:
29-4.a Examine documented procedures to confirm that dual-control mechanisms exist to prevent substitution or tampering of HSMs—both deployed and spare or back-up devices—throughout their life cycle.
29-4.b Interview responsible personnel and physically verify the dual-control mechanism used to prevent substitution or tampering of HSMs—both in service and spare or back-up devices—throughout their life cycle.
PIN Security Requirements:
29-4.1 HSM serial numbers must be compared to the serial numbers documented by the sender (sent using a different communication channel from the device) to ensure device substitution has not occurred. A record of device serial-number verification must be maintained.
Note: Documents used for this process must be received via a different communication channel—i.e., the control document used must not have arrived with the equipment. An example of how serial numbers may be documented by the sender includes but is not limited to the manufacturer’s invoice or similar document.
Testing Procedures:
29-4.1.a Interview responsible personnel to verify that device serial numbers are compared to the serial number documented by the sender.
29-4.1.b For a sample of received devices, examine sender documentation sent via a different communication channel than the device’s shipment (for example, the manufacturer’s invoice or similar documentation) used to verify device serial numbers. Examine the record of serial-number validations to confirm the serial number for the received device was verified to match that documented by the sender.
PIN Security Requirements:
29-4.2 The security policy enforced by the HSM must not allow unauthorized or unnecessary functions. HSM API functionality and commands that are not required to support specified functionality must be disabled before the equipment is commissioned.
For example, for HSMs used in transaction processing operations:
- PIN-block format translation functionality is in accordance with Requirement 3, or non-ISO PIN-block formats must not be supported without a defined documented and approved business need.
- HSMs used for acquiring functions shall not be configured to output clear-text PINs or support PIN-change functionality. Documentation (e.g., a checklist or similar suitable to use as a log) of configuration settings must exist and be signed and dated by personnel responsible for the implementation. This documentation must include identifying information for the HSM, such as serial number and/or asset identifiers. This documentation must be retained and updated for each affected HSM any time changes to configuration settings would impact security.
Testing Procedures:
29-4.2.a Obtain and examine the defined security policy to be enforced by the HSM.
29-4.2.b Examine documentation of the HSM configuration settings from past commissioning events to determine that the functions and commands enabled are in accordance with the security policy.
29-4.2.c For a sample of HSMs, examine the configuration settings to determine that only authorized functions are enabled.
29-4.2.d Verify that PIN-change functionality, PIN-block format translation functionality, or non-ISO PIN-block formats are not supported without a defined documented and approved business need.
29-4.2.e Verify that functionality is not enabled to allow the outputting of clear-text PINs.
29-4.2.f Examine documentation to verify:
- Configuration settings are defined, signed and dated by personnel responsible for implementation.
- It includes identifying information for the HSM, such as serial number and/or asset identifiers.
- The documentation is retained and updated anytime configuration setting impacting security occur for each affected HSM.
PIN Security Requirements:
29-4.3 When HSMs are connected to online systems, controls are in place to prevent the use of an HSM to perform privileged or sensitive functions that are not available during routine HSM operations.
Examples of sensitive functions include but are not limited to: loading of key components, outputting clear-text key components, and altering HSM configuration.
Testing Procedures:
29-4.3 Examine HSM configurations and observe processes to verify that HSMs are not enabled in a sensitive state when connected to online systems.
PIN Security Requirements:
29-4.4 Inspect and test all HSMs—either new or retrieved from secure storage—prior to installation to verify devices have not been tampered with or compromised. Processes must include:
Testing Procedures:
29-4.4 Examine documented procedures to verify they require inspection and testing of HSMs prior to installation to verify integrity of device.
PIN Security Requirements:
29-4.4.1 Running self-tests to ensure the correct operation of the device
Testing Procedures:
29-4.4.1 Examine records of device inspections and test resu lts to verify that self-tests are run on devices to ensure the correct operation of the device.
PIN Security Requirements:
29-4.4.2 Installing (or re-installing) devices only after confirming that the device has not been tampered with or compromised
Testing Procedures:
29-4.4.2 Observe inspection processes and interview responsible personnel to verify that devices are installed, or reinstalled, only after confirming that the device has not been tampered with or compromised.
PIN Security Requirements:
29-4.4.3 Physical and/or functional tests and visual inspection to confirm that physical and logical controls and anti-tamper mechanisms are not modified or removed
Testing Procedures:
29-4.4.3 Observe inspection processes and interview responsible personnel to confirm processes include physical and/or functional tests and visual inspection to verify that physical and logical controls and anti-tamper mechanisms are not modified or removed
PIN Security Requirements:
29-4.4.4 Maintaining records of the tests and inspections, and retaining records for at least one year
Testing Procedures:
29-4.4.4.a Examine records of inspections and interview responsible personnel to verify records of the tests and inspections are maintained.
29-4.4.4.b Examine records of inspections to verify records are retained for at least one year.
PIN Security Requirements:
29-5 Maintain HSMs in tamper-evident packaging or in secure storage until ready for installation.
Testing Procedures:
29-5.a Examine documented procedures to verify they require devices be maintained in tamper-evident packaging until ready for installation.
29-5.b Observe a sample of received devices to verify they are maintained in tamper-evident packaging until ready for installation.

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.